Connecticut Governor Ned Lamont signed the Personal Data Privacy and Online Monitoring Act (CPDPA) into law on May 10, 2022, making Connecticut the most recent state to pass its own online privacy law. In the absence of comprehensive federal privacy legislation, Connecticut follows Nevada, California, Virginia, Colorado and Utah in enacting comprehensive privacy legislation, with more bills pending in other state legislatures.
Connecticut’s law takes effect July 1, 2023, giving businesses just over a year to determine whether it applies to them and, if so, to take steps to comply. Fortunately, many organizations already have compliance programs in place for the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), so adapting those programs to the nuances of other states’ laws, including Connecticut’s, won’t be as intimidating as building the first one.
The CPDPA establishes a framework for the control and processing of personal data. The law:
- defines responsibilities and privacy standards for data controllers;
- gives consumers the right to access, correct, delete and obtain a copy of personal data and to object to the processing of personal data for certain purposes (eg, targeted advertising);
- requires data controllers to carry out data protection assessments;
- authorizes the state attorney general to bring an action to enforce the requirements of the bill; and
- treats violations as violations of Connecticut’s unfair trade practices law.
The full text of the act is available at https://cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF
The CPDPA applies to persons that conduct business in Connecticut or produce products or services targeted to Connecticut residents and that, during the preceding calendar year, either (a) controlled or processed the personal data of at least 100,000 Connecticut consumers (excluding personal data controlled or processed solely to complete a payment transaction), or (b) controlled or processed the personal data of at least 25,000 Connecticut consumers and derived more than 25% of their gross revenue from the sale of personal data. Unlike the CCPA, applicability is not tied to a gross revenue threshold (the CCPA’s is $25 million), an important distinction that changes which organizations are covered: a low-revenue business with a large Connecticut user base can be in scope, while a high-revenue business with few Connecticut consumers may not be.
The law does not apply to nonprofit organizations, state and local governments, institutions of higher education, or national securities associations registered under the Securities Exchange Act. Consistent with other state data privacy laws, it also exempts financial institutions and data subject to the Gramm-Leach-Bliley Act, and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA).
The law excludes 16 different categories of data from its scope, including health information protected under HIPAA, information subject to the Fair Credit Reporting Act, employee and job applicant data, and information protected by the Family Educational Rights and Privacy Act.
A “consumer” is defined as a resident of Connecticut and excludes individuals “acting in a commercial or employment context,” the so-called business-to-business exception, which is consistent with other state privacy laws.
Connecticut consumers will have the right to opt out of the processing of their personal data for targeted advertising, the sale of their personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. Entities subject to the law must provide a “clear and conspicuous” link on their websites allowing consumers to opt out of this type of processing and, by January 1, 2025, must recognize universal opt-out preference signals sent by a consumer’s browser or device. As with other state privacy laws, the CPDPA also contains an anti-discrimination clause: a controller may not discriminate against a consumer for exercising rights under the law. These requirements, along with those of the other state laws taking effect in 2023, warrant another review of company websites to see whether they need to be updated.
The CPDPA requires controllers to:
- limit collection of personal data to what is adequate, relevant and reasonably necessary for the disclosed purposes of the collection;
- not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes, unless the consumer consents;
- establish, implement and maintain reasonable data security practices to protect the confidentiality, integrity and accessibility of personal data; and
- obtain consent before processing sensitive data, and process the personal data of a known child under the age of 13 in accordance with the Children’s Online Privacy Protection Act (COPPA).
Controllers will be required to update their website and other privacy notices to disclose the categories of personal data collected, the purposes of the collection, how consumers can exercise their rights under the law (including an active email address or other online mechanism for contacting the controller), the categories of personal data shared with third parties, and the categories of third parties with which the controller shares it. In addition, a controller that sells personal data to third parties or processes personal data for targeted advertising must clearly and conspicuously disclose that it does so and explain how consumers can opt out.
Also consistent with other state data privacy laws, the CPDPA requires a controller to enter into a written contract with each data processor before disclosing personal data to it. The contract must set out processing instructions, the nature and purpose of the processing, the type of data and duration of processing, and the security measures the processor must apply to protect the data. Organizations should therefore review their third-party contracts to determine whether they disclose personal data to those parties, whether the CPDPA applies to that disclosure, and whether the contracts need to be amended accordingly.
Violations of the CPDPA can expose companies to enforcement actions by the Connecticut Attorney General (AG), who may seek fines and penalties under the Connecticut Unfair Trade Practices Act. However, until December 31, 2024, the AG must give an organization written notice of an alleged violation and a 60-day opportunity to cure it before bringing an action. Beginning January 1, 2025, the AG has discretion whether to offer an opportunity to cure and may consider the organization’s conduct, including the number and nature of the violations and the likelihood of injury to the public, in deciding whether to do so and what penalties to seek.
Significantly, consistent with Colorado, Virginia and Utah but diverging from California, the CPDPA makes clear that it provides no private right of action for consumers to seek damages from organizations that violate the law. Enforcement authority rests solely with the AG.
2023 will be a busy compliance year for state data privacy laws, as the laws in Virginia, Colorado, Utah and now Connecticut all go into effect. Now is the time to determine whether these new privacy laws apply to your organization and to start planning for the resulting compliance obligations.