Connecticut’s Governor signed the state’s comprehensive privacy law into law on May 10, 2022, adding yet another state to the list of comprehensive U.S. state privacy laws. The Connecticut legislature largely drew upon provisions found in the existing comprehensive state privacy laws in California, Virginia, Colorado, and Utah to draft “An Act Concerning Protection of Consumer Data Privacy and Online Monitoring” (the “Connecticut Privacy Act” or “CTPA”). The CTPA does not introduce any novel consumer rights, although it does differ in some details from its predecessors. Most of its provisions are operative on July 1, 2023, while some provisions take effect later.

In previous posts, we covered steps that companies can take now to prepare for state privacy laws in 2023, as well as specific developments related to the California Privacy Rights Act (“CPRA”), the Colorado Protect Personal Data Privacy Act (“ColoPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and the Utah Consumer Privacy Act (“UCPA”).

Here, we highlight key aspects of the CTPA with a focus on the provisions that companies should consider in their compliance preparations. We also provide an overview of the CTPA’s enforcement mechanisms and explain how the CTPA modifies prior laws’ safe harbor with a nod towards prosecutorial discretion. This post wraps up by summarizing the CTPA’s Task Force, considering the implications it might have for the future of the CTPA, and providing a table that compares the rights provided by the CTPA and the other comprehensive U.S. state privacy laws.

Applicability: A New Scope

The CTPA applies to those controllers or processors who, in addition to doing business in the state or targeting state residents, meet one of two data-processing thresholds: they either (1) control or process the personal data of 100,000 or more state residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) control or process the personal data of 25,000 or more state residents and derive more than 25 percent of their gross revenue from the sale of personal data. CTPA § 2. The CTPA’s payment transaction exclusion is new. In effect, businesses that process payment transactions for numerous Connecticut residents, but do not otherwise control or process the personal data of 100,000 or more Connecticut residents, might not be subject to the CTPA.

Like other state privacy laws, the CTPA contains a number of entity-based and data-based exemptions, including financial institutions covered by the Gramm-Leach-Bliley Act, national securities associations that are registered under the Securities Exchange Act of 1934, and data regulated by the Fair Credit Reporting Act, among other exemptions.

Bottom Line: Businesses that operate in Connecticut or target Connecticut residents will need to apply a slightly different threshold analysis than under previous state laws to determine whether they are subject to the CTPA.

Broad Consumer Rights

Like the other state privacy laws, the CTPA generally provides the rights to know/access, correct, delete, and data portability, as well as robust opt-out rights, including opt-outs of sales, profiling, and targeted advertising. CTPA § 4(a). The CTPA directs controllers to consider the nature of the personal data and the purposes for which it is processed when responding to correction requests. CTPA § 4(a)(2).

The right to delete under the CTPA generally aligns with the right to delete in the CCPA/CPRA, ColoPA, and VCDPA as it covers both data provided by consumers and data obtained about those consumers. CTPA § 4(a)(3). Under the CTPA, controllers who purchase personal data from data brokers will need to comply with deletion requests from Connecticut residents with respect to the purchased data.

Like the CCPA/CPRA and ColoPA, the CTPA defines “sale” to include the exchange of data for monetary or other valuable consideration. CTPA § 1(26). This contrasts with the VCDPA’s and the UCPA’s definition of “sale,” which is limited to an exchange of personal data for only monetary consideration.

The CTPA bolsters opt-out rights by requiring controllers to recognize a global opt-out preference signal by January 1, 2025. CTPA § 6(e)(1)(A)(ii). The global opt-out preference signal is not new. Under ColoPA, controllers will also have to recognize global opt-out signals as of July 1, 2024, six months before this requirement is operative in Connecticut. Under the CCPA/CPRA, businesses must provide two methods for consumers to opt out of the sale of their personal data, and a global opt-out signal is one method that businesses must recognize.

The CTPA’s opt-out provisions appear to be consumer friendly. A controller does not need to authenticate the consumer’s identity to comply with an opt-out request, though the controller may decline to honor the request if it has a good-faith, reasonable basis to believe the request is fraudulent. CTPA § 4(c)(4). Consumers may also appoint an authorized agent to exercise their right to opt out of processing on their behalf. CTPA § 4(b).
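How a web application can recognize a global opt-out preference signal of the kind described above, and apply it without authenticating the user while still leaving room for the fraud exception, is shown in the following added example. It is not code from the original post and is not drawn from the statute; it assumes the Global Privacy Control (GPC) convention, under which a browser with the signal turned on sends the request header Sec-GPC: 1 (and exposes navigator.globalPrivacyControl to page scripts), and it assumes a server that publishes the /.well-known/gpc.json resource to declare that it honors the signal. The function names, the stored-choice record, and the suspectedFraud flag are illustrative assumptions; whether GPC satisfies a given statute’s definition of a recognized signal is a legal question the code does not answer.

```javascript
// Added example (not from the original post): server-side handling of a
// global opt-out preference signal under the GPC convention ("Sec-GPC: 1").

// Processing activities the signal opts the consumer out of. Assumed scopes,
// chosen to match the opt-out rights discussed in the post.
const OPT_OUT_SCOPES = Object.freeze(["sale", "targeted_advertising"]);

// Case-insensitive header lookup; tolerates the array form some frameworks use.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers ?? {})) {
    if (key.toLowerCase() === want) return Array.isArray(value) ? value[0] : value;
  }
  return undefined;
}

// True only for a syntactically valid, affirmative signal. The GPC header's
// only defined value is "1"; anything else ("0", "true", "yes", missing) is
// treated as no signal rather than guessed at.
function hasOptOutSignal(headers) {
  const raw = getHeader(headers, "sec-gpc");
  return typeof raw === "string" && raw.trim() === "1";
}

// Decide which processing must stop for this request.
//   headers        - request headers
//   stored         - the consumer's recorded choices, e.g. { sale: true }
//                    from an earlier explicit opt-out (assumed record shape)
//   suspectedFraud - set by the caller when the controller has a documented,
//                    good-faith reason to treat the request as fraudulent;
//                    this code never infers fraud on its own
// The signal is honored without any identity check, mirroring the point that
// opt-out requests need not be authenticated.
function resolveOptOut({ headers, stored = {}, suspectedFraud = false }) {
  const signal = hasOptOutSignal(headers) && !suspectedFraud;
  const storedOptOut = Object.values(stored).some(Boolean);
  const decision = {};
  for (const scope of OPT_OUT_SCOPES) {
    // A recorded opt-out is never overridden by the absence of a signal.
    decision[scope] = Boolean(stored[scope]) || signal;
  }
  decision.signal = signal;
  decision.source = signal ? "signal" : storedOptOut ? "stored" : "none";
  return decision;
}

// Gate for the ad pipeline: targeted ads are served only when no opt-out
// applies; the caller falls back to contextual ads otherwise.
function mayServeTargetedAd(decision) {
  return !decision.targeted_advertising;
}

// Body of the /.well-known/gpc.json resource a site publishes to state that
// it honors the signal; lastUpdate is an ISO 8601 date supplied by the caller.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Stand-alone demonstration on constructed headers.
if (typeof require !== "undefined" && require.main === module) {
  const withSignal = resolveOptOut({ headers: { "sec-gpc": "1" } });
  const withoutSignal = resolveOptOut({ headers: { "user-agent": "x" } });
  console.log("signal present:", withSignal, "targeted ad ok:", mayServeTargetedAd(withSignal));
  console.log("no signal:", withoutSignal, "targeted ad ok:", mayServeTargetedAd(withoutSignal));
  console.log("well-known:", JSON.stringify(gpcWellKnown("2023-07-01")));
}
```

Because the check is purely on the request, it also covers the ColoPA and CCPA/CPRA signal requirements mentioned above; what differs per state is the date by which the signal must be honored and which processing it covers, both of which live in the scopes and rollout plan rather than in this logic.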

The CTPA defines “sensitive data” similarly to other state privacy laws, and it requires affirmative opt-in consent before processing sensitive data and, for a known child’s sensitive data, processing in accordance with the Children’s Online Privacy Protection Act. CTPA §§ 1(27) & 6(a)(4). The CTPA’s definition of “consent” excludes consent obtained through the use of “dark patterns.” CTPA § 1(6). Under the CTPA, “dark patterns” refer to user interfaces that subvert or impair user autonomy. CTPA § 1(11). The CTPA also explicitly allows consumers to revoke such consent. CTPA § 6(a)(6). After receiving a revocation, controllers must cease processing the consumer’s data “as soon as practicable” and in no event later than 15 days after receipt. Id.

Bottom Line: Controllers and processors subject to the CTPA should focus on key compliance issues, none of which should be net new for companies already preparing for compliance with other state privacy laws:

  • Provide the rights to correct and to opt out of profiling;
  • Prepare to delete personal data obtained from data brokers upon consumer request;
  • Treat data exchanged for any valuable consideration as a “sale” of data;
  • Recognize global opt-out preference signals;
  • Determine how to assess fraudulent opt-out requests;
  • Use opt-in provisions before processing sensitive data; and
  • Do not use dark patterns to obtain consent.

Controller Obligations

None of the controller obligations are net new when compared to other state privacy laws, although some of the details may differ.

Like the CPRA, VCDPA, and ColoPA, the CTPA sets the baseline for responsible consumer-data processing by encoding the principle of data minimization. Controllers must ensure that any data processed is “reasonably necessary and proportionate” to the controller’s processing needs, as well as “adequate, relevant and reasonably limited to what is necessary.” CTPA § 10(f). Personal data must be subject to reasonable physical, technical, and administrative safeguards to protect the data’s confidentiality, integrity, and accessibility and to reduce the risk of harm to consumers. Id.

Controllers must perform data risk assessments prior to processing consumer data when such processing presents a “heightened risk of harm.” CTPA § 8(a). These situations include processing for targeted advertising, sale, and certain profiling activities, as well as processing sensitive data. Id. This requirement is similar to the data protection impact assessments in the VCDPA and ColoPA.

The CTPA requires controllers to provide consumers with a privacy notice covering the same topics as those identified in the VCDPA, UCPA, and ColoPA, namely: (1) the categories of personal data processed; (2) the purpose for processing personal data; (3) how consumers may exercise their rights, including the right to appeal a controller’s response to a consumer request; (4) the categories of personal data shared with third parties, if any; (5) the categories of third parties with which the controller shares data, if any; and (6) an online method to contact the controller. CTPA § 6(c). The requirement to specify an online contact method is new; the other state privacy laws require notice only of some method to contact the controller.

As in ColoPA and VCDPA, under the CTPA controllers must establish a process through which consumers may appeal the controller’s refusal to act on a consumer’s request under the CTPA’s consumer rights provisions. The process must be similar to the processes used to submit consumer requests, and it must be conspicuously available. CTPA § 4(d). Controllers have 60 days to respond to the consumer’s appeal, and when doing so, controllers must provide consumers with a method through which the consumer can contact the Attorney General to submit a complaint. Id.

The CTPA sets detailed requirements for contracts between controllers and processors, generally following the precedent set by the VCDPA and ColoPA. CTPA § 7(b). Like the VCDPA and ColoPA, the CTPA adopts an audit requirement, which obligates processors to make available all information necessary for the controller to confirm the processor’s compliance with the law. Under the CTPA, processors must give controllers an opportunity to object before the processor engages a subcontractor to process consumer data, and processors may engage subcontractors only pursuant to contracts that impose on the subcontractor all of the obligations of the processor with respect to consumers’ data. These requirements mirror ColoPA’s subcontractor contract requirements.

Bottom Line: Controllers and processors are subject to similar obligations under CTPA as other state privacy laws, though nuances such as the length of time given to respond to consumer appeals vary.

Enforcement

The CTPA gives enforcement authority to the state’s Attorney General without any private right of action. CTPA § 11. Violations of the CTPA constitute unfair trade practices under Connecticut law. While private rights of action are generally available under the Connecticut Unfair Trade Practices Act, the Attorney General has the sole right to prosecute unfair trade practices based on the CTPA. If the Attorney General successfully prosecutes a CTPA violation, a court may impose a number of penalties, including restraining orders and fines. Despite granting the Attorney General exclusive authority to enforce the CTPA, the law does not give the Attorney General any rule-making authority.

From July 1, 2023 through December 31, 2024, the Attorney General must give notice and a 60-day opportunity to cure before initiating an enforcement action, unless the Attorney General determines that the violation cannot be cured. CTPA § 11(b). As of January 1, 2025, the CTPA will not require the Attorney General to provide notice and a right to cure. Rather, the CTPA vests the Attorney General with the prosecutorial discretion to provide an opportunity to cure. CTPA § 11(c). The CTPA sets out a number of factors for the Attorney General to consider when deciding whether to provide an opportunity to cure, including the likelihood of injury to the public and whether the violation was likely caused by human or technical error. Id.

Connecticut’s choice to sunset its right to cure aligns with California and Colorado. As such, an opportunity to coordinate joint enforcement actions between the attorneys general of California, Colorado, and Connecticut is on the horizon. It seems plausible that in at least some instances, these attorneys general will pool their resources, as this is an approach taken in other areas of the law.

Bottom Line: While controllers and processors won’t have to face private actions, the Attorney General is vested with significant discretion to enforce the CTPA.

Task Force

The CTPA concludes by establishing a task force to investigate various aspects of data privacy and security. CTPA § 12. Notably, the task force is set to investigate algorithmic decision-making and make recommendations aimed at reducing the risk of bias in such processing. CTPA § 12(a)(2). We discussed the ways that companies can reduce regulatory and reputational artificial intelligence (“AI”) risks in this post, part of our four-part series on the future of AI regulation.

The task force will also consider possible expansions to the CTPA. CTPA § 12(a)(6). A report is due on January 1, 2023, six months before the law goes into effect.

***

Controllers and processors that fall within the scope of the CTPA should work towards compliance with its provisions and keep an eye out for any changes before the law takes effect.

With yet another state privacy law that does not completely align with the data regulations of other states, companies will need to reassess whether to take a highest-common-denominator approach or a state-by-state approach for their overall privacy compliance program.


Comprehensive State Privacy Laws: Consumer Rights Comparison

The comparison covers the CCPA, CPRA, VCDPA, ColoPA, UCPA, and CTPA across the following rights: know/access; correct; delete; opt-out of sales/sharing/targeted advertising; opt-out of certain profiling/automated decision-making; opt-in for sales/sharing/targeted advertising for minors; portability; non-discrimination; consent to processing of “sensitive personal information” (defined differently by each state privacy law); and opt-out of processing of “sensitive personal information” (defined differently by each state privacy law). Where the entries differ by state, the table reads:

                                   CCPA      CPRA                                  VCDPA                         ColoPA                        UCPA                          CTPA
Opt-out scope                      Selling   Selling/Sharing/Targeted Advertising  Selling/Targeted Advertising  Selling/Targeted Advertising  Selling/Targeted Advertising  Selling/Targeted Advertising
Opt-in required for minors (age)   Up to 16  Up to 16                              Up to 13                      Up to 13                      Up to 13                      Up to 16
Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising on AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.

Author

Michael R. Roberts is a senior associate in Debevoise & Plimpton’s global Data Strategy and Security Group and a member of the firm’s Litigation Department. His practice focuses on privacy, cybersecurity, data protection and emerging technology matters. He can be reached at mrroberts@debevoise.com.

Author

Andres Gutierrez is an associate in the Litigation Department. He can be reached at asgutierrez@debevoise.com.

Author

Alessandra G. Masciandaro is an associate in the Litigation Department. She can be reached at amasciandaro@debevoise.com.