by
on July 20, 2023
On May 10, 2022, Connecticut adopted the Data Privacy and Online Monitoring Act (CTDPA) to regulate the collection, storage and usage of personal information and create new consumer privacy rights.
Among other things, the CTDPA establishes a framework for controlling and processing personal data; defines responsibilities and privacy protection standards for data controllers and processors; and grants consumers the right to access, correct, delete and obtain a copy of personal data and opt out of the processing of personal data in certain circumstances. The CTDPA becomes effective July 1, 2023.
Employers that conduct business in Connecticut or produce products or services targeted to Connecticut residents should become familiar with the CTDPA and update their systems, policies and procedures to enable compliance with this law by July 1, 2023.
Affected employers should pay particular attention to consumer notification requirements. Questions or compliance inquiries should be directed to the Connecticut Office of the Attorney General (CTOAG). The CTOAG has already published some guidance and answers to frequently asked questions regarding the CTDPA on its website. Employers can rely on this guidance as the official interpretation of how to comply with the law.
The CTDPA applies to persons or entities that conduct business in Connecticut or produce products or services that are targeted to Connecticut residents if they did either of the following during the prior calendar year:
However, the CTDPA does not apply to any state body, authority, board, bureau, commission, district or agency, nonprofit organization, institution of higher education, national securities association registered under 15 USC 78o-3 of the Securities Exchange Act of 1934, financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, or covered entity or business associate, as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The CTDPA defines “consumer” as an individual who is a state resident. This term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.
Under the CTDPA, consumers have a right to:
“Profiling” means any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Consumers may designate another person to serve as their authorized agent and act on their behalf to opt out of the processing of the consumer’s personal data. Consumers may designate an authorized agent by way of, among other things, a technology, including but not limited to an internet link or a browser setting, browser extension or global device setting, indicating their intent to opt out of processing. Controllers must comply with an opt-out request received from an authorized agent if they are able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on the consumer’s behalf.
The CTDPA protects consumers’ personal data. “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include de-identified data or publicly available information.
The following information and data are exempt from the CTDPA:
“Publicly available information” means information that is lawfully made available through federal, state or municipal government records or widely distributed media. A controller must have a reasonable basis to believe a consumer has lawfully made information available to the general public.
“De-identified data” means data that cannot reasonably be used to infer information about or otherwise be linked to an identified or identifiable individual, or a device linked to the individual, if the controller that possesses this data (A) takes reasonable measures to ensure that the data cannot be associated with an individual, (B) publicly commits to process the data only in a de-identified fashion and not attempt to re-identify the data, and (C) contractually obligates any recipients of such data to satisfy the criteria set forth in provisions (A) and (B).
“Protected health information” has the same meaning as provided in HIPAA.
The CTDPA defines “controller” as an individual who or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data. Under the CTDPA, controllers must:
“Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer. Consent may include a written statement, including by electronic means, or any other unambiguous, affirmative action.
Consent does not include (A) acceptance of general or broad terms of use or similar document that contains descriptions of personal data processing along with other unrelated information, (B) hovering over, muting, pausing or closing a given piece of content, or (C) agreement obtained through the use of dark patterns. “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, and includes but is not limited to any practice the Federal Trade Commission refers to as a “dark pattern.”
“Sensitive data” means personal data that includes (A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (C) personal data collected from a known child or (D) precise geolocation data.
Controllers cannot discriminate against consumers for exercising any of their rights. Consumer discrimination includes denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services.
However, the CTDPA should not be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or prohibit a controller from offering a different price, rate, level, quality or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.
Controllers must comply with consumer requests to exercise their rights under the CTDPA without undue delay, but not later than 45 days after receipt of the request. Controllers may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer’s requests, if they inform consumers of the extension (and the reasons) within the initial 45-day response period.
Controllers that decline to take action regarding consumer requests must inform consumers without undue delay, but not later than 45 days after receiving the request, of the justification for declining to take action and instructions for how to appeal the decision.
Controllers must provide information in response to a consumer request free of charge, once per consumer, during any 12-month period. If requests from a consumer are manifestly unfounded, excessive or repetitive, controllers may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. Controllers bear the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request.
If a controller is unable to authenticate a request to exercise any of the rights afforded under the CTDPA using commercially reasonable efforts, the controller is not required to comply with the request to initiate an action. The controller must notify the consumer that it is unable to authenticate the request until the consumer provides additional information reasonably necessary to authenticate the consumer and the request.
A controller shall not be required to authenticate an opt-out request but may deny it if the controller has a good faith, reasonable and documented belief that the request is fraudulent. In these cases, the controller must send a notice to the person who made the request disclosing that the controller believes the request is fraudulent, why the controller believes the request is fraudulent and that the controller will not comply with the request.
A controller that has obtained personal data about a consumer from a source other than the consumer will be deemed in compliance with a consumer’s request to delete such data by:
Finally, controllers must establish a process for consumers to appeal refusals to take action on a request within a reasonable period of time. The appeal process must be conspicuously available and similar to the process for submitting requests to initiate action. Controllers must inform the consumer in writing of any action taken or not taken in response to an appeal within 60 days. If the appeal is denied, controllers must also provide consumers with an online mechanism, if available, or another method through which consumers may contact the state attorney general to submit a complaint.
Controllers must conduct and document a data protection assessment for each of their processing activities that presents a heightened risk of harm to consumers. For the purposes of this section, processing that presents a heightened risk of harm to a consumer includes:
Data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the risks. Controllers must factor into this data protection assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.
The state’s attorney general may require controllers to disclose any data protection assessment that is relevant to an investigation.
A single data protection assessment may address a comparable set of processing operations that includes similar activities. Data protection assessments conducted for the purpose of complying with another applicable law or regulation will be deemed to satisfy these requirements if these assessments are reasonably similar in scope and effect to the ones required by the CTDPA. Data protection assessment requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive.
Controllers in possession of de-identified data must take reasonable measures to ensure that the data cannot be associated with an individual. Controllers must also publicly commit to maintaining and using de-identified data without attempting to re-identify the data and contractually obligate any recipients of the de-identified data to comply with all provisions of the CTDPA.
The CTDPA should not be construed to:
These requirements do not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. “Pseudonymous data” means personal data that cannot be attributed to a specific individual without the use of additional information, provided the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
However, a controller that discloses pseudonymous data or de-identified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
Controllers must provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes:
A processor is an individual who or a legal entity that processes personal data on behalf of a controller. Processors must adhere to the instructions of their controller and must assist their controller in meeting the controller’s obligations under the act.
Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. Processors will be reclassified as controllers if they:
Copyright © 2025 Defy Insurance