This article discusses the Connecticut Data Privacy Act (CTDPA) controller and processor responsibilities, controller-processor contracts, data protection assessments, de-identified data, and Connecticut attorney general enforcement.
The CTDPA application and definitions, consumer rights and privacy notice, and related requirements were discussed in "Connecticut Data Privacy Act: Application and Definitions." The CTDPA will take effect on July 1, 2023.
A controller must do the following.
A controller must not discriminate against a consumer for exercising any of the consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.
A controller must not require a consumer to create a new account to exercise consumer rights but may require a consumer to use an existing account.
Nothing in the CTDPA shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
A processor must adhere to the instructions of the controller and assist the controller in meeting its obligations under the CTDPA, and such assistance must include the following.
Nothing regarding such processor responsibilities shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship, as described in the CTDPA.
A contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller.
The contract must be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties, and also require that the processor does the following.
The processor also must provide a report of such assessment to the controller upon request.
Nothing regarding such controller-processor contracts shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship, as described in the CTDPA.
Data protection assessment requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive.
A controller must conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer.
For this purpose, "processing that presents a heightened risk of harm to a consumer" includes the following.
Data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that the controller can employ to reduce such risks.
The controller must factor into any such data protection assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.
If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy these data protection assessment requirements if such data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to these data protection assessment requirements.
A single data protection assessment may address a comparable set of processing operations that include similar activities.
Any controller in possession of de-identified data must do the following.
Nothing in the CTDPA shall be construed to do the following.
Nothing in in the CTDPA shall be construed to require a controller or processor to comply with an authenticated consumer rights request if the controller does the following.
The consumer rights of access to correction, to deletion, and to data portability shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.
A controller that discloses pseudonymous data or de-identified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and must take appropriate steps to address any breaches of those contractual commitments.
The Connecticut attorney general will have exclusive authority to enforce violations of the CTDPA.
During the period beginning on July 1, 2023, and ending on December 31, 2024, the Connecticut attorney general must, prior to initiating any action for a violation of any provision of the CTDPA, issue a notice of violation to the controller if the Connecticut attorney general determines that a cure is possible. If the controller fails to cure such violation within 60 days of receipt of the notice of violation, the Connecticut attorney general may bring an action pursuant to the CTDPA.
Beginning on January 1, 2025, the Connecticut attorney general may, in determining whether to grant a controller or processor the opportunity to cure an alleged violation of any provision of the CTDPA, consider the following.
A violation of the requirements of the CTDPA will constitute an unfair trade practice for purposes of section 42–110b of the Connecticut General Statutes and will be enforced solely by the Connecticut attorney general, provided the provisions of section 42–110g of the Connecticut General Statutes will not apply to such violation.
Nothing in the CTDPA shall be construed as providing the basis for, or be subject to, a private right of action for violations of the CTDPA or any other law.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.