The Connecticut Data Privacy Act (CTDPA), which will go into effect July 1, 2023, is now the fifth and latest comprehensive state consumer privacy law.
The CTDPA has many similarities with other states (California, Virginia, Colorado and Utah) that have passed consumer privacy laws, but is most similar to the Virginia Consumer Data Privacy Act (VCDPA) and the Colorado Privacy Act (CPA), which are more consumer-oriented
The CTDPA applies to persons conducting business in Connecticut or producing products or services targeted to Connecticut residents, and who during the preceding calendar year either:
- Controlled or processed the personal data of 100,000 or more consumers annually, except for personal data controlled or processed solely for the purpose of completing a payment transaction.
- Derived over 25 percent of their gross revenue from the sale of personal data and controlled or processed the personal data of 25,000 or more consumers.3
In addition to requiring businesses to respond to consumer requests regarding their personal data described above, this law creates further affirmative obligations for businesses, including that they must:
- Minimize the collection of personal data and refrain from processing personal data for purposes not disclosed to the consumer (unless the business has otherwise obtained consumer consent);
- Establish and maintain reasonable technical and physical data security practices to protect personal data; and
- Provide Connecticut residents with a privacy notice describing the categories of personal data processed and the purpose of the processing, if the entity shares or sells personal data with third parties, and how the consumer may exercise their right to access, modify, delete, or opt-out of the business’s use of personal data for targeted advertising or sale.
CTDPA and Data of Minors
Specifically, controllers and processors that comply with the requirements of the Children’s Online Privacy Protection Act (COPPA) are compliant with any parental consent requirements of the CTDPA. The Controller cannot process personal data for purposes of selling or targeted advertising, without the Consumer's consent when knowing the Consumer is between 13 and 16 years old.
The CTDPA also mandated that the General Assembly will convene a task force to study available ways to "verify the age of a child who creates a social media account."
This law does not create private right of action for consumers, but instead invests exclusive enforcement authority in the Connecticut Attorney General. During the first two years of implementation, the Attorney General must issue a notice of violation and permit the business an opportunity to cure the violation within 60 days of notice. Beginning in 2025, however, the opportunity to cure is no longer guaranteed.