The Connecticut Data Privacy Act: The Next Piece in a Patchwork of US Privacy Laws
On May 10, 2022, Connecticut became the fifth state to pass a comprehensive privacy law. The Connecticut Data Privacy Act (CTDPA) will go into effect alongside the Colorado Privacy Act on July 1, 2023, closely following the Virginia Consumer Data Protection Act, effective January 1, 2023.
The CTDPA includes many of the same provisions as the California, Colorado, Utah, and Virginia privacy laws. The CTDPA applies to entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and annually, either: (a) control or process the personal data of at least 100,000 consumers (excluding personal data controlled or processed solely for the purpose of completing payment transactions); or (b) control or process the data of at least 25,000 consumers and derive over 25% of their gross revenue from the sale of personal data.
As with the California, Colorado, and Virginia laws, the CTDPA grants consumers the rights to access their personal data, correct inaccuracies in their personal data, delete personal data, opt-out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling, and the right to data portability.
The CTDPA broadly defines the “sale of personal data” to include the exchange of personal data for monetary or “other valuable consideration.” In this respect, the law aligns with Colorado’s and California’s privacy laws, treating all valuable consideration as a “sale,” unlike Utah’s and Virginia’s laws which only extend the definition of “sale” to monetary consideration. The CTDPA aligns with California’s privacy law in that it requires opt-in consent from children under the age of 16 before selling their personal data or using such data for targeted advertising. The Virginia, Colorado, and Utah privacy laws only restrict sharing, selling, and targeted advertising for children under 13.
The CTDPA follows Virginia, Colorado, and Utah by not providing consumers a private right of action. Rather, enforcement remains exclusively with the Connecticut Attorney General’s office. If a violation is found, organizations are given a 60-day right to cure such violation. Notably, that right to cure goes away beginning January 1, 2025 – Connecticut’s Attorney General will then have the choice to determine whether to provide a right to cure. A violation of the CTDPA amounts to an unfair trade practice under the Connecticut Unfair Trade Practices Act, imposing penalties of up to $5,000 per violation. Equitable remedies, such as restitution and injunctive relief, are also at the Attorney General’s disposal.
With the mid-point of 2022 fast approaching, it will continue to be a busy year for privacy compliance. For further information about the CTDPA or privacy laws in general, please contact John Landolfi, Chris Ingram, Chris LaRocco, Gretchen Rutz, Jordan Patterson, or your Vorys attorney.