The CTDPA introduces a range of new consumer rights and obligations for controllers and processors.

The CTDPA will introduce new rights for consumers, as well as a number of and obligations for companies, including requirements:

• surrounding the provision of a privacy notice;
• to conduct a data protection assessment in certain circumstances;
• of data controllers to contract with data processors; and
• to obtain opt-in consent for the processing of sensitive data.

When will the CTDPA come into effect?

The key dates that companies should be aware of are:

• 1 July 2023 - which is when the CTDPA becomes effective;
• 31 December 2024 - which is the last date of the enforcement grace period; and
• 1 January 2025 - which is when companies will need to have controls in place to collect consent and respond to consumer opt-out requests.

During the grace period beginning on 1 July 2023 and ending on 31 December 2024, the Connecticut Attorney General ('AG') shall, before initiating any action for a violation of the act, issue a notice of violation to the controller if the AG determines a solution is possible.

What organisations will the CTDPA affect?

The CTDPA will apply to businesses in Connecticut that produce products or services that are targeted to residents of Connecticut and that, during the preceding calendar year, either:

• controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
• controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

'Consumer' is defined in the CTDPA to mean Connecticut residents not acting in a commercial or employment context.

Organisations which are subject to the Health Insurance Portability and Accountability Act of 1996 ('HIPPA') and the Gramm-Leach Bliley Act of 1999, alongside non-profits, are not subject to the provisions of the CTDPA. The CTDPA contains further exemptions which must be reviewed by organisations on a case-by-case basis.

What consumer rights will the CTDPA introduce?

• Right of access - which allows consumers to confirm whether or not a controller is processing their personal data, and to access such personal data, unless such confirmation or access would require the controller to reveal a trade secret.
• Right of rectification - which allows consumers to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of this personal data.
• Right of deletion - which allows consumers to delete personal data which they have previously provided.
• Right of data portability - which allows consumers to obtain a copy of their personal data which is processed by the controller, and to obtain this data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided that such controller shall not be required to reveal any trade secret.
• Right to opt out - which allows consumers to opt out of the processing of their personal data for:
  • purposes of targeted advertising;
  • the sale of personal data, except for in certain circumstances as outlined in Section 6(b) of the CTDPA; or
  • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Are there requirements regarding privacy notices?

Further to the above rights, the CTDPA provides that a controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice which includes:

• the categories of personal data processed by the controller;
• the purpose for processing personal data;
• how consumers may exercise their consumer rights, including how to appeal a controller's decision with regard to their request;
• the categories of personal data that the controller shares with third parties, if any;
• the categories of third parties, if any, with which the controller shares personal data; and
• an active electronic mail address or other online mechanism that the consumer may use to contact the controller.

What are the main processing obligations?

The CTDPA lays out a series of obligations for controllers including in relation to:

• data minimisation - requiring controllers to limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;
• purpose limitation - requiring controllers not to process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;
• security - requiring controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue;
• sensitive personal data - requiring controllers not to process sensitive data concerning a consumer without obtaining the consumer's consent (see below for further information on sensitive data);
• minor's data – requiring controllers, in the case of minor's sensitive personal data, to process such data in accordance with the California Online Privacy Protection Act, and namely obtain opt-in consent from children under the age of 16 before selling their personal data or using it for targeted advertising;
• revoking consent - requiring controllers to provide an effective mechanism for a consumer to revoke consent, that is at least as easy as the mechanism for providing consent, and to cease processing the data within 15 days of receiving a revocation request;
• state laws - requiring controllers not to process personal data in violation of federal and state anti-discrimination laws; and
• data processing contracts - requiring controllers to enter into a contract with processors, which shall govern the processor's data processing procedures with respect their processing performed on behalf of the controller (see below for further information on contracts).

How is the sale of personal data defined?

The CTDPA provides that the 'sale of personal data' means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. However, this does not include:

• the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
• the disclosure of personal data to a third party for purposes of providing a product or service requested by the customer;
• the disclosure or transfer of personal data to an affiliate of the controller;
• the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;
• the disclosure of personal data that the consumer:
  • intentionally made available to the general public via a channel of mass media; and
  • did not restrict to a specific audience; or
• the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction, in which the third party assumes control of all or part of the controller's assets.

What activities are considered as profiling?

Under the CTDPA, 'profiling' means any form of automated processing performed on personal data to evaluate, analyse, or predict personal aspects related to an identified or identifiable individuals' economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

Consumers have the right, under the CTDPA, to opt-out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

In addition, controllers are required to conduct and document a data protection assessment for each of their processing activities that presents a heightened risk of harm to a consumer. The CTDPA provides a list of such activities which includes the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of:

• unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
• financial, physical, or reputational injury to consumers;
• a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
• other substantial injury to consumers.

What constitutes sensitive data?

'Sensitive data' is defined under the CTDPA as personal data which includes:

• data revealing racial or ethnic origin, religious beliefs, mental, or physical health condition or diagnosis, sex life, sexual orientation, citizenship, or immigration status;
• the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
• personal data collected from a known child; or
• precise geolocation data.

As noted above, the CTDPA outlines that a controller shall not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing data in accordance with the Children's Online Privacy Protection Act of 1998 ('COPPA').

In addition, controllers are required to conduct and document a data protection assessment for each of their processing activities that presents a heightened risk of harm to a consumer. The CTDPA provides a list of such activities which includes the processing of sensitive data.

How is employee data treated?

The CTDPA specifies that 'consumer' does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, non-profit, or government agency.

The CTDPA, like other US state laws, exempts information and data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role, from Sections 1 to 11 of the CTDPA.

Under what circumstances do data protection assessment need to be conducted?

The CTDPA outlines that controllers must conduct a data protection assessment for controller's processing activities which present a heightened risk of harm to consumers. This includes processing where:

• the processing of personal data is for the purpose of targeted advertising;
• the sale of personal of personal data;
• the processing is for the purpose of profiling, where the profiling represents a reasonably foreseeable risk of:
  • unfair or deceptive treatment of, or unlawful disparate impact on, consumer;
  • financial, physical, or reputational injury to consumer;
  • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumer, where such intrusion would be offensive to a reasonable person; or
  • other substantial injury to consumers; and
• the processing concerns sensitive data.

What do data protection assessments need to consider?

The CTDPA provides that data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with such processing, as mitigated safeguards that can be used by the controller to reduce such risks.

Controllers must also take account of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and relationship between the controller and consumer whose personal data will be processed.

What should data processing contracts include?

The CTDPA mandates that processors must adhere to the instructions of a controller and assist the controller in meeting their obligations. Contracts between controllers and processors must require processors to:

• ensure that each person is subject to a duty of confidentiality with respect to the data;
• at the controller's direction, delete and return all personal data to the controller as requested at the end of the provision of service, unless the retention of personal data is required by law;
• on reasonable request by the controller, make available all information necessary to demonstrate processor compliance;
• after providing controllers with an opportunity to object, engage any subcontractor with a written contract with the same obligations of the processor; and
• allow and cooperate with reasonable assessments by the controller or designated successor, when conducting an assessment of the processor's policies and technical and organisational measures.

Who is the regulator?

The CTDPA grants enforcement authority to the Connecticut AG's office, although the CTDPA does not create a private right of action. In addition, the CTDPA does not grant the Connecticut AG rulemaking authority.

Are there any provisions governing enforcement?

The CTDPA notes that, if a controller fails to rectify a violation within 60 days of receiving notification of the violation (the cure period), the Connecticut AG may initiate an enforcement action.

Will the CTDPA impact federal privacy regulation?

The CTDPA amends Connecticut legislation and does not directly impact federal legislation.

Harry Chambers Senior Privacy Analyst
[email protected]