Connecticut Data Privacy Act (CTDPA)

What is Connecticut Data Privacy Law

Gov. Ned Lamont, D-Conn., signed the Connecticut Data Privacy Act into law on May 10, 2022, making Connecticut the 5th state after California, Virginia, Colorado and Utah to enact a comprehensive consumer privacy act. The law will be in effect from July 1, 2023. The CTDPA (Connecticut data privacy law) draws heavily on Colorado’s CPA and Virginia’s CDPA. Many of its provisions are similar to or fall between the CPA and CDPA, but a few notable distinctions need attention.

Who must comply with Connecticut Data Privacy Act?

The law applies to entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and that, during the preceding calendar year, either:

  • Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions.
  • Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data.

Who enforces Connecticut Data Privacy Act (CTDPA)?

The CTDPA (Connecticut Data Protection Act) does not provide a private right of action, following the approach of other US data privacy laws. It offers controllers a 60-day cure period. If the controller fails to cure the violation within 60 days of receiving notice, the attorney general may bring an action. Entities may face civil penalties of up to $5,000 per willful violation.

Know the difference between Virginia’s CDPA, CCPA and CPRA?

Download this whitepaper to learn about the key differences between the provisions of Virginia’s new privacy law, the CDPA, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It provides an overview of each law’s requirements, highlighting their similarities and differences. Although all the active privacy laws share some similarities, the framework and definitions of the CDPA carry their own unique requirements and guidance.


Consumer Rights under Connecticut Data Privacy Act (CTDPA)

  1. Right to Access
    A consumer has the right to know whether a controller is processing the consumer’s personal data and access that data.
  2. Right to Correct
    It is the consumer’s right to correct any inaccuracies in the consumer’s personal data, considering the nature of that data and its purpose of processing.
  3. Right to Deletion
    A consumer has the right to ask for the deletion of their personal data that the consumer provided to the controller.
  4. Right to Data Portability
    A consumer has the right to obtain a copy of the personal data that the consumer previously provided to the controller, in a format that is portable, readily usable and allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.
  5. Right to Opt-Out
    A consumer has the right to opt out of the processing of the consumer’s personal data for the purpose of targeted advertising, the sale of personal data or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Obligations of Controllers

Under the Connecticut Data Privacy Act (CTDPA), controllers must follow strict rules to protect people’s information and make sure they’re following the law.

  1. Data Minimization
    Controllers must collect only the personal data that is adequate, relevant, and reasonably necessary for the purposes for which the data is processed, as disclosed to the consumer.
  2. Purpose Specification
    Controllers should not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.
  3. Transparency
    A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

    • The categories and purpose of personal data processed by the controller;
    • How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision about the consumer’s request;
    • The categories of personal data that the controller shares with third parties, if any;
    • The categories of third parties, if any, with which the controller shares personal data; and
    • An active electronic mail address that the consumer may use to contact the controller.
  4. Security
    The controller must establish, implement, maintain and update reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity and accessibility of personal data, as appropriate to the volume and nature of the personal data at issue.
  5. Opt-in Consent
    Controllers should not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the Children’s Online Privacy Protection Act. Additionally, controllers are required to “provide an effective mechanism” for consumers to revoke consent that is at least as easy as the mechanism used to provide it.
  6. Non-Discrimination
    A controller may not discriminate against a consumer for exercising a right by denying a good or service to the consumer or charging the consumer a different price.
  7. Data protection assessments
    Controllers are required to perform and document Data Protection Impact Assessments for each processing activity “that presents a heightened risk of harm” to consumers.

How Mandatly helps you achieve Connecticut's CTDPA compliance

Mandatly’s CTDPA compliance solution goes above and beyond automation and includes comprehensive privacy risk management features that enable you to make effective business decisions and eliminate privacy risks.

  • Consumer Rights: End-to-end DSAR fulfillment solution with automated identity verification and data discovery to fulfill the consumer request timely, securely, and efficiently.
  • Data Inventory and Mapping: Maintain your data sources and map data flows to meet the CTDPA "Lookback" requirements.
  • Privacy Assessments: Bundled with intelligence to uncover and assess privacy risks that your business can be exposed to.
  • Privacy Notices: Generate privacy notices for your website or applications to keep your customers informed about how their Personal Information is collected, processed, and shared.
  • Do not sell my information: Enables customers to opt-out of the cookie based and non-cookie based sale of personal information.
  • Analytics: Reporting features are built into the system to get a holistic view of the compliance program for different stakeholders.
