Expert Commentary

Connecticut Data Privacy Act: Controllers and Processors, Assessments, De-identified Data, and Enforcement

This article discusses the Connecticut Data Privacy Act (CTDPA) controller and processor responsibilities, controller-processor contracts, data protection assessments, de-identified data, and Connecticut attorney general enforcement.


Cyber and Privacy Risk and Insurance
June 2022

The CTDPA application and definitions, consumer rights and privacy notice, and related requirements were discussed in "Connecticut Data Privacy Act: Application and Definitions." The CTDPA will take effect on July 1, 2023.

Controller Responsibilities

A controller must do the following.

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;
  • Except as otherwise provided in in the CTDPA, not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue;
  • Not process sensitive data concerning a consumer without obtaining the consumer's consent or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the Children's Online Privacy Protection Act;
  • Not process personal data in violation of the laws of Connecticut and federal laws that prohibit unlawful discrimination against consumers;
  • Provide an effective mechanism for a consumer to revoke the consumer's consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request, and
  • Not process the personal data of a consumer for purposes of targeted advertising or sell the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age.

A controller must not discriminate against a consumer for exercising any of the consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.

A controller must not require a consumer to create a new account to exercise consumer rights but may require a consumer to use an existing account.

Nothing in the CTDPA shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

Processor Responsibilities

A processor must adhere to the instructions of the controller and assist the controller in meeting its obligations under the CTDPA, and such assistance must include the following.

  • Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests;
  • Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security, as defined in section 36a-701b of the Connecticut General Statutes, of the system of the processor, in order to meet the controller's obligations; and
  • Providing necessary information to enable the controller to conduct and document data protection assessments.

Nothing regarding such processor responsibilities shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship, as described in the CTDPA.

Controller-Processor Contracts

A contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller.

The contract must be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties, and also require that the processor does the following.

  • Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  • At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  • Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in the CTDPA;
  • After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and
  • Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under the CTDPA, using an appropriate and accepted control standard or framework and assessment procedure for such assessments.

The processor also must provide a report of such assessment to the controller upon request.

Nothing regarding such controller-processor contracts shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship, as described in the CTDPA.

Data Protection Assessments

Data protection assessment requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive.

A controller must conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer.

For this purpose, "processing that presents a heightened risk of harm to a consumer" includes the following.

  • The processing of personal data for the purposes of targeted advertising;
  • The sale of personal data;
  • The processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of the following.
    • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • Financial, physical, or reputational injury to consumers;
    • A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
    • Other substantial injury to consumers; and
  • The processing of sensitive data.

Data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that the controller can employ to reduce such risks.

The controller must factor into any such data protection assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.

If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy these data protection assessment requirements if such data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to these data protection assessment requirements.

A single data protection assessment may address a comparable set of processing operations that include similar activities.

De-identified Data

Any controller in possession of de-identified data must do the following.

  • Take reasonable measures to ensure that the data cannot be associated with an individual;
  • Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
  • Contractually obligate any recipients of the de-identified data to comply with all provisions of the CTDPA.

Nothing in the CTDPA shall be construed to do the following.

  • Require a controller or processor to re-identify de-identified data or pseudonymous data; or
  • Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data.

Nothing in in the CTDPA shall be construed to require a controller or processor to comply with an authenticated consumer rights request if the controller does the following.

  • Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;
  • Does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
  • Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in the CTDPA.

The consumer rights of access to correction, to deletion, and to data portability shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.

A controller that discloses pseudonymous data or de-identified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and must take appropriate steps to address any breaches of those contractual commitments.

Enforcement

The Connecticut attorney general will have exclusive authority to enforce violations of the CTDPA.

During the period beginning on July 1, 2023, and ending on December 31, 2024, the Connecticut attorney general must, prior to initiating any action for a violation of any provision of the CTDPA, issue a notice of violation to the controller if the Connecticut attorney general determines that a cure is possible. If the controller fails to cure such violation within 60 days of receipt of the notice of violation, the Connecticut attorney general may bring an action pursuant to the CTDPA.

Beginning on January 1, 2025, the Connecticut attorney general may, in determining whether to grant a controller or processor the opportunity to cure an alleged violation of any provision of the CTDPA, consider the following.

  • The number of violations;
  • The size and complexity of the controller or processor;
  • The nature and extent of the controller's or processor's processing activities;
  • The substantial likelihood of injury to the public;
  • The safety of persons or property; and
  • Whether such alleged violation was likely caused by human or technical error.

A violation of the requirements of the CTDPA will constitute an unfair trade practice for purposes of section 42–110b of the Connecticut General Statutes and will be enforced solely by the Connecticut attorney general, provided the provisions of section 42–110g of the Connecticut General Statutes will not apply to such violation.

Nothing in the CTDPA shall be construed as providing the basis for, or be subject to, a private right of action for violations of the CTDPA or any other law.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

Like This Article?

IRMI Update

Dive into thought-provoking industry commentary every other week, including links to free articles from industry experts. Discover practical risk management tips, insight on important case law and be the first to receive important news regarding IRMI products and events.

Learn More