Connecticut Data Privacy Law Signed | Compliance point

The Connecticut Data Privacy Act (CTDPA) was signed by Governor Ned Lamont on Tuesday, May 10, 2022. Below is a brief description of what is now Connecticut’s fifth comprehensive data privacy law. state in the United States.

When does the law come into effect?

The CTDPA comes into force on July 1, 2023.

Who does the CTDPA apply to?

The new law applies to companies that conduct business in the state of Connecticut or produce a product or service for residents of Connecticut and that, during the preceding calendar year:

  • Controlled or processed the personal data of at least 100,000 consumers (this does not include personal data controlled or processed solely for the purpose of completing a payment transaction), or;
  • Has monitored or processed the personal data of no less than 25,000 consumers and derived more than 25% of its gross revenue from the sale of personal data.

What are the penalties and who applies them?

Connecticut law grants the Attorney General sole enforcement authority. There is no private right of action.

A 60-day healing right is available until December 31st2024.

Violations of Connecticut data privacy law are enforceable under the Connecticut Unfair Trade Practices Act. Civil penalties may be imposed as follows:

Maximum fine for willful violation: $5,000.

Maximum fine for breach of restraining order or injunction: $25,000

What are the requirements?

Connecticut privacy law provides consumer access rights, including:

  • The consumer has the right to confirm whether a controller is processing the consumer’s personal data and to access the personal data
  • The consumer has the right to obtain a copy of the personal data he has previously provided to the controller;
  • The right to delete the personal data that the consumer has provided to the controller
  • The right to object to the processing of personal data for targeted advertising or the sale of personal data and profiling resulting from solely automated decisions.
  • The right to update or correct inaccuracies

These requests must be honored within 45 days, with a 45-day extension available depending on the complexity and volume of requests. If an extension is exercised, the controller must inform the consumer of the extension, the duration of the extension and the reason for the extension.

Additionally, a controller must inform the consumer if they decide not to honor the request and the reasons why they are not taking action. The controller should also include instructions on how to appeal the decision.

The controller is not authorized to charge any fees for the information contained in the request, unless the request is the consumer’s second or subsequent request within the same 12-month period. Connecticut Privacy Law further outlines instances in which a controller may be able to charge a reasonable fee.

A consumer may also appoint an authorized agent to act on their behalf. A controller must comply with a takedown request received from an authorized agent if the controller is able to verify the identity of the consumer and the authority of the authorized agent to act on the consumer’s behalf.

There are also obligations specific to the subcontractor, in particular:

  • Respect the controller’s instructions; and
  • Implement appropriate security controls; and
  • Assist the data controller in fulfilling his obligations

A binding contract must be in place between a controller and a processor which includes instructions for the processing of data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing and the rights and obligations of both parties.

Additional obligations

Given the size, scope and type of controller’s business, a controller should employ data security practices appropriate to the volume and nature of the personal data involved.

Controllers are required to ensure that they operate under common privacy principles:

  • Lens limitation
  • Data minimization
  • Consent for secondary use; and,
  • Non-discrimination against a consumer exercising his rights.

Controllers are also required to make disclosures to consumers regarding, but not limited to:

  • The categories of personal data processed;
  • The purposes for which the personal data is processed;
  • How to exercise your rights;
  • The categories of personal data that the controller shares with third parties, if any;
  • The categories of third parties, if any, with which the controller shares personal data;
  • An email address or other online mechanism that the consumer can use to contact the controller; and,
  • A description of one or more secure and reliable means for consumers to submit requests to exercise their rights.

In addition, data controllers are prohibited from processing sensitive data collected from the consumer without obtaining the consent of the consumer. The mechanism used by consumers to revoke their consent must be at least as simple as the mechanism by which the consumer gave their consent.

Controllers must perform and document a data protection assessment for each of the controller’s processing activities that pose an increased risk of harm to a consumer. Processing that poses an increased risk of harm to a consumer includes:

  • The processing of personal data for the purpose of targeted advertising
  • The sale of personal data
  • The processing of personal data for profiling purposes, when this profiling presents a reasonably foreseeable risk for the consumer
  • The processing of sensitive data

Data protection assessments conducted by a controller in accordance with another regulation may be used to satisfy this requirement if the assessment is reasonably similar in scope and effect.


Connecticut data privacy law does not apply:

  • Non-profit
  • Financial Institutions and GLBA Data, and Registered National Securities Associations
  • Higher education institutions and FERPA data
  • Entities and business associates covered by HIPAA
  • Any agency or political subdivision of the state
  • Some FCRA data
  • Data subject to the Farm Credit Act
  • Data retained for employment records purposes
  • Data used by air carriers under the Airline Deregulation Act
  • Data subject to the Driver Privacy Act
  • Compliance with COPPA Parental Consent Requirements

As you can see, there is both a data and entity specific exemption for entities covered by the GLBA which differs from the CCPA.

Comments are closed.