Connecticut is the Fifth US State to Enact a Comprehensive Privacy Law

2 May 2022

Connecticut’s legislators have recently enacted a new and comprehensive privacy act, titled ‘An Act Concerning Personal Data Privacy and Online Monitoring’ (“CTDPA”). As part of a growing trend of state privacy legislation, Connecticut is now the fifth state to enact a state privacy law in the absence of a comprehensive Federal privacy law, following California, Virginia, Colorado and Utah.

The CTDPA is materially similar to the above-mentioned laws, and particularly to Colorado’s recently enacted law (which we have previously reported on). However, there are certain variations between the CTDPA and other US state laws or similar advanced privacy laws, and therefore preparation for the new law would require adjustments to compliance efforts.

The new act would apply to all entities that conduct business in Connecticut, or produce a product or service that targets Connecticut’s residents, and that during the preceding calendar year have met one of the following thresholds:

  1. The entity controls or processes personal data of at least 100,000 Connecticut residents (excluding personal data that is used solely to complete payment transactions); or
  2. The entity controls or processes personal data of at least 25,000 Connecticut residents, and more than 25% of its gross revenue derives from the sale of personal data.

Similarly to the other state privacy laws, the CTDPA contains exceptions for certain data categories and entities, such as those that are regulated under sectoral Federal law (such as the Health Insurance Portability and Accountability Act). In addition, the CTDPA excludes employment data and business-to-business contact information from its scope, following similar exclusions (some permanent, others applicable only in the transition period) in other US state privacy laws.

Below are some of the CTDPA’s key provisions, compared to existing laws:

  • Opt-out: similarly to Colorado’s law, in addition to widely common data subjects’ rights, the CTDPA allows data subjects to opt out of certain uses of their personal data, including targeted advertising, ‘sale’ of personal data, and profiling in furtherance of automated decision-making that produces legal or other significant effects on data subjects. A controller is not required to authenticate opt-out requests, and it may deny requests if it has a good faith, reasonable and documented belief that a request is fraudulent. Beginning 1 January 2025, the act would require controllers to recognize opt-out preference signals for targeted advertising and sale of personal data.

  • Sensitive data: the CTDPA’s definition of ‘sensitive data’ includes data revealing racial or ethnic origin, precise geolocation, mental or physical health, biometric data and more. Processing of sensitive data will require conducting and documenting a data protection assessment and obtaining the data subject’s consent.

  • Consent: where consent is required under the CTDPA, it has to be affirmative, and does not include: (i) acceptance of general or broad terms of use or a similar document containing descriptions of personal data processing along with other, unrelated information; (ii) hovering over, muting, pausing or closing a given piece of content; or (iii) agreement obtained through the use of dark patterns, which include any practices that the Federal Trade Commission refers to as such.

  • Privacy by design: the CTDPA requires controllers of personal data to incorporate certain privacy by design principles. These principles include, inter alia, limiting the collection of data to what is reasonably necessary and relevant in relation to the purpose of the processing, and avoiding processing that is neither reasonably necessary for, nor compatible with, the disclosed purposes for which the data is collected, unless consent is obtained.

  • Further rulemaking: the CTDPA does not create rulemaking authority for Connecticut’s Attorney General (“AG”). However, the new act creates a task force, which will study certain topics, such as algorithmic decision-making and children’s privacy, and make recommendations to amend the law.

  • Enforcement: the CTDPA does not create a private right of action for individuals. The law will be exclusively enforced by the AG. Until 1 January 2025 the CTDPA will include a mandatory 60-day cure period following a notice of violation from the AG; after this date, such an opportunity for correction will be at the AG’s discretion. Violations of the new act will be considered unfair trade practices under Connecticut’s law.

The CTDPA is still subject to the Connecticut Governor’s signature; however, approval without any changes is expected, as the law was approved by both the state’s House of Representatives and the Senate. The law is expected to enter into force on 1 July 2023.

Connecticut’s new legislation, which is part of a growing trend of new and comprehensive state privacy laws, presents an important regulatory development for entities that conduct business in the United States in connection with personal data of Connecticut residents. As the CTDPA has certain variations compared with other US state laws, it would require adjustments to compliance policies and procedures.

Relevant businesses should examine their data flows and assess the CTDPA’s applicability to them, as well as the required adjustments of their policies. Feel free to contact us if you have any questions regarding the new law and its potential effects on your company’s compliance efforts.

Kind regards,

Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation