The Connecticut Personal Data Privacy and Online Monitoring Act (“CPDPA”) will become fully effective as of the end of 2024. At that point, all provisions of the Act will be in effect, and the grace period that the Act grants for violations will expire.
In Part Two of our articles on the CPDPA, the Consumer Data Privacy Lawyers at Revision Legal take a closer look at what businesses should know about the Act, including the various obligations it imposes. In related articles, we have provided a “high altitude” overview of the CPDPA and examined what rights are granted to consumers, how those rights are exercised, and other aspects of the CPDPA.
To whom does the Connecticut Personal Data Privacy Act apply?
The CPDPA applies to businesses:
- That conduct business in Connecticut, OR that produce products or services that are targeted to Connecticut residents AND
- That control or process personal consumer data for (i) at least 100,000 Connecticut consumers OR for (ii) at least 25,000 Connecticut consumers AND derive over 25% of their gross revenue from the sale of personal data
As can be seen, the focus of the Connecticut Personal Data Privacy Act is on businesses that collect and process consumer personal data. These businesses are broken out into two categories: “controllers” and “processors” of data. Basically, “controllers” decide what data is collected, and “processors” are businesses that manipulate or otherwise use the data. A controller might be an online retailer who collects payment and shipping information, whereas a processor actually processes the data so that payment is received from the consumer’s financial/credit card account and delivered to the retailer.
The applicability of the CPDPA also depends on what data is being collected and processed. The Act applies to the collection and processing of “consumer personal data,” which, as with similar statutes, the CPDPA defines in exacting detail. The CPDPA also excludes many other types of data. Personal data includes information like social security numbers, addresses, biometric information, precise geolocation data, and more. However, personal data does not include data collected when a person is acting in an employment or commercial capacity, disaggregated data, de-personalized data, pseudonymous data, and more.
What obligations are imposed by the Connecticut Personal Data Privacy Act?
Most obligations imposed by the CPDPA are imposed on controllers. However, through mandated contractual obligations, these obligations are also imposed on data processors.
In terms of collection, controllers are required to limit data collection to what is “adequate, relevant, and reasonably necessary” for the purpose of the data collection. Further, controllers (and processors) are to manipulate/process the data only as much as reasonably necessary to accomplish the purpose of the transaction.
The CPDPA also requires controllers to give consumers notice about the personal data collected, the business purposes for which the data is collected, with whom the data is shared, and more. Such notices must be posted in a manner that is “reasonably accessible, clear, and meaningful.”
Where a controller shares or sells consumer personal data, the controller must also provide notice of that and give the consumer an “opt-out” from having such data shared or sold. The “opt-out” option must also be available if the controller engages in or facilitates any sort of targeted advertising. Under the CPDPA, a “sale” means the exchange of personal data for money or any other “valuable” consideration.
In addition, a controller must provide an easily located email address or other online mechanism that allows consumers to contact the controller. A controller must also provide a mechanism for consumers to resolve disputes about the processing of their consumer personal data. Other obligations include:
- Adequate cybersecurity
- Contractual provisions and safeguards between controllers and processors obligating the processors to abide by the requirements of the CPDPA
- Preparation of data protection assessment reports for data processing of sensitive consumer personal data
Contact the Consumer Privacy Act Attorneys at Revision Legal
For more information, contact the experienced Consumer Privacy Act Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.