
Connecticut Data Privacy Act (CTDPA)

The CTDPA, also called “An Act Concerning Personal Data Privacy and Online Monitoring”, gives Connecticut residents more control over their personal data. It requires organizations to take reasonable steps to safeguard the personal data of Connecticut residents from unauthorized access and disclosure.

Are you subject to the Connecticut – CTDPA?

The Connecticut – CTDPA applies to businesses that are in Connecticut or that produce products or services targeted to Connecticut residents, and that meet any of the following criteria:
  • Controls or processes personal data of 100,000 or more consumers (except personal data controlled or processed solely for payment transaction completion).

  • Derives over 25% of gross revenue from personal data sales or processes personal data of 25,000 or more consumers.

Obligations & rights under the Connecticut – CTDPA

This data privacy and protection law requires organizations to provide control and transparency to Connecticut residents on how their personal data is collected, sold, and disclosed.

Consents & opt-outs

Obtain prior consent from consumers for processing sensitive personal data, and prior to selling or offering to sell their consumer health data. Provide a clear and conspicuous opt-out link on your website for consumers or their authorized representative to opt out of targeted advertising or sale of their personal data. Under the CTDPA, universal opt-out mechanisms must be recognized by businesses as valid consumer requests beginning January 1, 2025.

Policies & notices

Provide consumers with reasonably accessible, clear, and meaningful privacy notices that include (1) categories of personal data processed, (2) the purpose for processing the personal data, (3) instructions for consumers to exercise their rights, including how to appeal a rejected consumer request, (4) categories of personal data shared with third parties, and (5) the controller’s email address or other online contact mechanism.

Data subject rights & requests

Consumers have the right to request to know what personal information has been collected, to request deletion of any personal information collected, to opt out of the sale of their personal information, to request correction of inaccurate personal information, and to limit use and disclosure of sensitive personal information. Businesses must be able to fulfill and address these requests within 45 days.

Vendor management

Under the CTDPA, businesses must have contracts in place with third-party vendors to ensure that vendors adhere to the controller’s instructions and assist the controller in meeting its obligations.

Whitepaper

Connecticut Personal Data Privacy and Online Monitoring Act

While the Connecticut privacy law has similarities to the laws of other states, understand the key differences to meet compliance, from controller and processor responsibilities to detailed consumer rights.

FAQs

  • What does the “Connecticut – CTDPA” refer to?

    An Act Concerning Personal Data Privacy and Online Monitoring (also known as The Connecticut Data Privacy Act or “CTDPA”). The CTDPA is a comprehensive privacy law in Connecticut that was signed into law on May 10, 2022, and becomes effective on July 1, 2023.

    Connecticut has passed significant amendments to the Connecticut Data Privacy Act that will become effective July 1 and October 1, 2024, broadening its reach to (1) give minors (and in some cases minors’ parents) more control over their personal data and social media platform accounts and introduce new protections for minors’ personal data, and (2) cover health-related data of Connecticut residents.

  • Who has privacy rights under the CTDPA?

    The CTDPA provides Connecticut residents certain rights over their personal data. It does not cover individuals acting in a commercial or employment context, or any personal data collected in an employment or business-to-business relationship.

  • What is personal information and sensitive personal information under the CTDPA?

    Personal information is any information that is linked or reasonably linkable to an identified or identifiable individual. Examples include a first and last name, email address, or phone number. It does not include de-identified data or publicly available information.

    Sensitive personal information includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; and precise geolocation data.

  • Under the Connecticut – CTDPA, is it mandatory for businesses to perform Data Protection Assessments?

    This law requires businesses to conduct a Data Protection Assessment (DPA) for processing activities that present a heightened risk of harm to consumers, including processing for targeted advertising, sale of personal information, profiling, or before processing any sensitive data.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.
