On May 10, 2022, the Governor signed into law “An Act Concerning Personal Data Privacy and Online Monitoring,” enacting consumer data privacy legislation for Connecticut (the CTDPA). The law takes effect in July 2023.
Applicability:
- ‘Consumers’ are defined as individuals who are residents of Connecticut. However, the CTDPA’s definition of ‘consumer’ does not include individuals acting in a commercial or employment context.
- With respect to data controllers and organisations, the CTDPA’s scope extends to entities that:
  - conduct business in Connecticut, or produce products or services that are targeted to Connecticut residents; and
  - during the preceding calendar year, either:
    - processed the personal data of at least 100,000 consumers; or
    - processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
Note: “Personal Data” is broadly defined and means any information linked or reasonably linkable to an identified or identifiable individual. “Sensitive Data” is personal data that includes racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data collected from a known child, or precise geolocation data.
Consumer Rights
- Access their personal data and confirm whether it is being processed;
- Correct inaccuracies in their personal data;
- Delete personal data provided by or obtained about them;
- Obtain a copy of their personal data in a portable, readily usable, and transmissible format; and
- Opt out of the processing of their personal data for the purposes of targeted advertising, sale, or profiling.
Obligations of Businesses
Controllers will be required to:
- Implement the data minimisation principle by restricting the collection of personal data to ‘what is adequate, relevant and reasonably necessary’ to the purposes for processing, as disclosed to the consumer;
- Implement the purpose limitation principle by processing personal data only for purposes that are reasonably necessary to, and compatible with, the purposes for processing, as disclosed to the consumer (unless the controller obtains the consumer’s consent);
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices;
- Obtain opt-in consent for the collection and processing of ‘sensitive’ data, which includes information revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data, and precise geolocation;
- Enter into a contract with processors, which shall govern the processor’s data processing procedures with respect to the processing performed on behalf of the controller;
- Refrain from processing personal data in violation of federal and state anti-discrimination laws;
- Provide an effective mechanism for a consumer to revoke consent that is at least as easy as the mechanism for providing consent, and cease processing the data within 15 days of receiving a revocation request;
- Obtain opt-in consent from children under the age of 16 before selling their personal data or using it for targeted advertising; and
- Provide consumers with a reasonably accessible, clear, and meaningful privacy notice.