Expert Commentary

Connecticut Data Privacy Act: Exceptions

This article discusses exceptions to the Connecticut Data Privacy Act (CTDPA). The CTDPA will take effect July 1, 2023.

Cyber and Privacy Risk and Insurance
June 2022

Other aspects of the CTDPA are discussed in "Connecticut Data Privacy Act: Application and Definitions" and "Connecticut Data Privacy Act: Controllers and Processors, Assessments, De-identified Data, and Enforcement."


The CTDPA does not apply to any of the following.

  • Connecticut body, authority, board, bureau, commission, district, agency, or political subdivision;
  • Nonprofit organization;
  • Institution of higher education;
  • National securities association that is registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act of 1934, as amended from time to time;
  • Financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq.; or
  • Covered entity or business associate, as defined in 45 C.F.R. § 160.103.

The following information and data are exempt from the provisions of the CTDPA.

  • Protected health information under the Health Insurance Portability and Accountability Act (HIPAA);
  • Patient-identifying information for purposes of 42 U.S.C. § 290dd-2;
  • Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. § 46;
  • Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use;
  • The protection of human subjects under 21 C.F.R. Parts 6, 50 and 56, or personal data used or shared in research, as defined in 45 C.F.R. § 164.501, that is conducted in accordance with the foregoing standards and in the immediately preceding two bullet points, or other research conducted in accordance with applicable law;
  • Information and documents created for purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C. §§ 11101 et seq.;
  • Patient safety work product for purposes of section 19a–127o of the Connecticut General Statutes and the Patient Safety and Quality Improvement Act, 42 U.S.C. §§ 299b-21 et seq., as amended from time to time;
  • Information derived from any of the health-care-related information listed in these bullet points that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;
  • Information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under these bullet points that is maintained by a covered entity or business associate, program, or qualified service organization, as specified in 42 U.S.C. § 290dd-2, as amended from time to time;
  • Information used for public health activities and purposes as authorized by HIPAA, community health activities, and population health activities;
  • The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq., as amended from time to time;
  • Personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act of 1994, 18 U.S.C. §§ 2721 et seq., as amended from time to time;
  • Personal data regulated by the Family Educational Rights and Privacy Act, 20 U.S.C. §§ 1232g et seq., as amended from time to time;
  • Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act, 12 U.S.C. §§ 2001 et seq., as amended from time to time;
  • Data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role, as the emergency contact information of an individual under the CTDPA used for emergency contact purposes, or that is necessary to retain to administer benefits for another individual relating to the individual who is the subject of information under HIPAA protected health information and used for the purposes of administering such benefits; and
  • Personal data collected, processed, sold, or disclosed in relation to price, route, or service, as such terms are used in the Airline Deregulation Act, 49 U.S.C. §§ 40101 et seq., as amended from time to time, by an air carrier subject thereto, to the extent the CTDPA is preempted by the Airline Deregulation Act, 49 U.S.C. § 41713, as amended from time to time.

Additional Exceptions

Below are additional exceptions to the CTDPA (collectively, "Additional Exceptions").

Nothing in the CTDPA shall be construed to restrict a controller's or processor's ability to do the following.

  • Comply with federal, state, or municipal ordinances or regulations;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, municipal, or other governmental authorities;
  • Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or municipal ordinances or regulations;
  • Investigate, establish, exercise, prepare for, or defend legal claims;
  • Provide a product or service specifically requested by a consumer;
  • Perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty;
  • Take steps at the request of a consumer prior to entering into a contract;
  • Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual, and where the processing cannot be manifestly based on another legal basis;
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity and preserve the integrity or security of systems or investigate, report, or prosecute those responsible for any such action;
  • Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines, or similar independent oversight entities that determine, whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification;
  • Assist another controller, processor, or third party with any of the obligations under the CTDPA; or
  • Process personal data for reasons of public interest in the area of public health, community health, or population health, but solely to the extent that such processing is subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed, and under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.

The obligations imposed on controllers or processors under the CTDPA shall not restrict a controller's or processor's ability to collect, use, or retain data for internal use to do the following.

  • Conduct internal research to develop, improve, or repair products, services, or technology;
  • Effectuate a product recall;
  • Identify and repair technical errors that impair existing or intended functionality; or
  • Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party (collectively, "Specified Additional Exceptions").

The obligations imposed on controllers or processors under the CTDPA shall not apply where compliance by the controller or processor therewith would violate an evidentiary privilege under the laws of Connecticut. Nothing in the CTDPA shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of Connecticut as part of a privileged communication.

Nothing in the CTDPA shall be construed to do the following.

  • Impose any obligation on a controller or processor that adversely affects the rights or freedoms of any person, including, but not limited to, the rights of any person to freedom of speech or freedom of the press guaranteed in the First Amendment to the US Constitution or under section 52–146t of the Connecticut General Statutes; or
  • Apply to any person's processing of personal data in the course of such person's purely personal or household activities.

Personal data processed by a controller pursuant to the Additional Exceptions may be processed to the extent that such processing is reasonably necessary and proportionate to the purposes listed in the Additional Exceptions and adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in the Additional Exceptions. Personal data collected, used, or retained pursuant to the Specified Additional Exceptions must, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. Such data must be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use, or retention of personal data.

If a controller processes personal data pursuant to an Additional Exception, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in the immediately preceding paragraph.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

Like This Article?

IRMI Update

Dive into thought-provoking industry commentary every other week, including links to free articles from industry experts. Discover practical risk management tips, insight on important case law and be the first to receive important news regarding IRMI products and events.

Learn More