Connecticut Governor Ned Lamont signed the Personal Data Privacy and Online Monitoring Act (CPDPA) into law on May 10, 2022, making Connecticut the most recent state to pass its own privacy law in the absence of comprehensive federal privacy legislation. Connecticut follows in the steps of Nevada, California, Virginia, Colorado and Utah in enacting its own comprehensive privacy legislation, with more pending in various state legislatures.
The Connecticut law goes into effect on July 1, 2023, giving companies just over a year to determine whether it applies, and if so to take steps to comply. Luckily, many organizations have already put compliance programs in place for the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), so adding some nuances from other state laws, including Connecticut, will not be as daunting as the first go-round with California’s law.
The CPDPA is designed to establish a framework for controlling and processing personal data. It:
- sets responsibilities and privacy protection standards for data controllers;
- gives consumers the right to access, correct, delete, and obtain a copy of personal data and to opt out of the processing or personal data for certain purposes (e.g., targeted advertising);
- requires controllers to conduct data protection assessments;
- authorizes the state attorney general to bring an action to enforce the bill’s requirements; and
- deems violations to be Connecticut Unfair Trade Practices Act violations. https://cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF
The CPDPA applies to individuals and entities that conduct business in the state of Connecticut or target products or services to Connecticut residents and either: control or process personal data of at least 100,000 Connecticut consumers (except if the data is processed solely for completing a payment transaction) or control or process the personal data of at least 25,000 Connecticut consumers and derives more than 25 percent of their gross revenue from the sale of personal data. The application of the law is not tied to an actual gross revenue figure like the CCPA is ($25 million), which is an important distinction that may narrow its applicability to organizations.
The law does not apply to nonprofits, state and local governments, higher education institutions, or national securities associations registered under the Securities Exchange Act. Consistent with other state data privacy laws, it also exempts financial institutions and data subject to the Gramm-Leach-Bliley Act and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA).
The law excludes 16 different categories of data from its purview, including protected health information under HIPAA, information subject to the Fair Credit Reporting Act, employee and job applicant data, and information protected by the Family Educational Rights and Privacy Act.
A “consumer” is defined as a Connecticut resident, and excludes individuals “acting in a commercial or employment context,” also known as a business-to-business exception, which is consistent with other state privacy laws.
Connecticut consumers will have the right to opt out of the processing of their personal data for targeted advertising, the sale of their data, or profiling for automated decisions that produce legal or significant effects on the consumer. Entities subject to the law will have to provide “clear and conspicuous” links on their websites giving consumers the choice to opt-out of that type of processing and provide a universal opt-out preference signal by January 1, 2025. Consistent with other state privacy laws, the CPDPA contains an anti-discrimination clause. These requirements, along with those of the other state laws that go into effect in 2023, warrant another look at companies’ websites to see if they need to be updated.
The CPDPA requires controllers to limit:
- collection of personal data to the minimum amount necessary for the purpose of the collection;
- use of the personal data to only the purpose of the collection or as the consumer has authorized; and
- establish and implement data security practices to protect the data
- obtain consent before processing sensitive data, including data of any individual under the age of 13, and follow the provisions of the Children’s Online Privacy Protection Act.
Controllers will be required to update their website and other Privacy notices to be transparent about the categories of data collected, the purpose of the collection, how consumers can exercise their rights under the law, including an active email address at which to contact the controller, what information is shared with third parties, and the categories of third parties with which the controller shares the information. In addition, a controller must disclose that it is selling personal data for targeted advertising and provide consumers with information on how they can opt-out of the sale of their information.
Also consistent with the other state data privacy laws, the CPDPA requires that data controllers enter into a written contract with data processors prior to disclosing the personal data, outlining specific instructions for the data processing and data security requirements for the protection of the personal data. This requires organizations to review third-party contracts to determine whether they are disclosing personal data to third parties, whether CPDPA applies and to amend contracts with those third parties, as appropriate.
Violation of the CPDPA may land companies in an enforcement action by the Connecticut Attorney General (AG), who can levy fines and penalties under the Connecticut Unfair Trade Practices Act. However, there is a grace period for enforcement actions until December 31, 2024, for the AG to provide organizations an opportunity to cure any alleged violations. Beginning on January 1, 2025, the AG has discretion to provide companies with that opportunity to cure and can look at the conduct of the organization during the cure period to determine fines and penalties.
Significantly, consistent with Colorado, Virginia, and Utah, but tacking away from California, the CPDPA is clear that the law does not provide a private right of action for consumers to seek damages against organizations for violation of the law. Jurisdiction for violations is solely with the AG 2023 will be a busy compliance year for state data privacy laws as laws in Virginia, Colorado, Utah, and now Connecticut will all go into effect. Now is the time to determine whether these new privacy laws apply to your organization and to start planning compliance obligations.