05.12.22
05.11.22
Connecticut has become the second state in 2022 to enact a comprehensive privacy law and the fifth US state overall. By passing the Connecticut Data Privacy Act (CTDPA), Connecticut joins California, Virginia, Colorado, and Utah in regulating businesses that collect, maintain, and/or sell consumers' personal data. It is set to go into effect on July 1, 2023, the same day as the Colorado Privacy Act.
Similar to other state privacy laws, the CTDPA places security and disclosure requirements on businesses that meet certain thresholds. Specifically, the CTDPA applies to businesses that either conduct business in the state or produce products or services targeted to consumers in the same and meets one of the following in the preceding calendar year:
The CTDPA exempts nonprofit organizations, organizations regulated under GLBA or HIPAA, and employee and business-to-business information.
As we've seen with the other state laws, the CTDPA requires businesses to establish, implement, and maintain reasonable administrative, technical, and physical data security practices. The CTDPA also gives consumers the right to access, delete, and/or correct their personal data, as well as the right to opt out of targeted advertising, the sale of personal data, and/or profiling. Additionally, of note under the CTDPA:
The CTDPA does not include a private right of action. Rather, it is enforceable solely by action of the Connecticut attorney general. Initially, the CTDPA provides for a 60-day cure period for businesses to correct violations before the attorney general can bring an enforcement action. This cure period expires, however, on December 31, 2024. You can find the full text of the CTDPA here.
Nixon Peabody advises domestic and international companies of every size as they address critical privacy and security issues, including these location-specific regulatory requirements. Subscribe to our mailing list for the latest legal developments and events in data privacy and security.