The Connecticut Data Privacy Act (CTDPA) will come into force on July 1, 2023. Signed by Governor Ned Lamont on May 10, 2023, the law made Connecticut the fifth state to enact a comprehensive data privacy law.
Connecticut Attorney General Tong explained in a recent press release that the act will give “consumers powerful new baseline rights, including the right to access, correct, and delete personal data stored and collected by businesses, and the right to opt-out of the sale of personal data and targeted advertising.”
What is the CTDPA?
The CTDPA is a consumer data protection law that grants Connecticut residents rights about the way their personal data is handled by organizations they interact with. These include:
- Right to access — Consumers must be able to access their data. Unlike other similar laws, the CTDPA grants an exception if doing so requires an organization to disclose any trade secrets.
- Right to correct — Consumers must be able to correct inaccuracies in their data.
- Right to delete — Consumers must be able to delete or request deletion of their data.
- Right to data portability — Consumers must be able to obtain a copy of their data in a format that is transferable to another entity and is readily usable. As with the right to access, the CTDPA permits an exception if doing so would disclose any trade secrets.
- Right to opt out — Consumers must be able to opt out of the processing of their data for reasons of targeted advertising, sale of their data, or profiling for decision-making. From January 1, 2025, this must be through a recognizable and universal “opt-out preference signal.”
Who needs to comply with the CTDPA?
The CTDPA applies to individuals and companies doing business in Connecticut or producing products or services for its residents. There is no revenue limit affecting applicability, and the law applies if, in the preceding year, they either:
- Controlled or processed the personal data of 100,000 or more consumers annually, except if that data was processed solely for completing a payment transaction.
- Derived over 25% of gross revenue from the sale of personal data and controlled/processed data of 25,000 or more consumers.
How do organizations comply with the CTDPA?
Individuals and companies covered by the act must meet several obligations to comply. These include:
- Being clear about data processing and publishing a notice about the types of data they process and why, and whether they share the data with any third parties. The notice also needs to explain how consumers can exercise their data rights.
- Limiting collection of personal data to that necessary to fulfil the purpose.
- Obtaining consent from the consumer for the collection and processing of personal information.
- Conducting Data Protection Assessments to identify any risk of harm to consumers resulting from data processing.
- Protecting the data using appropriate and reasonable safeguards (security controls).
- Responding to consumer requests without discrimination when they are exercising their rights or when processing their information.
Failing to meet their obligations could see individuals or companies receive penalties up to $5,000 per violation. The Connecticut Attorney General, who has exclusive authority to enforce violations of the act, can enforce further action and penalties.
Where should organizations start?
Among the most important steps for businesses to take is a periodic inventory of all personal information across the organization, specifically identifying information that relates to Connecticut residents.
Ground Labs’ Enterprise Recon simplifies this process by automating discovery, enabling rapid identification and remediation of more than 300 personal data types across on-premises and cloud-based systems.
To find out how Enterprise Recon can enhance your CTDPA compliance efforts, book a call with one of our experts today.