What Businesses Should Know About the Connecticut Personal Data Privacy Act (Part Two)

by John DiGiacomo

Partner

Internet Law

The Connecticut Personal Data Privacy and Online Monitoring Act (“CPDPA”) will become fully effective as of the end of 2024. All provisions in the Act will be effective and the grace period for violations that is granted by the Act will expire.

In Part Two of our articles on the CPDPA, the Consumer Data Privacy Lawyers at Revision Legal provide a closer look at what businesses should know about the Act, including the various obligations it imposes. In related articles, we have provided a “high altitude” overview of the CPDPA and examined what rights are granted to consumers, how those rights are exercised, and other aspects of the CPDPA.

To whom does the Connecticut Personal Data Privacy Act apply?

The CPDPA applies to businesses:

  • That conduct business in Connecticut, OR that produce products or services that are targeted to Connecticut residents AND
  • That control or process personal consumer data for (i) at least 100,000 Connecticut consumers OR for (ii) at least 25,000 Connecticut consumers AND derive over 25% of their gross revenue from the sale of personal data

As can be seen, the focus of the Connecticut Personal Data Privacy Act is on businesses that collect and process consumer personal data. These businesses are broken out into two categories: “controllers” and “processors” of data. Basically, “controllers” decide what data is collected, and “processors” are businesses that manipulate or otherwise use the data. A controller might be an online retailer who collects payment and shipping information, whereas a processor actually processes the data so that payment is received from the consumer’s financial/credit card account and delivered to the retailer.

The applicability of the CPDPA also depends on what data is being collected and processed. The Act applies to the collection and processing of “consumer personal data,” which, as with similar statutes, the CPDPA defines in exacting detail. But the CPDPA also excludes many other types of data. Personal data includes information like social security numbers, addresses, biometric information, precise geolocation data, and more. However, personal data does not include data collected when a person is acting in an employment or commercial capacity, disaggregated data, de-personalized data, pseudonymous data, and more.

What obligations are imposed by the Connecticut Personal Data Privacy Act?

Most obligations imposed by the CPDPA are imposed on controllers. However, through mandated contractual obligations, these obligations are also imposed on data processors.

In terms of collection, controllers are required to limit data collection to what is “adequate, relevant, and reasonably necessary” for the purpose of the data collection. Further, controllers (and processors) are to manipulate/process the data only as much as reasonably necessary to accomplish the purpose of the transaction.

The CPDPA also requires controllers to give consumers notice about the personal data collected, the business purposes for which the data is collected, with whom the data is shared, and more. Such notices must be posted in a manner that is “reasonably accessible, clear, and meaningful.”

Where a controller shares or sells consumer personal data, the controller must also provide notice of that and give the consumer an “opt-out” from having such data shared or sold. The “opt-out” option must also be available if the controller engages in or facilitates any sort of targeted advertising. Under the CPDPA, a “sale” means the exchange of personal data for money or any other “valuable” consideration.

In addition, a controller must provide an easily located email address or other online mechanism that allows consumers to contact the controller. A controller must also provide a mechanism for consumers to resolve disputes about the processing of their consumer personal data. Other obligations include:

  • Adequate cybersecurity
  • Contractual provisions and safeguards between controllers and processors obligating the processors to abide by the requirements of the CPDPA
  • Preparation of data protection assessment reports for data processing of sensitive consumer personal data

Contact the Consumer Privacy Act Attorneys at Revision Legal

For more information, contact the experienced Consumer Privacy Act Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
