Connecticut Becomes Fifth State to Enact a Comprehensive Data Privacy Law
On May 10, 2022, Connecticut, following Utah, California, Virginia, and Colorado, became the fifth state to adopt a comprehensive consumer data privacy law.
On May 10, 2022, Connecticut Governor Ned Lamont signed "An Act Concerning Personal Data Privacy and Online Monitoring," also known as the Connecticut Data Privacy Act ("CTDPA"), making Connecticut the fifth state to enact a comprehensive data privacy law. The CTDPA will take effect on July 1, 2023.
The CTDPA will apply to entities that: (i) conduct business or target consumers in Connecticut; (ii) generate $25 million or more in annual revenue; and (iii) either process or control: (a) the personal data of at least 100,000 Connecticut consumers, or (b) the personal data of at least 25,000 Connecticut consumers and derive at least 25% of their gross revenue from selling personal data. The CTDPA does not apply to individuals acting in a commercial or employment context.
Under the CTDPA, controllers have obligations to, among other things:
- Obtain consumer consent before processing consumers' sensitive data, including biometric and geolocation data;
- Provide consumers with a right to opt out of the use or processing of their personal data for purposes of: (i) targeted advertising; (ii) the sale of their personal data; and (iii) profiling in furtherance of solely automated decisions with effects concerning the consumer;
- Comply with requests from consumers to exercise their rights to access, correct, obtain a copy of, confirm whether a controller processes, or delete their personal data; and
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
Additional consumer-friendly provisions in the CTDPA are similar to those under California's laws. Notably, the CTDPA incorporates a broad definition of the "sale of personal data," including the exchange of personal data for both monetary value and "other valuable consideration." The CTDPA also does not require that opt-out requests be authenticated.
The CTDPA does not create a private right of action, and it grants exclusive enforcement authority to the Attorney General. If businesses do not cure violations within 60 days of the Attorney General's notice, the Attorney General can collect statutory damages up to $5,000 per violation, plus actual and punitive damages, and attorneys' fees and costs.