What are the requirements of the CTDPA?

Connecticut consumers are granted data subject rights and consent rights that your business needs to fulfill. This section will go over these rights in more detail.

Data Subject Requests

Data subject requests (DSRs) are requests that users can make to exercise control over the personal information businesses collect on them.

Under CTDPA, Connecticut residents have the following consumer rights:

Right to Know and Access: Consumers are allowed to request to know if a company is collecting and processing their personal information, and access what personal data that company has on them.
Right to Correct: Consumers are allowed to request that a company correct inaccurate information about them.
Right to Delete: Consumers are allowed to request the deletion of all of the personal data a company has on them. This also extends to the personal data held by data processors, third-party vendors, or subcontractors.
Right to Data Portability: Consumers are allowed to request a copy of the data a company holds on them in a machine-readable format.
Right to Appeal: Consumers are allowed to challenge a company’s refusal to process a data subject request.

Connecticut's privacy law mandates that businesses respond to consumers' requests within 45 days. Businesses can extend this period by an additional 45 days if needed to process complicated requests.

Consent Requirements

Connecticut's privacy law also grants consumers specific consent rights to control how businesses process their personal data. Under CTDPA, businesses must enable consumers to submit their consent preferences online. Here are the opt-out and opt-in consent rights Connecticut residents have:

Opt-Out
Targeted Advertising: Displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests.
Sale of Personal Data: The exchange of personal data for monetary consideration by the controller to a third party.
Profiling: Any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Opt-In
The Processing of Sensitive Data
  • Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person.
  • The personal data collected from a known child (under 13 years old).
  • Precise geolocation data.

Businesses must communicate how users can exercise their consent rights through Privacy Notices on their websites.

Universal Opt-Out Mechanism

Similarly to Colorado's privacy law, Connecticut's privacy law also requires businesses to allow consumers to opt out of targeted advertising or the sale of personal data via an opt-out preference signal or universal opt-out mechanism.

Consumers can use universal opt-out mechanisms to communicate their opt-out preferences across multiple websites at once, rather than one website at a time. Under CTDPA, businesses must be able to recognize universal opt-out mechanisms on their websites by January 1, 2025.

To ensure you're adhering to CTDPA's consent requirements, make sure your business website can read and record opt-out preference signals.

Enforcement

The Attorney General of Connecticut has exclusive authority over enforcing CTDPA. That means Connecticut residents do not have a private right of action and cannot directly sue a company over privacy violations.

Upon receiving a notice of privacy violations from the AG, businesses have a 60-day cure period to correct infractions. Take note that the cure period will sunset by December 31, 2024. Businesses will need to make sure their privacy operations meet CTDPA standards by then.