
Connecticut Data Privacy Act: Business Guide (Part 2)

by John DiGiacomo, Partner, Internet Law

Who Is Covered: The CTDPA’s Applicability Thresholds

Connecticut’s Personal Data Privacy and Online Monitoring Act (CTDPA), Conn. Gen. Stat. § 42-515 et seq., applies to businesses that: (1) conduct business in Connecticut or produce products or services targeted to Connecticut residents; AND (2) during the preceding calendar year, either (a) controlled or processed the personal data of at least 100,000 consumers, or (b) controlled or processed the personal data of at least 25,000 consumers while deriving more than 25% of gross revenue from the sale of personal data. Unlike California’s CCPA, the CTDPA has no standalone revenue threshold, meaning even small data-heavy businesses can be covered.

Data Protection Assessments: What They Must Cover

One of the CTDPA’s most operationally demanding requirements is the data protection assessment (DPA). Under § 42-521, controllers must conduct and document a DPA before engaging in any of the following processing activities:

  • Processing sensitive data
  • Selling personal data
  • Processing personal data for targeted advertising
  • Processing for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, disparate impact, intrusion upon privacy, financial, physical, or reputational injury, or other substantial injury to consumers

The DPA must weigh the benefits of the processing against its risks to consumers, taking into account the implementation of safeguards that can mitigate those risks. Critically, DPAs are protected from disclosure in response to a third-party discovery request — they are confidential business records — but the Connecticut AG may request them as part of an enforcement investigation. DPAs should therefore be substantive documents, not boilerplate. A thin or pro forma DPA may actually harm a business in an enforcement proceeding by suggesting that the required risk assessment was not genuinely conducted.

Sensitive Data: The Higher Standard

The CTDPA defines ‘sensitive data’ to include:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sexual orientation or gender identity
  • Immigration status
  • Financial account information (account number, credit card number, etc.)
  • Biometric data processed for the purpose of unique identification
  • Personal data of a known child
  • Precise geolocation data (within a radius of 1,750 feet)

Processing sensitive data requires obtaining the consumer’s opt-in consent — an affirmative, freely given, specific, informed, and unambiguous indication of agreement. Pre-checked boxes, bundled consents buried in terms of service, and consent obtained as a condition of using a service are all problematic. For children’s data, the CTDPA imports the requirements of COPPA (Children’s Online Privacy Protection Act, 15 U.S.C. § 6501 et seq.), requiring verifiable parental consent for children under 13 and additional protections for teens under 16.

Vendor Contracts: Controller-Processor Agreements

Any business that shares personal data with a service provider — cloud storage, analytics, email marketing platforms, payment processors — must execute a written data processing agreement with that vendor before sharing data. Under § 42-522, the agreement must:

  • Specify the nature and purpose of the processing
  • Specify the type of data being processed and the duration of the processing
  • Obligate the processor to process data only on the controller’s documented instructions
  • Require the processor to delete or return all personal data at the end of the relationship
  • Require the processor to allow and cooperate with reasonable audits by the controller
  • Require the processor to notify the controller promptly of any data breach
  • Require the processor to impose equivalent data-protection obligations on any sub-processors

CTDPA vs. CCPA: Key Differences for Multi-State Compliance

Businesses that are already CCPA-compliant cannot assume they are CTDPA-compliant. Key differences include:

  • No revenue threshold: The CTDPA has no standalone revenue-based coverage trigger; the CCPA covers any business with annual gross revenue exceeding $25 million regardless of data volume.
  • Opt-in for sensitive data: The CTDPA requires affirmative opt-in consent for all sensitive data processing; the CCPA/CPRA requires opt-in only for minors and otherwise uses an opt-out model.
  • Cure period sunset: The CTDPA’s 60-day cure right expired on December 31, 2024; the CCPA still provides a 30-day cure period in some circumstances.
  • No private right of action: Unlike the CPRA’s limited private right of action for data breaches, the CTDPA provides no private right of action.

Revision Legal’s privacy attorneys help businesses design and implement CTDPA compliance programs, draft controller-processor agreements, and prepare defensible data protection assessments. Contact us at revisionlegal.com/contact or visit our Privacy Law practice page.

The Connecticut Personal Data Privacy and Online Monitoring Act (“CPDPA”) will become fully effective as of the end of 2024. All provisions in the Act will be effective and the grace period for violations that is granted by the Act will expire.

In Part Two of our series of articles on the CPDPA, the Consumer Data Privacy Lawyers at Revision Legal take a closer look at what businesses should know about the Act, including the various obligations it imposes. In related articles, we have provided a “high altitude” overview of the CPDPA and examined what rights are granted to consumers, how those rights are exercised, and other aspects of the CPDPA.

To whom does the Connecticut Personal Data Privacy Act apply?

The CPDPA applies to businesses:

  • That conduct business in Connecticut, OR that produce products or services that are targeted to Connecticut residents AND
  • That control or process personal consumer data for (i) at least 100,000 Connecticut consumers OR for (ii) at least 25,000 Connecticut consumers AND derive over 25% of their gross revenue from the sale of personal data

As can be seen, the focus of the Connecticut Personal Data Privacy Act is on businesses that collect and process consumer personal data. These businesses are broken out into two categories: “controllers” and “processors” of data. Basically, “controllers” decide what data is collected, and “processors” are businesses that manipulate or otherwise use the data. A controller might be an online retailer who collects payment and shipping information, whereas a processor actually processes the data so that payment is received from the consumer’s financial/credit card account and delivered to the retailer.

The applicability of the CPDPA also depends on what data is being collected and processed. The Act applies to the collection and processing of “consumer personal data,” which, as with similar statutes, the CPDPA defines with exacting detail. But the CPDPA also excludes many other types of data. Personal data includes information like social security numbers, addresses, biometric information, precise geolocation data, and more. However, personal data does not include data collected when a person is acting in an employment or commercial capacity, disaggregated data, de-personalized data, pseudonymous data, and more.

What obligations are imposed by the Connecticut Personal Data Privacy Act?

Most obligations imposed by the CPDPA are imposed on controllers. However, through mandated contractual obligations, these obligations are also imposed on data processors.

In terms of collection, controllers are required to limit data collection to what is “adequate, relevant, and reasonably necessary” for the purpose of the data collection. Further, controllers (and processors) are to manipulate/process the data only as much as reasonably necessary to accomplish the purpose of the transaction.

The CPDPA also requires controllers to give consumers notice about the personal data collected, the business purposes for which the data is collected, with whom the data is shared, and more. Such notices must be posted in a manner that is “reasonably accessible, clear, and meaningful.”

Where a controller shares or sells consumer personal data, the controller must also provide notice of that and give the consumer an “opt-out” from having such data shared or sold. The “opt-out” option must also be available if the controller engages in or facilitates any sort of targeted advertising. Under the CPDPA, a “sale” means the exchange of personal data for money or any other “valuable” consideration.

In addition, a controller must provide an easily located email address or other online mechanism that allows consumers to contact the controller. A controller must also provide a mechanism for consumers to resolve disputes about the processing of their consumer personal data. Other obligations include:

  • Adequate cybersecurity
  • Contractual provisions and safeguards between controllers and processors obligating the processors to abide by the requirements of the CPDPA
  • Preparation of data protection assessment reports for data processing of sensitive consumer personal data

Contact the Consumer Privacy Act Attorneys at Revision Legal

For more information, contact the experienced Consumer Privacy Act Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
