Everything You Need to Know About the Connecticut Data Privacy Act

Proactive management of data privacy compliance to handle challenging CTDPA requirements

What is CTDPA?

The CTDPA applies to any individual or business that conducts business in Connecticut or produces products or services targeted to Connecticut residents. This includes in-state and out-of-state businesses, as well as government agencies, that during the prior calendar year controlled or processed personal data and met one of the following conditions:
  1. The business collects personal information from 100,000 or more Connecticut consumers
  2. The business derives 25% or more of its annual revenue from selling personal information and collects personal information from 25,000 or more consumers
Businesses that fail to comply with the CTDPA can face significant penalties. These penalties include fines, legal fees, and reputational damage. Additionally, individuals affected by a data breach can bring a private right of action against the business for damages.

Cookie Consent under CTDPA

When it comes to cookie consent, the act requires businesses to obtain informed consent from users before using certain types of cookies and other tracking technologies that collect and store personal information. To comply, businesses may need to implement a cookie consent solution that:
  1. Displays a clear and conspicuous notice to users about the use of cookies and tracking technologies on the site.
  2. Provides users with information about the types of cookies and tracking technologies used, as well as their purposes.
  3. Allows users to make an informed choice about whether to accept or reject the use of cookies and tracking technologies.
  4. Provides an easy-to-use mechanism for users to manage their cookie and tracking preferences, such as a cookie consent banner or pop-up.
  5. Includes a clear and conspicuous link to the website’s “Do Not Sell My Personal Information” page, where users can exercise their opt-out rights.
  6. Keeps records of user consents and maintains the security of personal information collected through cookies and tracking technologies.
It’s important for businesses operating in Connecticut to review and implement a cookie consent solution that is compliant with the law and gives users control over their privacy preferences.

Consumer Rights under the CTDPA

Right to Know

Right to Access Personal Information

Right to Request Deletion of Personal Information

Right to Correct Inaccuracies

Right to Opt Out of Sale of Personal Information

Right to Non-Discrimination

Best Practices: How to Comply

Below are a few tips to get going:

Establish and update your privacy policy

Review legal basis for processing personal data

Document all data that is collected/processed

Map personal information to each internal database

Appoint a person, team, or Data Protection Officer who can own data privacy best practices and respond to incoming Data Subject Access Requests (DSARs)

Meet proper deadlines

Audit/create reports showing your data landscape, purpose, and DSARs completed to date.

Understand all exemptions under CTDPA

Distinguish between data definitions, as they differ between state laws

What are the fines and penalties for non-compliance?

Non-Compliance Civil Penalty
Maximum $5,000 per offense

How does Connecticut’s DPA compare to California CPRA?

  • The business generates over 50% of its annual revenue from selling personal information.
  • The business collects personal information from 50,000 or more Utah residents.
  • The business derives 50% or more of its annual revenue from selling personal information and the business collects personal information from 10,000 or more Utah residents.
CTDPA vs. CPRA

Rights
CTDPA:
  • The right to know what personal information is sold or shared and to whom
  • The right to access personal information and to receive a copy of that information.
  • The right to request that personal information be deleted, subject to certain exceptions.
  • The right to opt-out of the sale.
  • The right to not be discriminated against for exercising their rights
  • The right to correct inaccurate information
CPRA:
  • The right to know what personal information is sold or shared and to whom
  • The right to delete personal data and the personal data collected from third parties
  • The right to opt-out of sale or sharing of personal information
  • The right to non-discrimination
  • The right to correct inaccurate information
  • The right to limit the use and disclosure of sensitive personal information
  • The right to opt-out of automated decision-making technology

Who Must Comply: Organizations that conduct business or produce commercial products or services that are intentionally targeted to residents and that either:
CTDPA:
  • The business collects personal information from 100,000 or more Connecticut consumers
  • The business derives 25% or more of its annual revenue from selling personal information and collects personal information from 25,000 or more consumers
CPRA:
  • Gross Revenue >$25 million
  • Buy, receive, sell, or share the personal information of more than 100,000 consumers, households, or devices for commercial purposes
  • Derive 50 percent or more of its annual revenues from selling or sharing consumers’ personal information

Fines
CTDPA: The maximum fine for a violation under the UCPA is $2,500.
CPRA:
  • Unintentional Non-Compliance Civil Penalty: Maximum $2,500 per offense
  • Intentional Non-Compliance Civil Penalty: Maximum $7,500 per offense
  • Consumers can file private lawsuits for between $100 to $750 damages or for actual damages

Links
CTDPA: -
CPRA: Websites must have “Do not sell my personal information” link and “Limit the use of my personal information” link

Enforcement
CTDPA: The Connecticut Attorney General
CPRA: CA Attorney General + California Privacy Protection Agency

Minors
CTDPA: -
CPRA: Organizations must notify minors under 16 years of age if they intend to sell or share their personal data

Cure Period (Fines)
CTDPA: 60 Day Cure Period
CPRA: No Cure period (CCPA has a 30 Day Cure Period)

Minor Fines
CTDPA: -
CPRA: Automatic $7,500 fine per violation involving the personal information of minors

Frequently Asked Questions

The Connecticut Data Privacy Act (CTDPA) was enacted on May 21, 2018 and became effective on October 1, 2018. This legislation was enacted in response to growing concerns about the collection, use, and disclosure of personal information by businesses and aimed to provide residents of Connecticut with greater control over their personal information.

The CTDPA established new rights for residents of Connecticut with respect to their personal information and imposed new obligations on businesses in terms of how they collect, use, and disclose personal information. The CTDPA also provided for enforcement by the Connecticut Attorney General and established civil penalties and damages for violations of the act.

The CTDPA applies to businesses that collect, process, or maintain personal information of Utah residents and that meet one of the following criteria:
  • The business collects personal information from 100,000 or more Connecticut consumers
  • The business derives 25% or more of its annual revenue from selling personal information and collects personal information from 25,000 or more consumers
Under the Connecticut Data Privacy Act (CTDPA), residents of the state of Connecticut have several rights with respect to their personal information:
Right to Know: Connecticut residents have the right to know what personal information is being collected about them, the source of that information, and the purposes for which it is being used.
Right to Access: Connecticut residents have the right to access their personal information held by a business and to receive a copy of that information.
Right to Correction: Connecticut residents have the right to request correction of any inaccuracies in their personal information held by a business.
Right to Deletion: Connecticut residents have the right to request that their personal information be deleted by a business, subject to certain exceptions.
Right to Opt-Out: Connecticut residents have the right to opt-out of the sale of their personal information by a business.
Right to Non-Discrimination: Connecticut residents have the right to not be discriminated against by a business for exercising their rights under the CTDPA.
These rights give Connecticut residents control over their personal information and help to ensure that their privacy is protected. Businesses must comply with these rights and provide consumers with a means to exercise them.

CYTRIO is helping organizations meet the burden of the Connecticut Data Privacy Act (CTDPA) with an easy-to-use All-in-One Data Privacy Compliance Platform. With CYTRIO, organizations can eliminate 80%+ of manual tasks, resulting in significant time and cost savings, improved SLAs, and minimized risk of regulatory fines, all while building consumer trust.
With CYTRIO, organizations can operationalize and automate consent and privacy rights management, to meet a complex set of CTDPA compliance requirements through the All-in-One Data Privacy Compliance Platform featuring Cookie Consent Manager, Cookie Banner Generator, Cookie Scanner, DSAR Manager, DSAR Response Automation, Data Discovery, Data Mapping and Records of Processing Activity (ROPA) and Data Protection Impact Assessments (DPIA).

The Connecticut Attorney General

Any individual who has a permanent address in Connecticut

Customers of household goods and services, employees, and those who make business-to-business transactions

Consumers may only make information requests twice a year and only for a 12-month look-back

Yes, if you have a customer/client who resides in Connecticut, you must comply

An individual whose data is collected and processed

An organization that collects data from one or more sources, provides some value-added processing, and repackages the result in a usable form

The process of matching fields from one database to another

A person who determines the purposes and means of the processing of personal data

A third-party who processes personal data on behalf of the controller

A business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship
