Let’s jump in and learn:
- What Is the CTDPA, and for What Entities Is It Applicable?
- Enforcement of CTDPA Compliance Rules
- Controller Obligations under the CTDPA
- Opt-in and Opt-out of CTDPA Requirements
- Consumer Rights under the CTDPA
- Similarities and Differences Compared to the GDPR
- CTDPA Compliance Requirements Reflect Consumers’ Desire for Data Protection and Privacy
What Is the CTDPA, and for What Entities Is It Applicable?
On May 10, 2022, the Connecticut Data Privacy Act (CTDPA) was passed. It is also called Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring. Connecticut was the fifth U.S. state to adopt comprehensive consumer privacy legislation.
CTDPA compliance requires entities to abide by many rights, obligations, and exceptions that can also be found in California’s, Colorado’s, Utah’s, and Virginia’s consumer privacy laws—namely the California Privacy Act (CPA), Colorado Privacy Act (CPA), Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act (VCDPA) respectively.
Drawing heavily from the data privacy and data protection laws of Colorado and Virginia with many of its provisions being the same or very close, Connecticut’s law has notable distinctions from the other four privacy laws that should be factored into CTDPA compliance programs. For instance, like the California, Colorado, and Virginia laws, but unlike the UCPA, the CTDPA requires opt-in consent for the collection and processing of sensitive data.
Entities Covered by CTDPA
Entities bound to meet CTDPA compliance requirements include those that conduct business in Connecticut or produce products or services targeted to Connecticut residents during the preceding calendar year and either:
- Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions. This means that entities that process debit or credit cards only to the extent necessary to complete a sale will not have to meet CTDPA compliance requirements.
- Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data. Note that Virginia’s law is 50% of gross revenue, and Colorado’s law is any revenue or discount.
Exemptions to CTDPA Compliance Requirements
Like other consumer privacy laws, the CTDPA compliance requirements have exemptions that are entity-level and data-based exemptions.
Six entity-level exemptions for CTDPA compliance
For the purposes of CTDPA compliance, the following six types of entities are exempt.
1. State and local government entities
3. Institutions of higher education
4. Certain national security associations registered under the Securities Exchange Act of 1934
5. Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)
6. Covered entities and business associates as defined by the Health Insurance Portability and Accountability Act (HIPAA)
16 data-based exemptions for CTDPA compliance
Data exempt under the CTDPA include the following information in the following categories.
1. Protected health information under HIPAA
2. Patient-identifying information
3. Identifiable private information for purposes of the federal policy for the protection of human subjects
4. Identifiable private information that is collected as part of human subject research pursuant to the good clinical practice (GCP) guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use (ICH)
5. Personal data used or shared in research
6. Information and documents created for purposes of the HealthCare Quality Improvement Act of 1986
7. Patient safety work product for purposes of Patient Safety and Quality Improvement
8. Information derived from any of the healthcare-related information that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA
9. Information originating from and intermingled to be indistinguishable with that is maintained by a covered entity or business associate, program, or qualified service
10. Information used for public health activities and purposes as authorized by HIPAA, community health activities, and population health activities
11. The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act
12. Personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994
13. Personal data regulated by the Family Educational Rights and Privacy Act (FERPA)
14. Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act
15. Data processed or maintained:
A. In the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role
B. As the emergency contact information of an individual
C. That is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information and used for the purposes of administering such benefits
16. Personal data collected, processed, sold, or disclosed in relation to price, route, or service, as such terms are used in the Airline Deregulation Act of 1978
Source: State of Connecticut Senate Bill No. 6
Enforcement of CTDPA Compliance Rules
Like Virginia, Colorado, and Utah, CTDPA compliance failures cannot be addressed with a private right of action. Following Virginia’s approach to enforcement, CTDPA compliance rests solely with the state’s attorney general.
In the event of a CTDPA compliance complaint, the attorney general must notify the organization’s controller of the violation and give them 60 days to cure the violation (Note that this is double the 30-day cure periods granted under the California, Utah, and Virginia laws). Beginning January 1, 2025, the attorney general will have the latitude to provide opportunities to cure alleged violations at their discretion, considering these six factors.
1. The number of violations
2. The controller or processor’s size and complexity
3. The nature and extent of the processing
4. The substantial likelihood of injury to the public
5. The safety of persons or property
6. Whether the alleged violation was caused by a human or technical error
Controller Obligations under the CTDPA
To meet CTDPA compliance requirements, controllers’ obligations include the following:
Avoid secondary use
Obtain the consumer’s consent and not process personal data for purposes that have not been disclosed to the consumer.
Obtain consent in a way that it is freely given, specific, informed, and unambiguous, with restrictions against obtaining consent through the use of dark patterns before processing sensitive data, using a consumer’s personal data for targeted advertising, or selling their data.
Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes for which the data is processed.
Data processing contracts
Have a contract between a controller and processor to govern the data processing performed by the processor, on behalf of the controller, that specifies the nature and terms of the processing.
Data protection assessment
Conduct a data protection assessment (DPA) that identifies and weighs the risks and benefits of the processing to consumers, the controller, other stakeholders, and the public at large, including:
- Processing personal data for targeted advertising
- Selling personal data
- Processing sensitive data
- Processing personal data for profiling where it involves foreseeable risk of:
- Unfair or deceptive treatment or unlawful disparate impact on consumers
- Financial, physical, or reputational injury to consumers
- Intrusion upon the solitude or seclusion, or private affairs of consumers
- Other substantial injuries to consumers
Limits on collection
Collect only personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.
Limits on use
Refrain from processing personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is being processed.
Do not process personal data in violation of state or federal laws prohibiting unlawful discrimination against consumers, and do not discriminate against consumers for exercising their rights.
Make available an effective method for consumers to revoke their consent that is as easy as the method used to provide the consent and cease processing their data within 15 days after receipt of the request.
Responding to consumer requests
Respond to a consumer’s request for information about personal data that is processed within 45 days of receiving the request, which may be extended an additional 45 days when reasonably necessary
Establish, implement, and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data—commensurate with the volume and nature of the personal data in question.
Obtain a consumer’s opt-in consent before processing their sensitive data. If the consumer is a child, the controller must process that personal data in accordance with Children’s Online Privacy Protection Rule (COPPA).
Transparency and purpose specification
Provide consumers with a reasonably clear and meaningful privacy notice that includes:
- Categories of personal data processed
- Purpose for processing the personal data
- Instructions for consumers to exercise their rights, including how to appeal a rejected consumer request
- Categories of personal data shared with third parties
- Controller’s email address or another online contact mechanism
- Description of how a consumer may submit a consumer rights request
Opt-in and Opt-out of CTDPA Requirements
According to CTDPA compliance rules, consumers have the right to opt out of the processing of personal data for purposes of:
- Targeted advertising
- The sale of personal data
- Profiling in connection with automated decisions that produce legal or similarly significant effects
CTDPA compliance also requires opt-in consent for the collection and processing of sensitive data. That is information that reveals:
- Children’s data
- Citizenship or immigration status
- Mental or physical health condition or diagnosis
- Precise geolocation data
- Racial or ethnic origin
- Religious beliefs
- Sex life
- Sexual orientation
- The processing of genetic or biometric data for the purpose of uniquely identifying an individual
Consumer Rights under the CTDPA
Meeting CTDPA compliance requirements demands that covered entities assure the following consumer rights.
- Right to access
Consumers have the right to confirm whether or not a controller is processing their personal data and accessing such personal data. CTDPA has an exemption to the right to access if confirmation or access would require the controller to reveal a trade secret.
- Right to correct
Consumers have the right to correct inaccuracies in their personal data, learn the nature of the personal data that is being collected, and the purposes of the processing of their personal data.
- Right to data portability
Consumers have the right to obtain a copy of their personal data that is processed by the controller to the extent technically feasible, provided the controller will not be required to reveal any trade secret.
- Right to delete
Consumers have the right to have processors delete personal data provided by or obtained about them.
According to CTDPA compliance rules, controllers have up to 45 days to respond to consumer requests. They are allowed one 45-day extension, as “reasonably necessary,” based on the complexity and number of the consumer’s requests.
Similarities and Differences Compared to the GDPR
Europe’s General Data Protection Regulation (GDPR) and the CTDPA focus on controllers and processors in the language of their rules. Specific responsibilities and obligations are imposed on both controllers and processors.
GDPR and the CTDPA define these two roles as:
- Data controllers—an individual who, or legal entity that, alone or jointly with others, determines the purposes and means of processing personal data. A controller does business in the region and determines the purposes and means for processing personal data.
- Processor—an individual who, or legal entity that, processes personal data on behalf of a controller.
GDPR has a wider scope than CTDPA. GDPR applies to any processing of personal data by automated or non-automated means. In the case of CTDPA, if personal data is or is intended to be part of a filing system, CTDPA compliance rules only apply to entities that meet specified thresholds. In addition, broader exceptions are provided in the CTDPA as related to its material scope.
GDPR and CTDPA share similar principles with regard to data subject rights, but GDPR has slightly more strict rules than those required for CTDPA compliance. GDPR requires that any processing of personal data be subject to regulation, whereas CTDPA compliance is only required when processing specific data or for specific processing purposes.
In addition, unlike GDPR, CTDPA compliance only requires consumers’ consent, as an opt-in, only when processing sensitive data. Therefore, under CTDPA, consumer data can be processed without their consent, and without the option to opt-out, if the processing and its purposes are disclosed to the consumer and the data processing is limited to those purposes. Under the GDPR, a legal basis or consent is required to process any personal data.
CTDPA Compliance Requirements Reflect Consumers’ Desire for Data Protection and Privacy
The CTDPA represents a nationwide interest in and desire for consumer data protection and guidance for responsible use. Despite similarities across data privacy laws, it is important for national and global organizations to take a least common denominator approach to CTDPA compliance specifically and data protection generally, to meet the standards set by disparate consumer data privacy laws.
In addition, while California remains the only state to grant consumers a private right of action, organizations that process consumer data should understand the implications. Since being approved, privacy laws have continued to evolve—in most cases, becoming more stringent to stay on par with peers. When putting together plans for CTDPA compliance, pay heed to the other laws to avoid falling into trouble in other regions.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 27th February, 2023