Please note that this page is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.
Connecticut Becomes the Fifth State to Pass Consumer Privacy Legislation
Connecticut passed An Act Concerning Personal Data Privacy and Online Monitoring (CPDPA) on May 10, 2022. The CPDPA becomes effective on July 1, 2023.
Obligations under the CPDPA are placed on controllers and processors (defined in CPDPA) that conduct business in Connecticut or market goods or services to consumers in Connecticut and, during the preceding calendar year:
- Controlled or processed the personal data of at least 100,000 Connecticut consumers, excluding data controlled or processed solely for payment transactions; or
- Controlled or proceed the personal data of at least 25,000 Connecticut consumers and derived more than 25% of gross revenue from the sale of personal data.
The definition of “consumer” in the CPDPA is “a resident of [Connecticut].” The word “consumer” does not include people or entities acting in a commercial or employment context, so information collected in a business-to-business or employment context will not be subject to the CPDPA. Other exempt entities and information include, among others: nonprofit organizations; institutions of higher education; financial institutions subject to the GLBA; protected health information under HIPAA; personal information used by consumer reporting agencies subject to regulation under the FCRA; and personal data regulated by FERPA.
Consumer Rights Under the CPDPA
The CPDPA requires controllers to post a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data processed, the purpose for processing personal data, how consumers may exercise their right described below, and the categories of data provided to third parties and the categories of those third parties.
Controllers and processors must obtain consent for processing consumer data. They also must include a mechanism for consumers to revoke that consent that is at least as easy as the mechanism by which the consumer provided consent. Notably, the CPDPA indicates that “consent” does not include agreement obtained through the use of dark patterns (an interface designed to manipulate the consumer into consent).
Additional customer rights under the CPDPA include the right to confirm whether a controller is processing the consumer’s personal data; to correct inaccuracies in the consumer’s personal data; to delete personal data provided by or obtained about the consumer; to obtain a copy of the consumer’s personal data processed by the controller; and, to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling.
Enforcing the CPDPA
Only the state attorney general can enforce the CPDPA. From July 1, 2023, to December 31, 2024, the Attorney General will issue notices of violation to controllers or processors and provide a 60-day cure period if the Attorney General determines a cure is possible. Beginning January 1, 2025, the Attorney General’s provision of a cure period will be based on the Attorney General’s consideration of a number of factors provided in the CPDPA.
Following Utah’s passage of the Utah Consumer Privacy Act in March of 2022, Connecticut is now the fifth US state to enact a comprehensive consumer privacy law. It should be noted that each state law creates different rights and obligations; now is the time for companies to consult with experienced privacy and data strategy counsel to determine how to move forward in compliance.
KJK will continue to monitor developments related to state privacy laws. If you have any questions, please contact KJK Cybersecurity, Data Breach & Privacy attorney Brett Krantz (BK@kjk.com; 216.736.7238).