Additional Business Obligations of CTDPA
Connecticut's privacy law also includes specific business obligations your company must follow in order to achieve compliance. This section will break them down into more detail.
CTDPA specifies that businesses must only collect data that is "adequate, relevant, and reasonably necessary." In other words, businesses should limit the data they collect to what is needed to fulfill a specific business purpose.
Data minimization doesn't simply mean collecting less data. Rather, it's a way for businesses to protect themselves from potential data misuse. Reducing the amount of data your business collects will reduce the risk of data mishandling, such as improper collection, processing, access, storage, or sharing.
To implement data minimization in your business, identify the most necessary processing activities your business needs to conduct. Then you can focus on gathering only the data you need. Once the purpose has been fulfilled, delete the data from your systems so you're not storing more data than necessary.
Going through this exercise regularly will help your business maintain purposeful and compliant data collection practices.
Your business must be transparent about its data processing practices via its privacy notices. Your privacy policies should include:
- The categories of personal data processed by the business.
- The purpose of this processing.
- How consumers can exercise their rights and appeal.
- The categories of personal data the controller shares with third parties, if any.
- The categories of third parties the controller shares personal data with, if any.
- How the consumer can contact the controller, such as via email or online.
To make sure your business complies with CTDPA, work with your legal team to provide privacy notices on your website that include all of the above information and are easily accessible to consumers.
Businesses are also required to enter into data processing contracts with entities that process personal data on the business's behalf. Examples include third-party SaaS vendors that process and store consumers' data for your business.
These contracts must include instructions for how the processor is to handle the controller's data. They must also specify the type of data being processed, the purpose, and the duration of processing. These contracts need to ensure that the processor will not prevent the business from fulfilling data subject and consent requests, or from providing the information necessary to demonstrate compliance to regulators.
If your business works with processors or subcontractors that process users' personal data on your behalf, be sure to enter legally binding data processing contracts with each of them.
CTDPA also requires businesses to perform data protection assessments (DPAs). DPAs are a way for businesses to weigh the benefits of specific processing activities against the potential risks they pose to consumers.
DPAs under Connecticut's privacy law should assess the processing of personal data for:
- Targeted advertising.
- Sale of personal data.
- Profiling that presents a heightened risk of harm to consumers.
CTDPA considers a “heightened risk of harm” to include:
- Unfair or deceptive treatment.
- Financial, physical, or reputational injury.
- Physical or other intrusion upon private affairs.
- Other substantial injury.
The Attorney General of Connecticut can request a DPA from your business as proof of compliance. To be ready for Connecticut's regulators, make sure your business regularly documents and records DPAs for the above processing activities.