Mystic Privacy: Connecticut's New Law Makes it Clearer
Connecticut’s new privacy law, an Act Concerning Personal Data Privacy and Online Monitoring, also known as the Connecticut Data Privacy Act (“CTDPA”), generally continues the pattern of non-California states enacting comprehensive privacy laws of evolving rights and obligations without a private right of action, but some of the differences are interesting. Like the Colorado Privacy Act, the CTDPA will go into effect on July 1, 2023.
1. Not How Big You Are, But What You Do with Data
While California and Utah use revenue numbers to bring in all large entities or exclude small businesses, the CTDPA covers individuals and entities of any size that conduct business in Connecticut, or produce products or services that are targeted to Connecticut residents, as long as in the preceding calendar year they either:
Virginia and Colorado’s privacy laws similarly lack revenue targets, although the states differ slightly in terms of revenue thresholds derived from data sales. In addition to excluding pure payment processing, the CTDPA excludes state and local government entities, nonprofits, higher education institutions, financial institutions subject to the GLBA and covered entities and business associates subject to HIPAA.
2. Lots of Rights and Wrongs, But No Rules
The CTDPA gives many rights to consumers and imposes many requirements on controllers, but it is unusual as it does not contemplate Connecticut’s Attorney General issuing rules and (unlike Colorado) may anticipate that no rules will be issued. Might somebody be tired out by California?
Consumers (which as in other states except (soon) California, excludes employees and B2B contacts) have rights to:
Data controllers will be required to:
Note that “sensitive data” includes personal data knowingly collected from children under 13 years old. Connecticut appears to have focused on increased protections for children’s data, a trend also reemerging at the federal level. Companies should anticipate possible enforcement in this area at both the state and federal levels.
The CTDPA offers the right to cure violations that we love in California, but as in Colorado and under California’s CPRA, it sunsets, in Connecticut’s case on December 31, 2024.
We end with a warning to FTC commissioners and staffers to be sure to make appropriate disclaimers in fabric stores and at parties, lest you inadvertently make drapery illegal in Connecticut, where “dark pattern” now includes anything the FTC “refers to” as such.
Amanda M. Witt
John M. Brigagliano
Jennie L. Cunningham
New York, NY
Alexander J. Borovsky