Connecticut is the latest state to have passed a comprehensive consumer privacy law. The Connecticut Data Privacy Act (CTDPA) will go into effect on July 1, 2023. Continue reading to learn more about how your business can start preparing for compliance.
This is the fourth article in our series of blog posts that will help your business stay compliant with the new state privacy laws in 2023. Connecticut is the latest state in the U.S. to pass a comprehensive consumer privacy law. Similar to Colorado’s CPA, the Connecticut Data Privacy Act (CTDPA) will go into effect on July 1, 2023.
CTDPA is most similar to Colorado’s and Virginia’s privacy laws, but it also contains elements of California’s CPRA. In this article, we’ll go over the unique provisions of Connecticut’s new privacy law in more detail, compare it with the previous three privacy laws we covered, and demonstrate how your business can get ready for compliance next year.
Connecticut’s privacy law applies to business entities that operate within the state, or target their products or services to Connecticut residents. Additionally, these business entities must:
Like Virginia’s CDPA and Colorado’s CPA, CTDPA does not use an annual revenue threshold to determine which businesses need to adhere to the law.
If your business falls into either of the categories above, it should start preparing for CTDPA compliance before next summer. We’ll help your businesses get started by examining the similarities and differences between CTDPA and other states’ privacy laws.
One of the most unique provisions of the Connecticut Data Privacy Act is “joint enforcement” with California and Colorado’s state privacy laws (also known as the “3Cs”). Joint enforcement refers to “multi-state enforcement actions against entities that violate comparable provisions of the three laws.”
This means Connecticut will be able to participate in cross-state investigations and enforcements for privacy violations. Virginia and Utah, on the other hand, will not, since privacy violations can still be rectified during their respective cure periods.
Additionally, CTDPA will phase out cure periods for companies that violate the coming privacy law. Unlike Virginia’s CDPA, which has a cure period that lasts for 30 days after the business is notified of a privacy violation, Connecticut’s cure period will only last between July 1, 2023, to December 31, 2024. After that, the Connecticut Office of the Attorney General will decide how to proceed with violations.
Lawmakers set this provision in the hopes that companies will swiftly make their data privacy practices fully compliant with CTDPA by 2025.
As with Virginia and Colorado, Connecticut residents will be able to opt out of data sales, targeted advertising, and profiling.
The law states that users should be able to manage their opt-out preferences through a company-provided “platform, technology, or mechanism.” By January 1, 2025, businesses must state this in their privacy policies, as well as provide the opt-out mechanism on their websites.
Like with Virginia and Colorado, Connecticut’s privacy law requires businesses to obtain explicit opt-in consent before they can process residents’ sensitive personal information.
CTDPA defines sensitive personal data as anything that reveals:
Much like Colorado’s privacy law, CTDPA is based on a hybrid consent model, where explicit consent is required for only specific data categories. This can lead to some confusion on how your business should design and implement its consent mechanism. Ethyca’s Privacy Center can help your businesses maintain granular control over your users’ consent preferences.
Unlike California, Virginia, and Colorado, Connecticut’s privacy law clearly states that Connecticut residents are allowed to revoke their consent choices. For example, if a consumer originally agreed to have their data collected by a business and changed their mind, the business must stop processing their data as soon as practicable.
To allow consumers to exercise their right, businesses must provide an easy-to-use mechanism to revoke consent.
CTDPA also expands the definition of biometric data. Although it is similar to Virginia’s definition of biometric data, Connecticut explicitly includes the category of a digital or physical photograph, or an audio or video recording that is “generated to identify a specific individual.”
This stricter definition of biometric data broadens protections for Connecticut residents, as well as significantly limits what consumer data businesses can collect.
Connecticut’s privacy law uses the Children’s Online Privacy Protection Rule’s (COPPA) definition of child to mean “an individual under the age of 13.” As stated above, the data of children who are under the age of 13 qualifies as sensitive personal data.
CTDPA states that companies shall not “process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least thirteen years of age but younger than sixteen years of age.”
In order to collect and process the data of a child known to be under 13 years old, CTDPA states that companies must obtain the consent of the parent or guardian. The parent or guardian may also exercise the child’s data privacy rights on their behalf.
Keeping track of the different state privacy laws can make privacy ops seem overwhelming for your business. Fortunately, Ethyca can help your company stay compliant no matter what state it does business in.
Ethyca is already getting ready for the new regulations coming in 2023. We’re updating the Consent Management experience for customers. Additionally, your business will soon be able to classify the data it collects into different data categories. Ethyca’s Consent Management Platform can help you manage Connecticuters’ consent preferences by giving them control over their opt-in and opt-out preferences. You’ll also be able to store their consent preferences for reporting and auditing.
If you want to exercise more granular control over your business’ privacy ops, your company also has the option of using the Fides privacy engineering platform. With Fides, your business can automate users’ privacy requests. You’ll be able to create a dynamic data map of all of the PII across multiple systems in your business. Instead of dealing with out-of-date data maps, your business will be able to easily fulfill user requests.
Since CTDPA will go into effect on July 1, 2023, your business still has more time to prepare for compliance. Getting ready for CPRA and CDPA, which goes into effect on January 1, 2023, will give your business a head start. Additionally, since Connecticut’s privacy law is similar to Colorado’s, preparing for CPA will also put your business in good shape for the next year.
It can be a challenge to accommodate so many state laws and their nuances. But, as you can see from this blog series, preparing for one state privacy law can help you get ready for others. Ethyca is here to help your business stay compliant no matter what state your company operates in.
Ethyca’s VP of Engineering Neville Samuell recently spoke at the University of Texas at Austin’s Texas McCombs School of Business about privacy engineering and its role in today’s digital landscape. Read a summary of the discussion by Neville himself here.
Learn more about all of the updates in the Fides 2.24 release here.
Ethyca’s Senior Software Engineer Adam Sachs goes through the thought process of creating Fideslang, the privacy engineering taxonomy that standardizes privacy compliance in software development.
Learn more about all of the updates in the Fides 2.23 release here.
Our Senior Software Engineer Dawn Pattison walks you through implementing data minimization into your business.
Learn more about all of the updates in the Fides 2.22 release here.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!Request a Demo