How Your Business Can Prepare for Connecticut’s CTDPA

Introduction

This is the fourth article in our series of blog posts that will help your business stay compliant with the new state privacy laws in 2023. Connecticut is the latest state in the U.S. to pass a comprehensive consumer privacy law. Similar to Colorado’s CPA, the Connecticut Data Privacy Act (CTDPA) will go into effect on July 1, 2023. 

CTDPA is most similar to Colorado’s and Virginia’s privacy laws, but it also contains elements of California’s CPRA. In this article, we’ll go over the unique provisions of Connecticut’s new privacy law in more detail, compare it with the previous three privacy laws we covered, and demonstrate how your business can get ready for compliance next year.

Does CTDPA Apply to Your Business?

Connecticut’s privacy law applies to business entities that operate within the state, or target their products or services to Connecticut residents. Additionally, these business entities must:

1. Control or process the data of at least 100,000 Connecticut consumers, excluding the personal data used only for completing a payment transaction.
2. Control or process the data of at least 25,000 Connecticut consumers and derive more than 25% of gross revenue from the sale of personal data.

Like Virginia’s CDPA and Colorado’s CPA, CTDPA does not use an annual revenue threshold to determine which businesses need to adhere to the law. 

If your business falls into either of the categories above, it should start preparing for CTDPA compliance before next summer. We’ll help your businesses get started by examining the similarities and differences between CTDPA and other states’ privacy laws.

What’s Included in the Connecticut Data Privacy Act?

Multi-state Enforcement with California and Colorado

One of the most unique provisions of the Connecticut Data Privacy Act is “joint enforcement” with California and Colorado’s state privacy laws (also known as the “3Cs”). Joint enforcement refers to “multi-state enforcement actions against entities that violate comparable provisions of the three laws.” 

This means Connecticut will be able to participate in cross-state investigations and enforcements for privacy violations. Virginia and Utah, on the other hand, will not, since privacy violations can still be rectified during their respective cure periods. 

Sunsetting Cure Periods for Privacy Violations

Additionally, CTDPA will phase out cure periods for companies that violate the coming privacy law. Unlike Virginia’s CDPA, which has a cure period that lasts for 30 days after the business is notified of a privacy violation, Connecticut’s cure period will only last between July 1, 2023, to December 31, 2024. After that, the Connecticut Office of the Attorney General will decide how to proceed with violations. 

Lawmakers set this provision in the hopes that companies will swiftly make their data privacy practices fully compliant with CTDPA by 2025. 

Universal Opt-Out Signals

As with Virginia and Colorado, Connecticut residents will be able to opt out of data sales, targeted advertising, and profiling. 

The law states that users should be able to manage their opt-out preferences through a company-provided “platform, technology, or mechanism.” By January 1, 2025, businesses must state this in their privacy policies, as well as provide the opt-out mechanism on their websites.

Explicit Opt-In Consent for Sensitive Personal Information

Like with Virginia and Colorado, Connecticut’s privacy law requires businesses to obtain explicit opt-in consent before they can process residents’ sensitive personal information.

CTDPA defines sensitive personal data as anything that reveals:

• Racial or ethnic origin.
• Religious beliefs.
• Mental or physical health condition or diagnosis.
• Sex life.
• Sexual orientation.
• Citizenship or immigration status.
• Genetic or biometric data for the purpose of uniquely identifying an individual.
• Children’s data.
• Precise geolocation data.

Following Colorado’s CPA, user consent has to be “freely given, specific, informed and unambiguous.” This excludes consumers accepting general or broad terms of use, using dark patterns, and hovering over, pausing, or closing consent signals.

Much like Colorado’s privacy law, CTDPA is based on a hybrid consent model, where explicit consent is required for only specific data categories. This can lead to some confusion on how your business should design and implement its consent mechanism. Ethyca’s Privacy Center can help your businesses maintain granular control over your users’ consent preferences. 

Mechanism to Revoke Consent

Unlike California, Virginia, and Colorado, Connecticut’s privacy law clearly states that Connecticut residents are allowed to revoke their consent choices. For example, if a consumer originally agreed to have their data collected by a business and changed their mind, the business must stop processing their data as soon as practicable. 

To allow consumers to exercise their right, businesses must provide an easy-to-use mechanism to revoke consent. 

Additions to Biometric Data

CTDPA also expands the definition of biometric data. Although it is similar to Virginia’s definition of biometric data, Connecticut explicitly includes the category of a digital or physical photograph, or an audio or video recording that is “generated to identify a specific individual.” 

This stricter definition of biometric data broadens protections for Connecticut residents, as well as significantly limits what consumer data businesses can collect.

Stricter Limits Regarding Children’s Data

Connecticut’s privacy law uses the Children’s Online Privacy Protection Rule’s (COPPA) definition of child to mean “an individual under the age of 13.” As stated above, the data of children who are under the age of 13 qualifies as sensitive personal data.

CTDPA states that companies shall not “process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least thirteen years of age but younger than sixteen years of age.”

In order to collect and process the data of a child known to be under 13 years old, CTDPA states that companies must obtain the consent of the parent or guardian. The parent or guardian may also exercise the child’s data privacy rights on their behalf.

How Ethyca Can Help Your Business Comply With CTDPA

Keeping track of the different state privacy laws can make privacy ops seem overwhelming for your business. Fortunately, Ethyca can help your company stay compliant no matter what state it does business in.

Ethyca is already getting ready for the new regulations coming in 2023. We’re updating the Consent Management experience for customers. Additionally, your business will soon be able to classify the data it collects into different data categories. Ethyca’s Consent Management Platform can help you manage Connecticuters’ consent preferences by giving them control over their opt-in and opt-out preferences. You’ll also be able to store their consent preferences for reporting and auditing.

If you want to exercise more granular control over your business’ privacy ops, your company also has the option of using the Fides privacy engineering platform. With Fides, your business can automate users’ privacy requests. You’ll be able to create a dynamic data map of all of the PII across multiple systems in your business. Instead of dealing with out-of-date data maps, your business will be able to easily fulfill user requests.

Conclusion

Since CTDPA will go into effect on July 1, 2023, your business still has more time to prepare for compliance. Getting ready for CPRA and CDPA, which goes into effect on January 1, 2023, will give your business a head start. Additionally, since Connecticut’s privacy law is similar to Colorado’s, preparing for CPA will also put your business in good shape for the next year. 

It can be a challenge to accommodate so many state laws and their nuances. But, as you can see from this blog series, preparing for one state privacy law can help you get ready for others. Ethyca is here to help your business stay compliant no matter what state your company operates in.