In 2022, Connecticut enacted its version of a consumer data privacy act officially called the Connecticut Personal Data Privacy and Online Monitoring Act (“CPDPA”). It is unclear why Connecticut lawmakers used the words “online monitoring” in the statute’s name since the words do not appear together anywhere else in the text of the Act.

In any event, at the time of enactment, Connecticut was the fifth State to enact such a law. As of early 2024, eleven versions of these privacy acts have been enacted, with all of them currently in force or coming into force by the end of 2024. Most of the provisions of the CPDPA have become effective as of late 2023/early 2024. The remainder of the Act will be fully effective as of December 31, 2024. That is also the date on which the Act’s grace period for non-compliance expires.

In this Part One of articles related to the CPDPA, the Consumer Data Privacy Lawyers at Revision Legal provide a “high altitude” overview of the CPDPA with a few comments on how it compares to similar statutes. In related articles, we examine various obligations imposed by the CPDPA on businesses, what rights are granted to consumers, how rights are exercised, and other aspects of the Act.

Is the CPDPA “friendly” to consumers or businesses?

On the spectrum of “friendliness” to consumers or businesses, the CPDPA lies towards the middle of the spectrum. For example, the CPDPA applies to businesses:

• That conduct business in Connecticut, OR that produce products or services that are targeted to Connecticut residents AND
• That control or process personal consumer data for (i) at least 100,000 Connecticut consumers OR for (ii) at least 25,000 Connecticut consumers AND derive over 25% of their gross revenue from the sale of personal data

On the side of being “business-friendly,” for these thresholds, the CPDPA excludes data processed solely for processing payment transactions. That is a large chunk of data processing that is eliminated when determining applicability. So, this can be seen as “business-friendly.” By contrast, the “25% of gross revenue” threshold is much lower than in similar statutes. So, this can be seen as “consumer friendly.”

For another couple of examples, the CPDPA can be seen as “business friendly” by not permitting any sort of private right of action for consumers. However, the Act can be seen as “consumer friendly” by deeming violations of the CPDPA to be violations of Connecticut’s unfair trade practices statutes. Such statutes impose substantial penalties if violations are proven. Whether the CPDPA will be “business-friendly” or “consumer-friendly”  will ultimately be determined by how the Connecticut Attorney General enforces the Act.

What is the framework of the Connecticut Personal Data Privacy Act​?

The framework of the Connecticut Personal Data Privacy Act​ is similar to that used in other privacy statutes. That is, the CPDPA defines “consumer data” and focuses on “controllers” and “processors” of that data. Consumers are given certain rights with respect to how their data is processed, and various obligations are imposed on “controllers” and “processors.”

What obligations are imposed by the Connecticut Personal Data Privacy Act​?

In many respects, the obligations imposed by the CPDPA on businesses — “controllers” and “processors” — overlap with the obligations imposed by similar statutes. These include giving notices to consumers, obtaining consent, limiting the processing of data, ensuring cybersecurity, etc. Some of the more onerous requirements are imposed — such as the need for written data protection assessments for processing activities that present “a heightened risk of harm to a consumer.” Some of the newer requirements are also imposed — such as the requirement that businesses accept a consumer’s privacy and opt-out choices “signaled” by technology, software, and/or platforms such as browser settings. In another article related to the Connecticut Personal Data Privacy Act, we delve into the details.

What consumer rights are granted by the Connecticut Personal Data Privacy Act​?

As with obligations, the rights granted to consumers by the Connecticut Personal Data Privacy Act overlap with the rights granted by similar statutes. The rights include the right to receive notices, to give (or withhold) consent, to have dispute resolution, to be free from retaliation, and more. We delve into more detail in a related article.

Contact the Consumer Privacy Act Attorneys at Revision Legal

For more information, contact the experienced Consumer Privacy Act Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.