Connecticut's Data Privacy Law

The new Connecticut data privacy law, inconveniently titled “An Act Concerning Personal Data Privacy and Online Monitoring” (hereinafter referred to as “CPDPA”), was signed into law on Tuesday, May 10, 2022 and will have an effective date of July 1, 2023. The CPDPA is moderately similar to both the Colorado Privacy Act (the “CPA”) and the Virginia Consumer Data Privacy Act (“VCDPA”), with only a few minor differences.

The CPDPA applies to businesses that conduct business in the state of Connecticut or produce products or services targeted to residents of Connecticut and that, during the prior calendar year, controlled or processed the personal data of:

  • at least 100,000 consumers or
  • not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

Note this requirement is different from both the CPA and VCDPA—where the CPA has no percent of gross revenue requirement, and the VCDPA requires more than 50% of gross revenue to be derived from the sale of personal data.

Similar to the CPA and VCDPA, the CPDPA grants to consumers six identical rights (the right to confirm, access, correct, delete, obtain a copy, and opt-out of the processing of personal data for the purpose of targeted advertising, the sale of consumer data, and profiling), and prohibits the processing of sensitive data without affirmative consumer consent.

Like all prior state data privacy laws, consumers have the ability to exercise their rights under the CPDPA by submitting a consumer request to businesses. This process is largely similar to that of Virginia and Colorado, including the right to appeal a business’s denial of such request. However, the CPDPA does not allow a business to extend an appeal deadline, unlike both the VCDPA and the CPA.

Similar to the CPA, the CPDPA requires businesses to adopt a technical opt-out mechanism. However, while the CPA delegated authority to the Colorado Attorney General to promulgate relevant rules regarding the technical specifications, the CPDPA outlines such requirements. No later than January 1, 2025, the business must allow a consumer to opt out of any processing of the consumer’s personal data through an opt-out preference signal sent by a platform, technology, or other mechanism to the controller. Such signal must be sent with the consumer’s consent, and must indicate the consumer’s intent to opt out of any such processing or sale. The CPDPA provides specific requirements for the platform, such as not making use of a default setting and being as consistent as possible with any other similar platform required by any federal or state law.

Notably, a business may deny a consumer opt-out request under certain circumstances. While most state data privacy laws grant a similar right to businesses concerning consumer requests, Connecticut is the only state to grant such right concerning opt-out requests.

The CPDPA also outlines additional requirements for businesses that process personal data. Such requirements are a mixture of those provided under the CPA and VCDPA, including the requirement that businesses clearly and conspicuously disclose whether they sell personal data or process it for the purpose of targeted advertising and provide the manner by which consumers may opt out of such use of their personal data, and the requirement that businesses provide consumers with a reasonably accessible, clear, and meaningful privacy policy.

As with the CPA and VCDPA, data protection assessments are required in certain circumstances, and there must be a binding contract between a controller and processor to govern any data processing.

The CPDPA does not have a private right of action—the Connecticut Attorney General has exclusive enforcement authority. From July 1, 2023 to December 31, 2024, the Attorney General may issue a notice of violation to a business prior to initiating an action if the Attorney General determines that a cure is possible. After December 31, 2024, there will be no notice and cure process. A violation of the CPDPA is considered an unfair trade practice. Each violation will carry with it a penalty of up to $5,000 for willful violations. 

Finally, it appears the state of Connecticut may either continue to promulgate additional legislation or amend the CPDPA. Prior to September 1, 2022, the Connecticut General Assembly must convene a task force to study issues concerning data privacy, such as information sharing among health care providers, algorithmic decision-making, legislation concerning COPPA, verification of the age of children creating social media accounts, data colocation, and other topics concerning data privacy. Such task force will submit a report no later than January 1, 2023 with its findings and recommendations.

As more states promulgate state data privacy legislation that differs in minor ways, it is absolutely vital for businesses to consult with data privacy counsel to ensure compliance with all compulsory requirements in this ever-shifting landscape.

Should you have any questions or need assistance, please contact us.

Nicole E. Cloyd

Mark E. Musekamp

Nicole is admitted to practice law in Kentucky; Nicole is approved under Ohio Gov. Bar R. I § 19 to practice in Ohio while her application for admission is pending.

KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.

