Connecticut is the latest state to have passed a comprehensive consumer privacy law. The Connecticut Data Privacy Act (CTDPA) will go into effect on July 1, 2023. Continue reading to learn more about how your business can start preparing for compliance.
This is the fourth article in our series of blog posts that will help your business stay compliant with the new state privacy laws in 2023. Connecticut is the latest state in the U.S. to pass a comprehensive consumer privacy law. Similar to Colorado’s CPA, the Connecticut Data Privacy Act (CTDPA) will go into effect on July 1, 2023.
CTDPA is most similar to Colorado’s and Virginia’s privacy laws, but it also contains elements of California’s CPRA. In this article, we’ll go over the unique provisions of Connecticut’s new privacy law in more detail, compare it with the previous three privacy laws we covered, and demonstrate how your business can get ready for compliance next year.
Connecticut’s privacy law applies to business entities that operate within the state, or target their products or services to Connecticut residents. Additionally, these business entities must:
Like Virginia’s CDPA and Colorado’s CPA, CTDPA does not use an annual revenue threshold to determine which businesses need to adhere to the law.
If your business falls into either of the categories above, it should start preparing for CTDPA compliance before next summer. We’ll help your businesses get started by examining the similarities and differences between CTDPA and other states’ privacy laws.
One of the most unique provisions of the Connecticut Data Privacy Act is “joint enforcement” with California and Colorado’s state privacy laws (also known as the “3Cs”). Joint enforcement refers to “multi-state enforcement actions against entities that violate comparable provisions of the three laws.”
This means Connecticut will be able to participate in cross-state investigations and enforcements for privacy violations. Virginia and Utah, on the other hand, will not, since privacy violations can still be rectified during their respective cure periods.
Additionally, CTDPA will phase out cure periods for companies that violate the coming privacy law. Unlike Virginia’s CDPA, which has a cure period that lasts for 30 days after the business is notified of a privacy violation, Connecticut’s cure period will only last between July 1, 2023, to December 31, 2024. After that, the Connecticut Office of the Attorney General will decide how to proceed with violations.
Lawmakers set this provision in the hopes that companies will swiftly make their data privacy practices fully compliant with CTDPA by 2025.
As with Virginia and Colorado, Connecticut residents will be able to opt out of data sales, targeted advertising, and profiling.
The law states that users should be able to manage their opt-out preferences through a company-provided “platform, technology, or mechanism.” By January 1, 2025, businesses must state this in their privacy policies, as well as provide the opt-out mechanism on their websites.
Like with Virginia and Colorado, Connecticut’s privacy law requires businesses to obtain explicit opt-in consent before they can process residents’ sensitive personal information.
CTDPA defines sensitive personal data as anything that reveals:
Much like Colorado’s privacy law, CTDPA is based on a hybrid consent model, where explicit consent is required for only specific data categories. This can lead to some confusion on how your business should design and implement its consent mechanism. Ethyca’s Privacy Center can help your businesses maintain granular control over your users’ consent preferences.
Unlike California, Virginia, and Colorado, Connecticut’s privacy law clearly states that Connecticut residents are allowed to revoke their consent choices. For example, if a consumer originally agreed to have their data collected by a business and changed their mind, the business must stop processing their data as soon as practicable.
To allow consumers to exercise their right, businesses must provide an easy-to-use mechanism to revoke consent.
CTDPA also expands the definition of biometric data. Although it is similar to Virginia’s definition of biometric data, Connecticut explicitly includes the category of a digital or physical photograph, or an audio or video recording that is “generated to identify a specific individual.”
This stricter definition of biometric data broadens protections for Connecticut residents, as well as significantly limits what consumer data businesses can collect.
Connecticut’s privacy law uses the Children’s Online Privacy Protection Rule’s (COPPA) definition of child to mean “an individual under the age of 13.” As stated above, the data of children who are under the age of 13 qualifies as sensitive personal data.
CTDPA states that companies shall not “process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least thirteen years of age but younger than sixteen years of age.”
In order to collect and process the data of a child known to be under 13 years old, CTDPA states that companies must obtain the consent of the parent or guardian. The parent or guardian may also exercise the child’s data privacy rights on their behalf.
Keeping track of the different state privacy laws can make privacy ops seem overwhelming for your business. Fortunately, Ethyca can help your company stay compliant no matter what state it does business in.
Ethyca is already getting ready for the new regulations coming in 2023. We’re updating the Consent Management experience for customers. Additionally, your business will soon be able to classify the data it collects into different data categories. Ethyca’s Consent Management Platform can help you manage Connecticuters’ consent preferences by giving them control over their opt-in and opt-out preferences. You’ll also be able to store their consent preferences for reporting and auditing.
If you want to exercise more granular control over your business’ privacy ops, your company also has the option of using the Fides privacy engineering platform. With Fides, your business can automate users’ privacy requests. You’ll be able to create a dynamic data map of all of the PII across multiple systems in your business. Instead of dealing with out-of-date data maps, your business will be able to easily fulfill user requests.
Since CTDPA will go into effect on July 1, 2023, your business still has more time to prepare for compliance. Getting ready for CPRA and CDPA, which goes into effect on January 1, 2023, will give your business a head start. Additionally, since Connecticut’s privacy law is similar to Colorado’s, preparing for CPA will also put your business in good shape for the next year.
It can be a challenge to accommodate so many state laws and their nuances. But, as you can see from this blog series, preparing for one state privacy law can help you get ready for others. Ethyca is here to help your business stay compliant no matter what state your company operates in.
Introducing consent management in Fides 2.0. With the coming state privacy laws in 2023, your business needs to have granular control over users’ data and their consent preferences. Learn more about how Fides can enable this for your business, for free.
Ethyca launched its privacy engineering meetup, P.x, where Fides Slack Community members met and interacted with the Fides developer team. Two of our Senior Software Engineers, Dawn and Steve, gave presentations and demos on the importance of data minimization, and how Fides can make data minimization easier for teams. Here, we’ll recap the three main points of discussion.
We enjoyed two great days of security and privacy talks at this year’s Symposium on Usable Privacy and Security, aka SOUPS Conference! Presenters from all over the world spoke both in-person and virtually on the latest findings in privacy and security research.
At Ethyca, we believe that software engineers are becoming major privacy stakeholders, but do they feel the same way? To answer this question, we went out and asked 337 software engineers what they think about the state of contemporary privacy… and how they would improve it.
The UK’s new Data Reform Bill is set to ease data privacy compliance burdens on businesses to enable convenience and spark innovation in the country. We explain why convenience should not be the end result of a country’s privacy legislation.
Our team at Ethyca attended the PEPR 2022 Conference in Santa Monica live and virtually between June 23rd and 24th. We compiled three main takeaways after listening to so many great presentations about the current state of privacy engineering, and how the field will change in the future.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!Get a Demo