Connecticut Data Privacy Act (Part 4): Dispute Resolution

by John DiGiacomo

Partner

Internet Law

The CTDPA’s Dispute Resolution Framework in Detail

Connecticut’s Personal Data Privacy and Online Monitoring Act, Conn. Gen. Stat. § 42-515 et seq. (effective July 1, 2023), imposes robust dispute resolution obligations on data controllers — obligations that go beyond what several other state privacy statutes require. Understanding the full scope of these requirements is critical for any business that collects personal data from Connecticut residents.

Internal Appeal Process: Required Elements

Under § 42-520(b) of the CTDPA, a controller that receives a consumer rights request — such as a request to delete personal data, correct inaccuracies, or opt out of data sales — must respond within 45 days. If the controller denies the request (in whole or in part), it must establish and conspicuously disclose an internal appeal process. The appeal process must satisfy all of the following requirements:

  • Be conspicuously available and easy to locate — burying the appeal process in a privacy policy footer is likely insufficient.
  • Use a mechanism substantially similar to the one used for the underlying request — if consumers submit requests via an online portal, the appeal must be accessible through the same or equivalent portal.
  • Be completed within 60 days of receiving the appeal — the controller must notify the consumer of its decision within that window.
  • Provide a written response explaining any action taken or not taken, along with a written explanation of the reasons for the decision.
  • If the appeal is denied, inform the consumer of the right to submit a complaint to the Connecticut Attorney General, and provide the contact information necessary to do so.

Complaint Rights With the Connecticut Attorney General

The CTDPA does not create a private right of action for consumers. Instead, § 42-524 assigns enforcement authority exclusively to the Attorney General’s Office. A consumer who has exhausted the internal appeal process and received a denial may file a complaint with the AG. The AG has authority to investigate, seek injunctive relief, and impose civil penalties of up to $5,000 per willful violation. Importantly, the AG may issue a notice of cure to an alleged violator and allow 60 days to remediate before imposing penalties — but the cure period expired on December 31, 2024, after which no cure right is guaranteed.

Automated Decision-Making and Appeals: A Higher Standard

One area where Connecticut’s law is notably stricter than the Iowa CDPA is automated decision-making. Under § 42-520(a)(6), consumers have the right to opt out of any processing of personal data for the purpose of profiling in furtherance of decisions that produce legal or similarly significant effects. When a controller makes such a decision using automated means — for example, an algorithm that denies a loan application — the consumer has a right not only to opt out prospectively but also to appeal the automated decision and receive a meaningful human review.

This human-review requirement is one of the most operationally challenging aspects of the CTDPA for businesses that rely heavily on algorithmic decision-making. Controllers must build processes — and staff them with qualified personnel — to conduct genuine human review of appeals, not rubber-stamp the automated output.

Practical Compliance Checklist for Controllers

Controllers subject to the CTDPA should audit their dispute-resolution infrastructure against this checklist:

  • Is an internal appeal mechanism disclosed in the privacy notice and easy to locate on the website?
  • Does the mechanism mirror the original request submission process?
  • Is the 60-day response deadline tracked for every appeal received?
  • Does the denial notice include a reasoned written explanation and AG contact information?
  • For automated-decision appeals, is a qualified human reviewer assigned — not just the algorithm re-run?
  • Are appeal records retained for at least two years for potential AG investigation?
  • Have all customer-service and compliance personnel been trained on the appeal process?

How Revision Legal Can Help

Revision Legal’s privacy attorneys advise businesses on designing CTDPA-compliant appeal processes, drafting privacy notices and appeal disclosures, and responding to AG investigations. Whether you are building a compliance program from scratch or auditing an existing one, we can help. Contact us at revisionlegal.com/contact or visit our Privacy Law practice page.

At the end of 2024, the Connecticut Personal Data Privacy and Online Monitoring Act (“CPDPA”) will become fully effective.

This is part four of a series of articles related to the CPDPA. In this article, the Consumer Data Privacy Lawyers here at Revision Legal take a granular-level look at the mandated dispute resolution procedures required by the CPDPA. The value of this detailed examination is that the procedures mandated by the CPDPA are nearly the same as the procedures mandated in nearly all of the similar statutes passed by State legislatures. One could say that State-level lawmakers are “cutting and pasting” these legislative provisions from one statute to another. Thus, by examining the procedures in the CPDPA, businesses and consumers will have a fairly good understanding of what procedures are required by all of the consumer data privacy statutes.

Why would dispute resolution be required?

There are likely two reasons that dispute resolution mechanisms are mandated by these consumer data privacy statutes. First, all of the consumer data privacy statutes give consumers certain rights with respect to their personal data that is collected and processed by businesses. For example, under certain circumstances, consumers have a right to “opt-out” of having their data collected and processed. Also, consumers can demand to see a copy of the data collected about them and to have a copy provided to them in a portable format. Consumers can also demand that incorrect data be corrected by the business that has the data.

Because consumers have the ability to demand/request certain actions be taken by a business that collects and processes data, there is a need for dispute resolution if the business refuses or fails to take the requested action. Without some sort of dispute resolution, a consumer has little recourse if, for example, the consumer demands a copy of their data, but the copy is never tendered.

The second reason for mandating dispute resolution is the fact that many businesses make decisions via the use of automated computer programs. By requiring some form of dispute resolution, it is likely that some level of human involvement will be triggered.

What is the dispute resolution procedure mandated by the Connecticut Personal Data Privacy Act?

The CPDPA mandates that “controllers” of consumer personal data “establish a process for a consumer to appeal the controller’s refusal to take action.” The consumer must be able to request an appeal “within a reasonable period of time” after the consumer’s receipt of an adverse decision. The appeal process must:

  • Be conspicuously available — on a website, for example
  • Be similar to the process for submitting requests to initiate action — controllers will create a process for allowing consumers to request action; a similar process must be created for allowing a consumer to initiate an appeal
  • Be completed no later than 60 days after receipt of an appeal
  • Provide the consumer with a written response informing the consumer of any action taken or not taken in response to the appeal and explaining the reasons for the decision(s)
  • If the appeal is denied, provide the consumer with information on how to contact the Connecticut Attorney General to file a complaint

Contact the Consumer Privacy Act Attorneys at Revision Legal

For more information, contact the experienced Consumer Privacy Act Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
