At the end of 2024, the Connecticut Personal Data Privacy and Online Monitoring Act (“CPDPA”) will become fully effective.

This is part four of a series of articles related to the CPDPA. In this article, the Consumer Data Privacy Lawyers here at Revision Legal take a granular-level look at the mandated dispute resolution procedures required by the CPDPA. The value of this detailed examination is that the procedures mandated by the CPDPA are nearly the same as the procedures mandated in nearly all of the similar statutes passed by State legislatures. One could say that State-level lawmakers are “cutting and pasting” these legislative provisions from one statute to another. Thus, by examining the procedures in the CPDPA, businesses, and consumers will have a fairly good understanding of what procedures are required by all of the consumer data privacy statutes.

Why would dispute resolution be required?

There are likely two reasons that dispute resolution mechanisms are mandated by these consumer data privacy statutes. First, all of the consumer data privacy statutes give consumers certain rights with respect to their personal data that is collected and processed by businesses. For example, under certain circumstances, consumers have a right to “opt-out” of having their data collected and processed. Also, consumers can demand to see a copy of the data collected about them and to have a copy provided to them in a portable format. Consumers can also demand that incorrect data be corrected by the business that has the data.

Because consumers have the ability to demand/request certain actions be taken by a business that collects and processes data, there is a need for dispute resolution if the business refuses or fails to take the requested action. Without some sort of dispute resolution, a consumer has little recourse if, for example, the consumer demands a copy of their data, but the copy is never tendered.

The second reason for mandating dispute resolution is the fact that many businesses make decisions via the use of automated computer programs. By requiring some form of dispute resolution, it is likely that some level of human involvement will be triggered.

What is the dispute resolution procedure mandated by the Connecticut Personal Data Privacy Act?

The CPDPA mandates that “controllers” of consumer personal data “establish a process for a consumer to appeal the controller’s refusal to take action.” The consumer must be able to request an appeal “within a reasonable period of time” after the consumer’s receipt of an adverse decision. The appeal process must:

• Be conspicuously available — on a website, for example
• Be similar to the process for submitting requests to initiate action — controllers will create a process for allowing consumers to request action; a similar process must be created for allowing a consumer to initiate an appeal
• Be completed no later than 60 days after receipt of an appeal
• Must provide the consumer with a written response informing the consumer of any action taken or not taken in response to the appeal and explaining the reasons for the decision(s)
• If the appeal is denied, the consumer must be provided with information on how to contact the Connecticut Attorney General to file a complaint

Contact the Consumer Privacy Act Attorneys at Revision Legal

For more information, contact the experienced Consumer Privacy Act Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.