Connecticut Privacy Law
Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.
Connecticut passed An Act Concerning Personal Data Privacy and Online Monitoring (CPDPA) on May 10, 2022. The CPDPA becomes effective on July 1, 2023.
Obligations under the CPDPA are placed on controllers and processors (as defined in the CPDPA) that conduct business in Connecticut or market goods or services to consumers in Connecticut and, during the preceding calendar year:
Controlled or processed the personal data of at least 100,000 Connecticut consumers, excluding data controlled or processed solely for payment transactions;
Controlled or processed the personal data of at least 25,000 Connecticut consumers and derived more than 25% of gross revenue from the sale of personal data.
The definition of “consumer” in the CPDPA is “a resident of [Connecticut].” The word “consumer” does not include people or entities acting in a commercial or employment context, so information collected in a business-to-business or employment context will not be subject to the CPDPA. Other exempt entities and information include, among others: nonprofit organizations; institutions of higher education; financial institutions subject to the GLBA; protected health information under HIPAA; personal information used by consumer reporting agencies subject to regulation under the FCRA; and personal data regulated by FERPA.
The CPDPA requires controllers to post a reasonably accessible, clear and meaningful privacy notice that includes: the categories of personal data processed, the purpose for processing personal data, how consumers may exercise their rights described below, and the categories of data provided to third parties and the categories of those third parties.
Controllers and processors must obtain consent for processing consumer data. They also must include a mechanism for consumers to revoke that consent that is at least as easy as the mechanism by which the consumer provided consent. Notably, the CPDPA indicates that “consent” does not include agreement obtained through the use of dark patterns (an interface designed to manipulate the consumer into consent).
Additional customer rights under the CPDPA include the right to confirm whether a controller is processing the consumer’s personal data; to correct inaccuracies in the consumer’s personal data; to delete personal data provided by or obtained about the consumer; to obtain a copy of the consumer’s personal data processed by the controller; and to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data or profiling.
Only the State Attorney General can enforce the CPDPA. From July 1, 2023, to Dec. 31, 2024, the Attorney General will issue notices of violation to controllers or processors and provide a 60-day cure period if the Attorney General determines a cure is possible. Beginning Jan. 1, 2025, the Attorney General’s provision of a cure period will be based on the Attorney General’s consideration of a number of factors provided in the CPDPA.