Connecticut Data Privacy Act: Consumer Guide (Part 3)

by John DiGiacomo

Partner

Internet Law

How to Exercise Your Rights Under the CTDPA

Connecticut residents who believe their personal data has been collected by a covered business have concrete rights under the Personal Data Privacy and Online Monitoring Act, Conn. Gen. Stat. § 42-515 et seq. This section explains how to exercise those rights in practice.

Submitting a Request to Know or Access Your Data

You have the right to confirm whether a controller is processing your personal data and, if so, to obtain a copy of it. To submit a request, look for the business’s privacy notice — typically linked in the website footer — which must disclose the mechanism for submitting consumer requests. Many businesses provide an online form, a toll-free number, or a designated email address. Under § 42-520, the controller must respond within 45 days. If the controller needs more time (up to an additional 45 days), it must notify you in writing and explain why.

Requesting Deletion or Correction

Your right to delete requires the controller to erase your personal data from its records and direct its processors and sub-processors to do the same — unless retention is required by law or necessary to complete a transaction you initiated. Your right to correction requires the controller to correct inaccurate personal data, taking into account the nature of the data and the purposes of processing.

What to Do If Your Request Is Denied

If a business denies your request — or fails to respond within the 45-day window — you have options:

  • Step 1 — Internal appeal: The business must provide an internal appeal mechanism. Submit your appeal using the mechanism disclosed in the privacy notice. The business has 60 days to respond.
  • Step 2 — AG complaint: If the appeal is denied, the controller must provide you with the Connecticut Attorney General’s contact information. You may submit a complaint online at portal.ct.gov/AG or by calling (860) 808-5318.
  • Step 3 — Document everything: Keep copies of every request you submitted, every response you received (or lack thereof), and all communications with the business. The AG’s investigation will be more effective with a clear paper trail.

Note: the CTDPA does not give you a private right of action — you cannot sue the business directly for a CTDPA violation. Your recourse is through the AG’s enforcement process. However, the same underlying conduct may give rise to claims under other statutes that do permit private lawsuits, such as the CCPA (for California residents) or state common-law claims for invasion of privacy.

Special Protections for Sensitive Data

Connecticut’s law provides heightened protections for categories of data that are especially sensitive. For sensitive data — which includes health information, racial or ethnic origin, sexual orientation, precise geolocation, biometric data, and children’s data — businesses must obtain your affirmative opt-in consent before collecting or processing it. If you did not affirmatively consent, the processing is unlawful regardless of any other disclosure or notice.

If you believe a business is processing your sensitive data without your consent, your AG complaint should specifically identify: (1) the category of sensitive data at issue, (2) the processing activity you believe occurred, and (3) the fact that you never provided opt-in consent. This specificity will help the AG’s office prioritize your complaint.

Opt-Out Rights: Targeted Advertising, Data Sales, and Profiling

You have the right to opt out of three categories of processing at any time: (1) the sale of your personal data, (2) targeted advertising, and (3) profiling in furtherance of decisions with legal or significant effects. Businesses must honor opt-out requests promptly — no later than 45 days — and may not condition your access to their services on your agreement to forgo the opt-out right (with limited exceptions).

Starting January 1, 2025, covered businesses must also recognize opt-out preference signals — automated signals sent by your browser or device to indicate your opt-out preferences — without requiring you to submit a separate request. This makes compliance more automatic, provided your browser is configured to send the signal.

Children’s Data: Extra Protections

If you are a parent or guardian, the CTDPA provides additional protections for your child’s data. Businesses that know they are processing the data of a child under 13 must comply with COPPA and obtain verifiable parental consent. For children aged 13–15, businesses may not process personal data for targeted advertising or sell the data without the teen’s consent. You have the right to exercise all CTDPA rights on behalf of your minor child.

If you have questions about your privacy rights under the CTDPA or need assistance navigating a data rights request dispute, Revision Legal’s privacy attorneys can advise you. Contact us at revisionlegal.com/contact or visit our Privacy Law practice page.

At the end of 2024, the Connecticut Personal Data Privacy and Online Monitoring Act (“CPDPA”) will become fully effective.

In other articles related to the CPDPA, the Consumer Data Privacy Lawyers at Revision Legal have provided an overview of the Act and looked closer at what obligations the CPDPA imposes on controllers and processors of personal data. In this article, we examine what rights are granted to Connecticut consumers.

To what consumer data does the Connecticut Personal Data Privacy Act apply?

As with similar consumer data privacy statutes, the Connecticut Personal Data Privacy Act is aimed at providing some protection for the collection, use, sale, and storage of “consumer personal data.” More specifically, the CPDPA is concerned with personal data that can be used or manipulated in such a manner as to personally identify specific and unique individuals. Thus, the CPDPA does not apply to de-identified, anonymized, or disaggregated data and other types of data that cannot be used to uniquely identify a person. Further, publicly available information and data that has been voluntarily released to the public by a consumer are also excluded from the definition of “consumer personal data.”

Also, the CPDPA’s emphasis is on “consumer” data. Thus, the CPDPA does not apply to data collected and processed when a person is acting in an employment capacity — such as applying for a job — or in a commercial capacity — such as when he or she is operating a small business.

All that being said, “consumer personal data” generally includes things like social security numbers, names, addresses, financial and credit card account numbers, and more. Certain personal data is considered “sensitive” personal data. This data includes data with respect to:

  • Racial or ethnic origin
  • Religious beliefs
  • Health condition
  • Sexual habits or orientation
  • Citizenship or immigration status
  • Biometric information
  • Precise geolocation data
  • And more

What consumer rights are granted by the Connecticut Personal Data Privacy Act?

In broad outline, consumers in Connecticut are given notice, consent, opt-out, correction, deletion, portability, and dispute resolution rights under the CPDPA. With respect to notice rights, businesses that collect and process consumer personal data must provide notices to consumers that are “reasonably accessible, clear, and meaningful.” Among other things, the notices must identify what categories of personal data are being collected, with whom the data is shared, the business purposes for which the data is collected/shared, and more. When businesses sell/share the data or use the data for targeted advertising or in connection with automated decision-making that could have significant effects on the consumer (such as an application for a loan), then the notices must provide that information AND obtain the consumer’s consent for collection and processing of the data. Further, under those conditions, businesses must give the consumer a method of “opting out” of having their information sold or used for targeted advertisement.

Further, businesses must allow consumers to obtain a copy or access to their personal data collected and stored, must allow for correction or deletion of that data, and must possess the data in a format that allows it to be transferred (portability). Businesses must also provide contact information for consumers and must have dispute resolution methods and procedures available for circumstances where a consumer wishes to dispute a decision made by a data controller (such as to deny access, refuse to correct, etc.).

Contact The Consumer Privacy Act Attorneys At Revision Legal

For more information, contact the experienced Consumer Privacy Act Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
