Connecticut

The Connecticut Data Protection Act (CTDPA) was signed into law on May 10, 2022. It subsequently came into effect on July 1, 2023.

While it has similarities to all of it’s predecessors it is most similar to the Virginia Consumer Data Protection Act and the recently implemented Colorado Privacy Act.

The Connecticut Attorney General is responsible for enforcing the Connecticut Data Protection Act. Violations of the CTDPA could result in civil penalties up to $5,000 per intentional violation.

Who does it impact?

The Connecticut Data Protection Act applies to persons conducting business in Connecticut or producing products or services targeted to Connecticut residents, and who during the preceding calendar year either:

  • Controlled or processed the personal data of 100,000 or more consumers annually, except for personal data controlled or processed solely for the purpose of completing a payment transaction
  • Derived over 25% of their gross revenue from the sale of personal data and controlled or processed the personal data of 25,000 or more consumers.

exemptions

  • State and local government entities
  • Non-profits
  • Institutions of higher educations
  • Certain national security associations
  • Financial entities covered by the Gramm-Leach-Bliley Act (GLBA)
  • “Covered entities” and “business associates” as covered by HIPAA
  • Other data exemptions.

Consumer Rights

The right to confirm whether a controller is processing their personal data and access that data. Unless such actions would reveal a trade secret.

Inaccuracies in their personal data (with some limitation).

Personal data provided by or about the consumer.

The right to obtain a portable copy of their personal data to the extent that is technically feasible and provided the controller will not be required to reveal any trade secret.

Of the processing of personal data for the purposes of: targeted advertising; sale of personal data; or, profiling in connection with automated decisions that produce legal or similarly significant effects concerning the customer.


Enforcement

The Connecticut Attorney General is responsible for enforcing the Connecticut Data Protection Act. Violations of the CTDPA could result in civil penalties up to $5,000 per intentional violation.

cure period

If a breach is discovered between July 1, 2023 and December 31, 2024 businesses will be given the opportunity to fix the problem, if a fix is possible. Businesses will be allowed a 60-notice cure period. From January 1, 2025 the Attorney General will still be able to grant opportunities to cure alleged violations at their discretion.


Value Privacy are on hand to make sure your business is compliant with data and privacy regulations. Whether you need a privacy health check or you want help to make sure you and your business are ready for the arrival of the Colorado Privacy Act, we’re here to help. You can find out more about what we do or contact us and have a chat about your needs.

en_USEN