In the United States, there isn't a single comprehensive federal data protection law like the EU's GDPR. Instead, some states have their own privacy regulations with unique provisions. One significant piece of legislation is the Connecticut Data Privacy Act (CTDPA), which became effective on 1 July 2023.

Similar to the California Consumer Privacy Act, the Virginia Consumer Data Privacy Act (VCDPA), and the Colorado Privacy Act (CPA), the CTDPA focuses on protecting consumers' personal data, giving them more control over how it's collected, used, and shared.

In this article, we'll take a closer look at the Connecticut Data Privacy Act, exploring its purpose, scope, and what your business should be doing in order to comply.

What is the CTDPA?

The CTDPA is a law that grants consumers control over their personal information that’s being collected and processed by businesses and organizations. To allow this, it establishes responsibilities and privacy protection standards for businesses and organizations in Connecticut (more on scope below).

These are the rights granted to consumers under the CTDPA:

  1. Access: Consumers have the right to confirm whether a business is processing their personal data and to access the specific personal data being processed.
  2. Correction: Consumers can request corrections to inaccuracies in their collected personal data so that their information remains up-to-date.
  3. Deletion: Consumers have the right to request the deletion of personal data provided by or about them.
  4. Data portability: Consumers can obtain a portable copy of their personal data, allowing them to transfer it to another service provider in a simple manner.
  5. Opt-out: Consumers have the right to opt out of having their personal information used for targeted ads, sold to others, or used for profiling.

The CTDPA defines "personal data" as any information linked or reasonably linkable to an identifiable individual, such as:

  • address
  • driver’s license or ID numbers
  • passport information
  • account numbers
  • payment card information
  • login credentials.

There’s also a subset of personal data, called “sensitive data”, which might sound like the same thing, but it isn’t. Sensitive data is especially personal information that gets enhanced protection under the CTDPA, and its processing requires explicit consent from the individual. It includes information like:

  • racial or ethnic origin
  • religious beliefs
  • health condition and diagnosis
  • genetic or biometric data
  • sexual orientation
  • precise geolocation data
  • any personal data of children under 13.

    What’s the purpose of CTDPA?

    The CTDPA aims to balance safeguarding consumer privacy and allowing businesses to handle personal data responsibly. It gives individuals more control over their information, respecting their privacy preferences and empowering them to make informed choices.

    The law also holds organizations accountable by outlining data processing obligations, security practices, and transparent consent procedures, encouraging fair and ethical data practices within the business community.

    One crucial aspect of the CTDPA is its approach to handling data breaches. It requires businesses to quickly inform affected individuals and relevant authorities if a breach occurs.

    Finally, by implementing this comprehensive data protection law, Connecticut aligns with national and global trends in data privacy regulation, showing its dedication to addressing data protection concerns.

    CTDPA’s scope: Who does it apply to?

    First of all, let’s distinguish the two types of entities the CTDPA talks about: data controllers and data processors. A "controller" is an organization or business that determines the purposes and means of processing personal data. On the other hand, a "processor" processes personal data as instructed by the controller, but doesn’t have decision-making authority over personal data.

    The CTDPA applies to businesses operating within Connecticut or offering products and services to Connecticut residents, provided they either:

    1. controlled or processed personal data of 100,000 or more consumers in the previous year (data processed solely for completing a payment transaction is exempt), or
    2. controlled or processed personal data of 25,000 or more consumers during the preceding year and derived over 25% of their gross revenue from selling personal data.

    Like the Colorado Privacy Act, the CTDPA does not include a revenue threshold, potentially catching a broader range of businesses in its scope. So, even if you own or manage a smaller business but still handle a lot of personal data, the CTDPA may apply to you.

    CTDPA’s Implications and Responsibilities for Companies

    Now that we’ve talked about what the CTDPA does for consumers, it’s time to understand the practical implications for businesses. How are businesses supposed to ensure that consumer personal data is protected in a way that complies with Connecticut’s new data privacy law?

    Controllers' obligations

    • Transparency: Controllers must be transparent about their data processing practices, informing consumers about the purpose and extent of data collection, as well as information about how the consumer can exercise their rights.
    • Data minimization: Controllers can only collect and process the minimum amount of personal data necessary for the specified purposes.
    • Avoiding secondary use: Personal data should not be processed for reasons unrelated to the original purpose without explicit consent.
    • Security: Controllers have to implement security measures to safeguard personal data from unauthorized access or breaches. Not only enforcing internal policies but also having a good data loss protection solution in place is a smart way to comply with this responsibility.
    • Consent: Obtaining valid consent from consumers before processing their personal data is crucial. More about consent is below.

    Processors' obligations

    • Compliance with controller instructions: Processors must strictly adhere to the instructions provided by the controllers regarding data processing activities.
    • Assisting with consumer rights requests: Processors should assist controllers in responding to consumer rights requests, such as access, correction, deletion, or data portability.

    Data processing agreements

    Controllers and processors must sign clear and comprehensive data processing agreements that outline the responsibilities of each party.

    Data protection assessments

    The CTDPA requires businesses to conduct a data protection assessment (DPA) for activities involving personal data that could potentially cause harm to consumers. The DPA aims to carefully analyze the risks and benefits of these data processing activities for consumers, the company doing the processing, and the public at large.

    If requested by the Connecticut Attorney General, businesses must provide this assessment for investigation. The requirement applies to data processing activities taking place after 1 July 2023 and doesn't apply retroactively.

    Opting out and consumer consent

    • Controllers must provide consumers with a clear and easily accessible option to opt out of targeted advertising, sale of personal data, or profiling.
    • Starting in January 2025, the CTDPA will require businesses to respect a universal opt-out preference signal that is unambiguous, consumer-friendly, and easy to use.
    • Consumers have the right to revoke their consent for data processing at any time, and controllers must promptly respect and implement the revocation.

    Complying with the CTDPA

    It's crucial for businesses to be aware of these new obligations so that they can put processes in place to ensure compliance with the CTDPA. Not only will they maintain consumer trust, but they’ll also avoid being penalized.

    The enforcement of the CTDPA falls under the exclusive authority of the Connecticut Attorney General, who can take action against violations.

    There is a "Notice and Cure" period in place until 31 December 2024, which means that the Attorney General will notify businesses of CTDPA violations and give them an opportunity to correct any non-compliance concerns within 60 days. Starting in 2025, whether or not a business gets a chance to rectify violations before being penalized will be at the Attorney General’s discretion.

    Penalties for non-compliance may include fines of up to USD 5,000 per violation.

    Safetica's DLP Software: A Solution for CTDPA Compliance

    When it comes to complying with the CTDPA, Safetica's Data Loss Protection (DLP) software offers a valuable solution for businesses. With its user-friendly features, Safetica can help organizations navigate the complexities of the CTDPA and ensure consumer data is handled responsibly.

    One of the essential aspects of CTDPA compliance is conducting data protection assessments. Safetica's DLP software simplifies this process, allowing businesses to identify and assess potential risks associated with data processing activities.

    Safetica's DLP products provide an award-winning interface and robust security features. For example:

    1. Data classification: Easily identify and classify personal data within your organization, ensuring proper handling and protection.
    2. Data monitoring and auditing: Monitor data usage in real-time, track sensitive data transfers, and generate detailed audit logs for compliance reporting and analysis.
    3. Access controls: Implement access controls to ensure that only authorized personnel can access sensitive data, reducing the risk of data breaches.
    4. Incident response: Safetica's software enables you to respond quickly to potential data breaches, allowing you to investigate incidents, contain the impact, and mitigate risks.

    By partnering with Safetica, you can proactively address the challenges of data privacy and compliance. We’ll help you navigate the complexities of data protection while maintaining productivity and efficiency.
