Support Centre

Connecticut

Summary

Law: Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA')

Regulator: The Connecticut Attorney General ('AG')

Summary: On 10 May 2022, the Connecticut State Governor signed Senate Bill 6 for an Act Concerning Personal Data Privacy and Online Monitoring into law, thereby enacting the CTDPA which is due to take effect on 1 July 2023. The CTDPA introduces various new consumer rights such as access, rectification, deletion, portability, and the right to opt out of targeted advertising, sale of personal data, and profiling. Furthermore, the CTDPA outlines various controller and processor responsibilities and provides the AG with enforcement powers.

Additionally, Connecticut has enacted §36a-701b of Title 36A the Connecticut General Statutes ('Conn. Gen. Stat.') ('the Data Breach Law'), regulating data breach notification requirements, and Conn. Gen. Stat. §42-471 ('the Personal Information Safeguarding Law'). The Personal Information Safeguarding Law regulates and protects both paper and electronic information, requiring any person who possesses the personal information to implement reasonable security measures to safeguard the personal information. Both the Data Breach Law and the Personal Information Safeguarding Law are regulated and enforced by the Privacy and Data Security Department of the AG.

Insights

On June 2, 2023, the Connecticut legislature passed Senate Bill 3, An Act Concerning Online Privacy, Data and Safety Protections, which was later issued as Public Act 23-56 (the Act). This wide-ranging new bill imposes an array of new requirements concerning access to and sharing of health data, geo-fencing, social media platforms, and online dating operators. The Act also makes revisions to the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA), the state's new comprehensive consumer data privacy law that comes into effect July 1, 2023. William J. Roberts, Stephanie M. Gomes-Ganhão, and Colton J. Kopcik, from Day Pitney LLP, summarize the Act's key points relating to consumer healthcare data, children's online safety, and online dating operators.

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws, whereas part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms.

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms, whereas part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws.

Just as the Gramm-Leach-Bliley Act of 1999 ('GLBA') permits US states to extend greater protections than afforded by the same, states can also choose to exempt GLBA-regulated entities from compliance with state privacy statutes. In this Insight article, David Zetoony and Jena Valdetero, from Greenberg Traurig LLP, discuss how the California Consumer Privacy Act of 2018 ('CCPA') and the California Privacy Rights Act of 2020 ('CPRA') apply to financial institutions, whilst also drawing comparisons to other state privacy statutes' exemptions for financial institutions.

The Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') was signed on 10 May 2022, entering into effect on 1 July 2023. OneTrust DataGuidance Research answers frequently asked questions ('FAQs') surrounding the CTDPA.

Over the past few months, there has been an increased interest in consumer privacy laws across the US, with the states of Virginia, Utah, Colorado, California, and Connecticut having recently enacted comprehensive privacy legislation that will enter into effect in 2023. The enactment of these laws means that organisations in the US are subject to new privacy obligations, while consumers welcome their elevated data protection rights, aimed at better protecting consumer privacy.

Both the California Privacy Rights Act of 2020 ('CPRA') and the Virginia Consumer Data Protection Act ('CDPA') will come into force on 1 January 2023. The Colorado Senate Bill 21-190 for the Colorado Privacy Act ('CPA') and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') will take effect on 1 July 2023, whereas the Utah Consumer Privacy Act ('UCPA') will enter into force on 31 December 2023. Though the aforementioned laws do not expressly refer to the use of cookies, many of their requirements (for example, in relation to disclosure) apply to the use of cookies – and organisations should therefore familiarise themselves with these requirements.

In this Insight article1, we examine the convergences and divergences between the privacy laws of Virginia, Utah, Colorado, California, and Connecticut where they affect cookies, with a view to mapping out a possible harmonised approach to compliance.

On 10 May 2022, Connecticut became the fifth state to enact broad consumer data privacy legislation when Connecticut Governor Ned Lamont signed Senate Bill 6 - the Connecticut Data Privacy Act ('CTDPA'). David M. Stauss and Shelby E. Dolen, from Husch Blackwell LLP, provide an overview of the CTDPA and draw comparisons between the bill and other state privacy laws in California, Colorado, Virginia, and Utah.

On 10 May 2022, the Connecticut State Governor signed Senate Bill 6, thereby enacting the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') and making Connecticut the fifth State in the US to pass a comprehensive privacy law, joining the likes of California, Colorado, Utah, and Virginia. In particular, the CTDPA provides several privacy rights for consumers, establishes obligations on data controllers, and assigns enforcement powers to the Attorney General ('AG'). OneTrust DataGuidance addresses some of the key requirements introduced by the CTDPA that organisations will have to keep in mind in the operationalisation of their privacy program.

Connecticut's state law on data breaches is set for an update, bringing it more in line with modern legal standards in this regard. William J. Roberts, Partner at Day Pitney LLP, discusses the updates to Connecticut's legal framework and their impact. 

House Bill ('HB') 6607 for an Act Incentivizing the Adoption of Cybersecurity Standards for Businesses entered, on 24 June 2021, into law without signature by Governor Ned Lamont and establishes an exemption for businesses facing penalties as a result of a data breach.