
Connecticut’s Data Privacy and Online Monitoring Act Becomes Effective

by Defy on July 20, 2023

On May 10, 2022, Connecticut adopted the Data Privacy and Online Monitoring Act (CTDPA) to regulate the collection, storage and usage of personal information and create new consumer privacy rights.

Among other things, the CTDPA establishes a framework for controlling and processing personal data; defines responsibilities and privacy protection standards for data controllers and processors; and grants consumers the right to access, correct, delete and obtain a copy of personal data and opt out of the processing of personal data in certain circumstances. The CTDPA becomes effective July 1, 2023. 

Action Steps

Employers that conduct business in Connecticut or produce products or services targeted to Connecticut residents should become familiar with the CTDPA and update their systems, policies and procedures to enable compliance with this law by July 1, 2023.

Affected employers should pay particular attention to consumer notification requirements. Questions or compliance inquiries should be directed to the Connecticut Office of the Attorney General (CTOAG). The CTOAG has already published some guidance and answers to frequently asked questions regarding the CTDPA on its website. Employers can rely on this guidance as the official interpretation of how to comply with the law.

Consumer Rights 

Under the CTDPA, consumers have a right to: 

  • Confirm whether a controller is processing their personal data and access that personal data; 
  • Correct inaccuracies in their personal data; 
  • Delete the personal data they provide or is obtained about them; 
  • Obtain a copy of their processed personal data; and 
  • Opt out of the processing of their personal data for targeted advertising, the sale of personal data or profiling.

Consent

“Consent” means a clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.

Affected Entities 

The CTDPA applies to persons or entities that conduct business in Connecticut or produce products or services that are targeted to Connecticut residents if they did either of the following during the prior calendar year: 

  • Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or 
  • Controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

However, the CTDPA does not apply to any state body, authority, board, bureau, commission, district or agency, nonprofit organization, institution of higher education, national securities association registered under 15 USC 78o-3 of the Securities Exchange Act of 1934, financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, or covered entity or business associate, as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 

Consumer Rights 

The CTDPA defines “consumer” as an individual who is a state resident. This term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.

Under the CTDPA, consumers have a right to: 

  • Confirm whether a controller is processing their personal data and access that personal data unless the confirmation or access would require the controller to reveal a trade secret; 
  • Correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data; 
  • Delete the personal data they provide or that is obtained about them; 
  • Obtain a copy of the personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format that allows consumers to transmit the data to another controller without hindrance (the processing must be carried out by automated means, provided the controller cannot be required to reveal any trade secret); and 
  • Opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning consumers. 

“Profiling” means any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Consumers may designate another person to serve as their authorized agent and act on their behalf to opt out of the processing of their consumer’s personal data. Consumers may designate an authorized agent by way of, among other things, a technology, including but not limited to an internet link or a browser setting, browser extension or global device setting, indicating their intent to opt out of processing. Controllers must comply with an opt-out request received from an authorized agent if they are able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on the consumer’s behalf. 

Protected Data 

The CTDPA protects consumers’ personal data. “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include de-identified data or publicly available information.

The following information and data are exempt from the CTDPA: 

  • Protected health information under HIPAA; 
  • Patient-identifying information; 
  • Identifiable private information for purposes of the federal policy for the protection of human subjects; 
  • Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use; 
  • Personal data used or shared in research that is conducted in accordance with the CTDPA’s standards or other research conducted in accordance with applicable law; 
  • Information and documents created for purposes of the Health Care Quality Improvement Act of 1986; 
  • Patient safety work product for purposes of the Patient Safety and Quality Improvement Act; 
  • Information derived from any of the health care-related information listed in the CTDPA that is de-identified in accordance with the requirements for de-identification under HIPAA; 
  • Information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under the CTDPA that is maintained by a covered entity or business associate, program or qualified service organization; 
  • Information used for public health activities and purposes as authorized by HIPAA, community health activities and population health activities;
  • The collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency, furnisher or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act; 
  • Personal data collected, processed, sold or disclosed in compliance with the Driver’s Privacy Protection Act of 1994; 
  • Personal data regulated by the Family Educational Rights and Privacy Act; 
  • Personal data collected, processed, sold or disclosed in compliance with the Farm Credit Act; 
  • Data processed or maintained: 
      • In the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor or third party to the extent that the data is collected and used within the context of that role; 
      • As the emergency contact information of an individual under sections of the CTDPA used for emergency contact purposes; or 
      • That is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information under the CTDPA and used for the purposes of administering benefits; and 
  • Personal data collected, processed, sold or disclosed in relation to price, route or service, as such terms are used in the Airline Deregulation Act, 49 USC 40101 et seq. by an air carrier subject to said act, to the extent provisions of the CTDPA are preempted by the Airline Deregulation Act. 

“Publicly available information” means information that is lawfully made available through federal, state or municipal government records or widely distributed media. A controller must have a reasonable basis to believe a consumer has lawfully made information available to the general public. 

“De-identified data” means data that cannot reasonably be used to infer information about or otherwise be linked to an identified or identifiable individual, or a device linked to the individual, if the controller that possesses this data (A) takes reasonable measures to ensure that the data cannot be associated with an individual, (B) publicly commits to process the data only in a de-identified fashion and not attempt to re-identify the data, and (C) contractually obligates any recipients of such data to satisfy the criteria set forth in provisions (A) and (B). 

“Protected health information” has the same meaning as provided in HIPAA. 

Controller Obligations 

The CTDPA defines “controller” as an individual who or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data. Under the CTDPA, controllers must:

  • Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to consumers; 
  • Not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed, as disclosed to consumers, unless the controller obtains consumer consent; 
  • Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue; 
  • Not process sensitive data concerning a consumer without obtaining consumer consent or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with the federal Children’s Online Privacy Protection Act of 1998 (COPPA); 
  • Not process personal data in violation of federal or state laws that prohibit unlawful discrimination against consumers; 
  • Provide an effective mechanism for consumers to revoke their consent (the mechanism must be at least as easy as the mechanism by which the consumer provided their consent). Upon revocation of consent, controllers must cease to process the data as soon as practicable but not later than 15 days after receiving the request; and 
  • Not process the personal data of consumers for purposes of targeted advertising or sell their personal data without consent when controllers have actual knowledge and willfully disregard that consumers are between 13 and 16 years of age. 

Consent 

“Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer. Consent may include a written statement, including by electronic means, or any other unambiguous, affirmative action.

Consent does not include (A) acceptance of general or broad terms of use or similar document that contains descriptions of personal data processing along with other unrelated information, (B) hovering over, muting, pausing or closing a given piece of content, or (C) agreement obtained through the use of dark patterns. “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, and includes but is not limited to any practice the Federal Trade Commission refers to as a “dark pattern.”

“Sensitive data” means personal data that includes (A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (C) personal data collected from a known child or (D) precise geolocation data.

Consumer Retaliation 

Controllers cannot discriminate against consumers for exercising any of their rights. Consumer discrimination includes denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services.

However, the CTDPA should not be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or prohibit a controller from offering a different price, rate, level, quality or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.

Responding to Consumer Requests 

Controllers must comply with consumer requests to exercise their rights under the CTDPA without undue delay, but not later than 45 days after receipt of the request. Controllers may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer’s requests, if they inform consumers of the extension (and the reasons) within the initial 45-day response period. 

Controllers that decline to take action regarding consumer requests must inform consumers without undue delay, but not later than 45 days after receiving the request, of the justification for declining to take action and instructions for how to appeal the decision. 

Controllers must provide information in response to a consumer request free of charge, once per consumer, during any 12-month period. If requests from a consumer are manifestly unfounded, excessive or repetitive, controllers may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. Controllers bear the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request.

If a controller is unable to authenticate a request to exercise any of the rights afforded under the CTDPA using commercially reasonable efforts, the controller will not be required to comply with a request to initiate an action and must provide notice to the consumer that the controller is unable to authenticate the request until the consumer provides additional information reasonably necessary to authenticate the consumer and their request. 

A controller shall not be required to authenticate an opt-out request but may deny it if the controller has a good faith, reasonable and documented belief that the request is fraudulent. In these cases, the controller must send a notice to the person who made the request disclosing that the controller believes the request is fraudulent, why the controller believes the request is fraudulent and that the controller will not comply with the request. 

A controller that has obtained personal data about a consumer from a source other than the consumer will be deemed in compliance with a consumer’s request to delete such data by: 

  • Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the controller’s records and not using this retained data for any other purpose; or 
  • Opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of sections 1 to 11, inclusive, of the CTDPA. 

Finally, controllers must establish a process for consumers to appeal refusals to take action on a request within a reasonable period of time. The appeal process must be conspicuously available and similar to the process for submitting requests to initiate action. Controllers must inform the consumer in writing of any action taken or not taken in response to an appeal within 60 days. If the appeal is denied, controllers must also provide consumers with an online mechanism, if available, or another method through which consumers may contact the state attorney general to submit a complaint.

Data Protection Assessments

Controllers must conduct and document a data protection assessment for each of their processing activities that presents a heightened risk of harm to consumers. For the purposes of this section, processing that presents a heightened risk of harm to a consumer includes: 

  • The processing of personal data for the purposes of targeted advertising; 
  • The sale of personal data; 
  • The processing of personal data for the purposes of profiling, where profiling presents a reasonably foreseeable risk of (A) unfair or deceptive treatment of, or unlawful disparate impact on, consumers, (B) financial, physical or reputational injury to consumers, (C) a physical or another intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person, or (D) other substantial injury to consumers; and 
  • The processing of sensitive data. 

Data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the risks. Controllers must factor into this data protection assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed. 

The state’s attorney general may require controllers to disclose any data protection assessment that is relevant to an investigation. 

A single data protection assessment may address a comparable set of processing operations that includes similar activities. Data protection assessments conducted for the purpose of complying with another applicable law or regulation will be deemed to satisfy these requirements if these assessments are reasonably similar in scope and effect to the ones required by the CTDPA. Data protection assessment requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive.

Possession of De-identified Data 

Controllers in possession of de-identified data must take reasonable measures to ensure that the data cannot be associated with an individual. Controllers must also publicly commit to maintaining and using de-identified data without attempting to re-identify the data and contractually obligate any recipients of the de-identified data to comply with all provisions of the CTDPA. 

The CTDPA should not be construed to: 

  • Require a controller or processor to maintain data in an identifiable form or collect, obtain, retain or access any data or technology in order to be capable of associating an authenticated consumer request with personal data; 
  • Require a controller or processor to re-identify de-identified data or pseudonymous data; or 
  • Require a controller or processor to comply with an authenticated consumer rights request if the controller: 
      • Is not reasonably capable of associating the request with the personal data or if it would be unreasonably burdensome for the controller to associate the request with the personal data; 
      • Does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and 
      • Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. 

These requirements do not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. “Pseudonymous data” means personal data that cannot be attributed to a specific individual without the use of additional information, provided the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

However, a controller that discloses pseudonymous data or de-identified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.

Privacy Notice

Controllers must provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes: 

  • The categories of personal data processed by the controller; 
  • The purpose for processing personal data; 
  • The ways consumers may exercise their consumer rights, including how to appeal a decision with regard to consumer requests; 
  • The categories of personal data that the controller shares with third parties, if any; 
  • The categories of third parties, if any, with which the controller shares personal data; and 
  • An active electronic mail address or another online mechanism that consumers may use to contact the controller. 

Processor Obligations 

A processor is an individual who or a legal entity that processes personal data on behalf of a controller. Processors must adhere to the instructions of their controller and must assist their controller in meeting the controller’s obligations under the act. 

Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. Processors will be reclassified as controllers if they: 

  • Are not limited by controller instructions in their processing of personal data; 
  • Fail to adhere to controller instructions; or 
  • Begin to determine the purposes and means of the processing of personal data either alone or jointly with others. 

Get a free insurance quote from Defy Insurance: https://zurl.co/FsxS
