The Connecticut Data Privacy Act (CTDPA) will take effect on July 1, 2023. This
article discusses CTDPA application and definitions, consumer rights, privacy
notice, and related requirements.
The Connecticut attorney general will have exclusive authority to enforce
violations of the CTDPA.
Application and Definitions
The CTDPA applies to persons that conduct business in Connecticut or persons
that produce products or services that are targeted to Connecticut residents
and that occurred during the preceding calendar year.
- Controlled or processed the personal data of not less than 100,000
consumers, excluding personal data controlled or processed solely for the
purpose of completing a payment transaction; or
- Controlled or processed the personal data of not less than 25,000
consumers and derived more than 25 percent of their gross revenue from the
sale of personal data.
"Consumer" means an individual who is a Connecticut resident and
does not include an individual acting in a commercial or employment context or
as an employee, owner, director, officer, or contractor of a company,
partnership, sole proprietorship, nonprofit, or government agency whose
communications or transactions with the controller occur solely within the
context of that individual's role with the company, partnership, sole
proprietorship, nonprofit, or government agency.
"Controller" means an individual who, or legal entity that, alone
or jointly with others determines the purpose and means of processing personal
data. Determining whether a person is acting as a controller or processor with
respect to a specific processing of data is a fact-based determination that
depends on the context in which personal data is to be processed. A person that
is not limited in their processing of personal data pursuant to a
controller's instructions, or that fails to adhere to the instructions, is
a controller and not a processor with respect to a specific processing of data.
If a processor begins, alone or jointly with others, determining the purposes
and means of the processing of personal data, they are a controller with
respect to the processing and may be subject to an enforcement action under the
CTDPA.
"Processor" means an individual who, or legal entity that,
processes personal data on behalf of a controller. Determining whether a person
is acting as a controller or processor with respect to a specific processing of
data is a fact-based determination that depends on the context in which
personal data is to be processed. A processor that continues to adhere to a
controller's instructions with respect to a specific processing of personal
data remains a processor.
"Process" or "processing" means any operation or set of
operations performed, whether by manual or automated means, on personal data or
on sets of personal data, such as the collection, use, storage, disclosure,
analysis, deletion, or modification of personal data.
"Personal data" means any information that is linked or reasonably
linkable to an identified or identifiable individual and does not include
de-identified data or publicly available information.
"Identified or identifiable individual" means an individual who
can be readily identified, directly or indirectly.
"De-identified data" means data that cannot reasonably be used to
infer information about, or otherwise be linked to, an identified or
identifiable individual, or a device linked to such individual, if the
controller possesses such data.
- Takes reasonable measures to ensure that such data cannot be associated
with an individual;
- Publicly commits to process such data only in a de-identified fashion and
not attempt to re-identify such data; and
- Contractually obligates any recipients of such data to satisfy the
criteria in the two immediately preceding bullet points.
"Sale of personal data" means the exchange of personal data for
monetary or other valuable consideration by a controller to a third party and
does not include the disclosure of the following.
- Of personal data to a processor that processes the personal data on
behalf of the controller;
- Of personal data to a third party for purposes of providing a product or
service requested by the consumer;
- Or transfer of personal data to an affiliate of the controller;
- Of personal data where the consumer directs the controller to disclose
the personal data or intentionally uses the controller to interact with a
third party;
- Of personal data that the consumer intentionally made available to the
general public via a channel of mass media and did not restrict to a specific
audience; or
- Or transfer of personal data to a third party as an asset that is part of
a merger, acquisition, bankruptcy or other transaction, or a proposed merger,
acquisition, bankruptcy, or other transaction in which the third party
assumes control of all or part of the controller's assets.
"Third party" means an individual or legal entity, such as a
public authority, agency, or body, other than the consumer, controller, or
processor or an affiliate of the processor or the controller.
"Affiliate" means a legal entity that shares common branding with
another legal entity or controls, is controlled by, or is under common control
with another legal entity. For purposes of this definition, "control"
or "controlled" means the following.
- Ownership of, or the power to vote, more than 50 percent of the
outstanding shares of any class of voting security of a company;
- Control in any manner over the election of a majority of the directors or
of individuals exercising similar functions; or
- The power to exercise controlling influence over the management of a
company.
"Targeted advertising" means displaying advertisements to a
consumer where the advertisement is selected based on personal data obtained or
inferred from that consumer's activities over time and across nonaffiliated
Internet websites or online applications to predict such consumer's
preferences or interests and does not include the following.
- Advertisements based on activities within a controller's own Internet
websites or online applications;
- Advertisements based on the context of a consumer's current search
query, visit to an Internet website, or online application;
- Advertisements directed to a consumer in response to the consumer's
request for information or feedback; or
- Processing personal data solely to measure or report advertising
frequency, performance, or reach.
"Profiling" means any form of automated processing performed on
personal data to evaluate, analyze, or predict personal aspects related to an
identified or identifiable individual's economic situation, health,
personal preferences, interests, reliability, behavior, location, or
movements.
"Decisions that produce legal or similarly significant effects
concerning the consumer" mean decisions made by the controller that result
in the provision or denial by the controller of financial or lending services,
housing, insurance, education enrollment or opportunity, criminal justice,
employment opportunities, healthcare services, or access to essential goods or
services.
"Consent" means a clear affirmative act signifying a
consumer's freely given, specific, informed, and unambiguous agreement to
allow the processing of personal data relating to the consumer and may include
a written statement, including by electronic means, or any other unambiguous
affirmative action. The following does not constitute consent.
- Acceptance of a general or broad terms of use or similar document that
contains descriptions of personal data processing along with other, unrelated
information;
- Hovering over, muting, pausing, or closing a given piece of content;
or
- Agreement obtained through the use of dark patterns.
"Dark pattern" means a user interface designed or manipulated with
the substantial effect of subverting or impairing user autonomy,
decision-making, or choice and includes, but is not limited to, any practice
the Federal Trade Commission refers to as a "dark pattern."
"Sensitive data" means personal data that includes the
following.
- Data revealing racial or ethnic origin, religious beliefs, mental or
physical health condition or diagnosis, sex life, sexual orientation, or
citizenship or immigration status;
- The processing of genetic or biometric data for the purpose of uniquely
identifying an individual;
- Personal data collected from a known child; or
- Precise geolocation data.
"Child" has the same meaning as provided in the Children's
Online Privacy Protection Act.
"Pseudonymous data" means personal data that cannot be attributed
to a specific individual without the use of additional information, provided
such additional information is kept separately and is subject to appropriate
technical and organizational measures to ensure that the personal data is not
attributed to an identified or identifiable individual.
"Trade secret" has the same meaning as provided in section 35–51
of the Connecticut General Statutes.
Consumer Rights
A consumer may exercise consumer rights by a secure and reliable means
established by the controller and described to the consumer in the
controller's privacy notice.
- Right of access. A consumer has the right to confirm
whether or not a controller is processing the consumer's personal data
and access such personal data, unless such confirmation or access would
require the controller to reveal a trade secret.
- Right to correction. A consumer has the right to correct
inaccuracies in the consumer's personal data, taking into account the
nature of the personal data and the purposes of the processing of the
consumer's personal data.
- Right to deletion. A consumer has the right to delete
personal data provided by, or obtained about, the consumer.
- Right to data portability. A consumer has the right to
obtain a copy of the consumer's personal data processed by the
controller, in a portable and, to the extent technically feasible, readily
usable format that allows the consumer to transmit the data to another
controller without hindrance, where the processing is carried out by
automated means, provided such controller will not be required to reveal any
trade secret.
-
Right to opt out. A consumer has the right to opt out of
the processing of the personal data for purposes of the following.
- Targeted advertising;
- The sale of personal data, subject to a specified exception;
or
- Profiling in furtherance of solely automated decisions that produce
legal or similarly significant effects concerning the consumer.
If a controller sells personal data to third parties or processes personal
data for targeted advertising, the controller must clearly and conspicuously
disclose such processing as well as the manner in which a consumer may exercise
the right to opt out of such processing.
Privacy Notice and Related Requirements
A controller must provide consumers with a reasonably accessible, clear, and
meaningful privacy notice that includes all of the following.
- The categories of personal data processed by the controller
- The purpose for processing personal data
- How consumers may exercise their consumer rights, including how a
consumer may appeal a controller's decision with regard to the
consumer's request
- The categories of personal data that the controller shares with third
parties, if any
- The categories of third parties, if any, with which the controller shares
personal data
- An active electronic mail address or other online mechanism that the
consumer may use to contact the controller
If a controller sells personal data to third parties or processes personal
data for targeted advertising, the controller must clearly and conspicuously
disclose such processing as well as the manner in which a consumer may exercise
the right to opt out of such processing.
A controller must describe in the privacy notice the means for consumers to
submit a request to exercise their consumer rights.
Any such means must include the following.
- Providing a clear and conspicuous link on the controller's Internet
website to an Internet Web page that enables a consumer, or an agent of the
consumer, to opt out of the targeted advertising or sale of the
consumer's personal data; and
- Not later than January 1, 2025, allowing a consumer to opt out of any
processing of the consumer's personal data for the purposes of targeted
advertising, or any sale of such personal data, through an opt-out preference
signal sent, with such consumer's consent, by a platform, technology, or
mechanism to the controller indicating such consumer's intent to opt out
of any such processing or sale. Such platform, technology, or mechanism must
do the following.
- Not unfairly disadvantage another controller;
- Not make use of a default setting, but, rather, require the consumer
to make an affirmative, freely given, and unambiguous choice to opt out
of any processing of such consumer's personal data pursuant to the
CTDPA;
- Be consumer friendly and easy to use by the average consumer;
- Be as consistent as possible with any other similar platform,
technology, or mechanism required by any federal or state law or
regulation; and
- Enable the controller to accurately determine whether the consumer is
a Connecticut resident and whether the consumer has made a legitimate
request to opt out of any sale of such consumer's personal data or
targeted advertising.