Connecticut - Data Protection Overview

April 2024

1. Governing Texts

On May 10, 2022, the Connecticut Governor signed Senate Bill ('SB') 6, An Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA'), making Connecticut the fifth US state to enact comprehensive privacy legislation. The CTDPA establishes consumer rights to access, correction, deletion, and portability, as well as the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. The CTDPA also establishes various controller and processor obligations and privacy notice requirements, and grants the Connecticut Attorney General ('AG') exclusive authority to enforce its provisions. The CTDPA entered into effect on July 1, 2023.

On June 12, 2023, the CTDPA was amended by SB 3, An Act Concerning Online Privacy, Data and Safety Protections ('the Act'). The Act introduces requirements regarding the protection of minors and of consumer health data.

Sections 6 and 17 of the Act took effect on July 1, 2023; Sections 1 to 5 on October 1, 2023; Sections 14 and 15 on January 1, 2024; Section 7 on July 1, 2024; and Sections 8 to 13 on October 1, 2024.

This Guidance Note provides an overview of the CTDPA as amended by the Act.

1.1. Key acts, regulations, directives, bills

  • the CTDPA
  • the Act

1.2. Guidelines

The AG has issued FAQs on the CTDPA.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The CTDPA applies to any controller or processor that conducts business in the state, or produces a product or service that is targeted to consumers who are residents of the state, and that during the preceding calendar year satisfied one or more of the following thresholds (§2-(1) and (2) of the CTDPA):

  • controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of gross revenue from the sale of personal data.

However, the CTDPA does not apply to, among others (§3-(a) of the CTDPA):

2.2. Territorial scope

The CTDPA applies to controllers or processors who conduct business in the State of Connecticut or produce a product or service that is targeted to consumers who are residents of Connecticut (§2-(1) of the CTDPA).

2.3. Material scope

The CTDPA applies to the personal data of consumers, defined as any information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data and publicly available information (§1-(18) of the CTDPA).

The CTDPA does not apply to, among other things (§3-(b) of the CTDPA):

In addition, the CTDPA does not apply to any person's processing of personal data in the course of such person's purely personal or household activities (§10-(e)-(2) of the CTDPA).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The AG is the regulator of the CTDPA.

3.2. Main powers, duties and responsibilities

The AG has exclusive authority to enforce the CTDPA (§11-(a) of the CTDPA). Furthermore, not later than February 1, 2024, the AG must submit a report to the joint standing committee of the General Assembly having cognizance of matters relating to general law disclosing:

  • the number of notices of violation the Attorney General has issued;
  • the nature of each violation;
  • the number of violations that were cured during the 60-day cure period; and
  • any other matter the AG deems relevant for the purposes of such report (§11-(b) of the CTDPA).

Lastly, not later than September 1, 2022, the chairpersons of the joint standing committee of the General Assembly were required to convene a task force to study (§12-(a) of the CTDPA):

  • information sharing among health care providers and social care providers and make recommendations to eliminate health disparities and inequities across sectors;
  • algorithmic decision-making and make recommendations concerning the proper use of data to reduce bias in such decision-making;
  • possible legislation that would require an operator, as defined in the Children's Online Privacy Protection Act of 1998 ('COPPA'), to, upon a parent's request, delete the account of a child and cease to collect, use, or maintain, in retrievable form, the child's personal data on the operator's Internet web site or online service directed to children, and provide parents with an accessible, reasonable and verifiable means to make such a request;
  • any means available to verify the age of a child who creates a social media account;
  • issues concerning data colocation;
  • possible legislation that would expand the provisions of the CTDPA; and
  • other topics concerning data privacy.

Furthermore, the Act establishes the Connecticut Internet Crimes Against Children Task Force within the Division of Scientific Services, consisting of affiliate law enforcement agencies in the State. The task force will use State and Federal money appropriated to it in a manner consistent with its duties.

4. Key Definitions

Data controller: A person who, alone or jointly with others, determines the purpose and means of processing personal data (§1-(11) of the CTDPA).

Data processor: A person who processes personal data on behalf of a controller (§1-(21) of the CTDPA).

Personal data: Information that is linked or reasonably linkable to an identified individual or an identifiable individual, and does not include deidentified data, aggregated data, or publicly available information (§1-(26) of the CTDPA).

Sensitive data: Personal data that includes (§1-(38) of the CTDPA):

  • data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status;
  • consumer health data;
  • the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
  • personal data collected from a known child;
  • data concerning an individual's status as a victim of crime; or
  • precise geolocation data.

Health data: The CTDPA does not expressly define 'health data', but instead refers to 'consumer health data', which means any personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data (§1-(9) of the CTDPA).

Biometric data: Data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or any other unique biological pattern or characteristic that is used to identify a specific individual (§1-(3) of the CTDPA).

'Biometric data' does not, however, include (§1-(4) of the CTDPA):

  • a physical or digital photograph;
  • a video or audio recording; or
  • data generated from a physical or digital photograph or a video or audio recording, unless such data is generated to identify a specific individual.

Pseudonymization: The CTDPA does not define 'pseudonymization' but instead defines 'pseudonymous data' as personal data that cannot be attributed to a specific individual without the use of additional information, provided such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual (§1-(32) of the CTDPA).

Data subject: The CTDPA does not expressly define 'data subject', but instead refers to 'consumers' which is defined as an individual who is a resident of Connecticut. However, consumer does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, non-profit or government agency (§1-(8) of the CTDPA).

5. Legal Bases

The CTDPA notes that personal data processed by a controller or consumer health data controller for a purpose authorized under §10 of the CTDPA may be processed only to the extent that such processing is (§10-(f) of the CTDPA):

  • reasonably necessary and proportionate to the purposes listed in §10;
  • adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in §10;
  • where the processing is carried out pursuant to §10-(b), mindful of the nature and purposes of such collection, use, or retention; and
  • subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.

Where a controller or consumer health data controller processes personal data pursuant to an exemption in §10 of the CTDPA, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements of §10-(f) (§10-(g) of the CTDPA).

5.1. Consent

The CTDPA defines 'consent' as an affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer (§1-(6) of the CTDPA). Consent may include a written statement, including by electronic means, or any other unambiguous affirmative action (§1-(6) of the CTDPA).

Notably, consent does not include (§1-(7) of the CTDPA):

  • acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
  • hovering over, muting, pausing, or closing a given piece of content; or
  • agreement obtained through the use of dark patterns.

Furthermore, the controller must provide an effective mechanism for a consumer to revoke their consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request (§6-(a)-(6) of the CTDPA).

The CTDPA also notes that controllers are deemed to be in compliance with any obligation to obtain parental consent under the CTDPA if they comply with the verifiable parental consent mechanisms under COPPA and its implementing regulations and exemptions (§3-(c) of the CTDPA).

5.2. Contract with the data subject

The CTDPA does not expressly provide that personal data can be processed for the performance of a contract with a data subject.

However, the CTDPA states that its requirements do not restrict a controller's, consumer health data controller's, or processor's ability to perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty and taking steps at the request of a consumer prior to entering into a contract (§10-(a)-(6) and (7) of the CTDPA).

Moreover, the CTDPA's requirements do not restrict a controller's, consumer health data controller's, or processor's ability to collect, use, or retain personal data to perform an internal operation that is reasonably aligned with the consumer's expectations based on their existing relationship with the controller, or that is otherwise compatible with processing to aid the controller or processor in providing a product or service specifically requested by a consumer or in performing a contract to which the consumer is a party (§10-(b)-(4) of the CTDPA).

5.3. Legal obligations

The CTDPA does not expressly provide that personal data can be processed based on legal obligations.

However, the CTDPA provides that its requirements do not restrict a controller, consumer health data controller, or processor's ability to among others (§10-(a)-(1) to (4) of the CTDPA):

  • comply with a federal, state, or local law, rule, or regulation;
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental entity;
  • cooperate with a law enforcement agency concerning activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; or
  • investigate, establish, exercise, prepare for, or defend a legal claim.

Moreover, the obligations imposed on controllers, consumer health data controllers, or processors under the CTDPA do not apply where compliance would violate an evidentiary privilege under Connecticut law. Importantly, nothing in the CTDPA may be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Connecticut law as part of a privileged communication (§10-(e) of the CTDPA).

5.4. Interests of the data subject

The CTDPA does not expressly provide that personal data can be processed based on the interests of the data subject.

However, the CTDPA states that nothing in it shall be construed to (§10-(e) of the CTDPA):

Additionally, the CTDPA provides that its requirements do not restrict a controller, consumer health data controller, or processor's ability to take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual, and the processing cannot be manifestly based on another legal basis (§10-(a)-(8) of the CTDPA).

5.5. Public interest

The CTDPA provides that its requirements do not restrict a controller, consumer health data controller, or processor's ability to process personal data for reasons of public interest in the area of public health, community health, or population health, but solely to the extent that such processing is (§10-(a)-(12) of the CTDPA):

  • subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and
  • under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.

In addition, nothing in the CTDPA restricts the ability of controllers, consumer health data controllers, or processors to engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or a similar independent oversight entity, that determines (§10-(a)-(10) of the CTDPA):

  • if the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
  • the expected benefits of the research outweigh the privacy risks; and
  • if the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification.

5.6. Legitimate interests of the data controller

The CTDPA does not expressly provide that personal data can be processed based on the legitimate interest of the data controller.

However, the CTDPA provides that its requirements do not restrict a controller, or consumer health data controller, or processor's ability to detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity, or to investigate, report, or prosecute a person responsible for any of the aforementioned actions, as well as assist another controller, processor or third party with any of the obligations under the CTDPA (§10-(a)-(9) and (11) of the CTDPA).

5.7. Legal bases in other instances

The obligations imposed on controllers, consumer health data controllers, and processors under the CTDPA do not restrict a controller's or processor's ability to collect, use, or retain data for internal use to (§10-(b) of the CTDPA):

  • conduct internal research to develop, improve, or repair products, services, or technology;
  • effectuate a product recall; or
  • identify and repair technical errors that impair existing or intended functionality.

6. Principles

The CTDPA provides for the following principles (§6-(a)-(1) to (3) of the CTDPA):

Data minimization: Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.

Purpose limitation: Controllers must not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes disclosed to the consumer, unless the controller obtains the consumer's consent.

Confidentiality and integrity: Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the personal data at issue.

Moreover, personal data must not be processed in violation of the laws of Connecticut and US federal laws that prohibit unlawful discrimination against consumers (§6-(a)-(5) of the CTDPA).

7. Controller and Processor Obligations

De-identified data and pseudonymous data

In particular, a controller processing de-identified data must (§9-(a) of the CTDPA):

  • take reasonable measures to ensure the data cannot be associated with an individual;
  • publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
  • contractually obligate recipients of the de-identified data to comply with all provisions of the CTDPA.

In addition, the CTDPA clarifies that it must not be construed to require a controller or processor to (Section 10(2) of the Act):

  • re-identify de-identified data or pseudonymous data;
  • maintain data in identifiable form; or
  • collect, obtain, retain, or access any data or technology that is capable of associating an authenticated consumer request with personal data.

Lastly, a controller that discloses pseudonymous data or de-identified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data is subject and shall take appropriate steps to address any breaches of those contractual commitments (§9-(e) of the CTDPA).

Online dating operators

Each online dating operator that offers services to Connecticut users must maintain an online safety center, which must be reasonably designed to provide Connecticut users with resources concerning safe dating. Each online safety center must provide:

  • an explanation of the online dating operator's reporting mechanism for harmful or unwanted behavior;
  • safety advice for use when communicating online and meeting in person;
  • a link to an internet website or a telephone number where a Connecticut user may access resources concerning domestic violence and sexual harassment; and
  • educational information concerning romance scams.

Importantly, each online dating operator that offers services to Connecticut users must adopt a policy for the online dating platform's handling of harassment reports by or between users.

The above entered into effect on January 1, 2024.

7.1. Data processing notification

The CTDPA does not expressly provide for data processing notification requirements.

7.2. Data transfers

The CTDPA does not expressly provide for requirements for cross-border data transfer.

The CTDPA does, however, regulate the 'sale' of personal data, meaning the exchange of personal data for monetary or other valuable consideration by the controller to a third party. Importantly, the sale of personal data does not include:

  • the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • the disclosure or transfer of personal data to an affiliate of the controller;
  • the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;
  • the disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience; or
  • the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction, in which the third party assumes control of all or part of the controller's assets.

Furthermore, a controller or processor that discloses personal data to a processor or third-party controller in accordance with the CTDPA is not deemed to have violated the CTDPA if the recipient processor or third-party controller then violates it, provided that at the time of disclosure the disclosing controller or processor did not have actual knowledge that the recipient would do so (§10-(d) of the CTDPA). Likewise, a third-party controller or processor that receives personal data from a controller or processor in compliance with the CTDPA is not in violation for the transgressions of the controller or processor from which it received the data (§10-(d) of the CTDPA).

7.3. Data processing records

The CTDPA does not expressly provide for record-keeping requirements.

However, controllers are required to document data protection assessments ('DPAs'); please see the section on DPAs below.

7.4. Data protection impact assessment

The CTDPA provides that a controller must conduct and document a DPA for each of the controller's processing activities that presents a heightened risk of harm to a consumer (§8-(a) of the CTDPA). Processing that presents a heightened risk of harm to a consumer includes (§8-(a) of the CTDPA):

  • the processing of personal data for the purposes of targeted advertising;
  • the sale of personal data;
  • the processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of:
    • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • financial, physical, or reputational injury to consumers;
    • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
    • other substantial injury to consumers; and
  • the processing of sensitive data.

DPA requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive (§8-(f) of the CTDPA). A single DPA may address a comparable set of processing operations that include similar activities (§8-(d) of the CTDPA). Moreover, where a controller conducts a DPA for the purpose of complying with another applicable law or regulation, that DPA is deemed to satisfy the requirements above if it is reasonably similar in scope and effect to the DPA that would otherwise be conducted pursuant to the CTDPA (§8-(e) of the CTDPA).

In addition, DPAs conducted pursuant to the CTDPA must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that the controller can employ to reduce such risks (§8-(b) of the CTDPA). The controller must factor into any such DPA the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed (§8-(b) of the CTDPA).

A controller must make the DPA available to the AG upon request. The AG may evaluate the assessment for compliance with the duties contained in §1 to 11 of the CTDPA.

DPAs are confidential and exempt from public inspection and copying under §1-200 to 1-242 of Chapter 14 of Title 1 of the Connecticut General Statutes (the Freedom of Information Act). Moreover, to the extent any information contained in a DPA disclosed to the AG includes information subject to attorney-client privilege or work product protection, such disclosure does not constitute a waiver of such privilege or protection (§8-(c) of the CTDPA).

Minors

Under the Act, a controller that offers an online service, product, or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors must conduct a DPA for such online service, product, or feature (§10-(a) of the Act). The DPA must be conducted in a manner that is consistent with the requirements above and must address (§10-(a) of the Act):

  • the purpose of such online service, product, or feature;
  • the categories of minors' personal data that such online service, product, or feature processes;
  • the purposes for which such controller processes minors' personal data with respect to such online service, product, or feature; and
  • any heightened risk of harm to minors that is a reasonably foreseeable result of offering such online service, product, or feature to minors.

Where a controller conducts a DPA and determines that the online service, product, or feature that is the subject of such assessment poses a heightened risk of harm to minors, the controller must establish and implement a plan to mitigate or eliminate such risk (§10-(e) of the Act). Each controller that conducts a DPA must review it as necessary to account for any material change to the processing operations of the online service, product, or feature concerned, and must maintain documentation concerning the DPA for the longer of the three-year period beginning on the date on which such processing operations cease or the period during which the controller offers such online service, product, or feature (§10-(b) of the Act).

In line with general DPAs, a single DPA may address a comparable set of processing operations that include similar activities. In addition, where a controller conducts a DPA for the purpose of complying with another applicable law or regulation, that DPA is deemed to satisfy the requirements of this section if it is reasonably similar in scope and effect to the DPA that would otherwise be conducted pursuant to the Act (§10-(c) and (d) of the Act).

The above will enter into effect on October 1, 2024.

7.5. Data protection officer appointment

The CTDPA does not expressly address data protection officer appointments.

7.6. Data breach notification

The CTDPA does not provide for breach notification requirements. 

However, processors are required to assist the controller in meeting their obligations, including obligations related to the security of processing personal data and notification of a breach of security system under §36a-701b of Chapter 669 of Title 36a of the Connecticut General Statutes (§7-(a)-(2) of the CTDPA). 

For further information see Connecticut – Data Breach Notification.

7.7. Data retention

The CTDPA does not explicitly address data retention. 

7.8. Children's data

Controllers, consumer health data controllers, and processors that comply with the verifiable parental consent requirements of COPPA are deemed compliant with any obligation to obtain parental consent pursuant to the CTDPA (§3-(c) of the CTDPA). A controller must not discriminate against a consumer for exercising any of the consumer rights, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services (§6-(a)-(7) of the CTDPA). This must not be construed to require a controller to provide a product or service that requires personal data of a consumer which the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program (§6-(b) of the CTDPA).

In addition, a controller must not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data, without the consumer's consent where the controller has actual knowledge, and wilfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age (§6-(a)-(7) of the CTDPA). In the case of processing personal data concerning a known child, the parent or legal guardian of the known child has the authority to exercise a right on the child's behalf (§4-(b) of the CTDPA). In the case of processing personal data concerning a consumer subject to a guardianship, conservatorship, or other protective arrangement, the guardian or the conservator of the consumer may exercise such rights on the consumer's behalf (§4-(b) of the CTDPA).

Please note that 'child' has the same meaning as provided in COPPA (an individual under 13 years of age), and personal data collected from a known child is 'sensitive data'; therefore, personal data collected from an individual the controller knows is under 13 years old must be processed in accordance with COPPA (§1-(5), §1-(27), and §6-(a)-(4) of the CTDPA).

Under the Act, minor means any consumer who is younger than 18 years of age (§7-(3) of the Act). In addition, subject to the consent requirement established in §9-(b)(3) of the Act, no controller that offers any online service, product, or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors shall process any minor's personal data for the purposes of (i) targeted advertising; (ii) any sale of personal data; (iii) profiling in furtherance of any fully automated decision made by such controller that produces any legal or similarly significant effect concerning the provision or denial by such controller of any financial or lending services, housing, insurance, education enrolment or opportunity, criminal justice, employment opportunity, health care services, or access to essential goods or services unless certain exceptions apply (§9-(b)(1) of the Act).

Furthermore, §9-(b)(2) of the Act establishes requirements regarding the collection of precise geolocation data, and the Act provides that no controller may engage in the activities described in §9-(b)(1) and (2) of the Act unless the controller obtains the minor's consent or, if the minor is younger than 13 years of age, the consent of such minor's parent or legal guardian. A controller that complies with the verifiable parental consent requirements established in COPPA, and the regulations, rules, guidance, and exemptions adopted pursuant to COPPA, as may be amended from time to time, will be deemed to have satisfied any requirement to obtain parental consent under the Act (§9-(b)(3) of the Act).

On consent, the Act clarifies that no controller that offers any online service, product, or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors shall:

  1. provide any consent mechanism that is designed to substantially subvert or impair, or is manipulated with the effect of substantially subverting or impairing, user autonomy, decision-making, or choice; or
  2. offer any direct messaging apparatus for use by minors without providing readily accessible and easy-to-use safeguards to limit the ability of adults to send unsolicited communications to minors with whom they are not connected.

The Act provides an exception to point two for any online service, product, or feature whose predominant or exclusive function is: electronic mail; or direct messaging consisting of text, photos, or videos that are sent between devices by electronic means, where messages are shared between the sender and the recipient, are only visible to the sender and the recipient, and are not publicly posted.

Social media

In relation to social media, not later than 15 business days after a social media platform receives a request from a minor or, if the minor is younger than 16 years of age, from such minor's parent or legal guardian to unpublish such minor's social media platform account, the social media platform must unpublish such minor's social media platform account (§7-(6)(b)(1) of the Act).

Please note the above on social media platforms will enter into effect on July 1, 2024.

Enforcement

In addition, each controller that offers any online service, product, or feature to consumers and has actual knowledge, or wilfully disregards, that a consumer is a minor must use reasonable care to avoid any heightened risk of harm to minors caused by such online service, product, or feature. In any enforcement action brought by the AG pursuant to Section 13 of the Act, there is a rebuttable presumption that the controller used reasonable care as required if the controller complied with the provisions of Section 10 of the Act concerning DPAs.

7.9. Special categories of personal data

Under §6-(a)-(4) of the CTDPA, and except as otherwise provided in the CTDPA, a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA.

In addition, a controller must conduct and document a DPIA for each of the controller's processing activities which include the processing of sensitive data (§8-(a)-(4) of the CTDPA).

7.10. Controller and processor contracts

A contract must be in place between controllers and processors as well as subcontractors.

Specifically, before a processor performs processing on behalf of a controller, they must enter into a binding contract that clearly sets forth (§7-(b) of the CTDPA):

  • instructions for processing personal data;
  • the nature and purpose of the processing;
  • the type of data subject to processing;
  • the duration of the processing; and
  • the rights and obligations of both parties.

Moreover, the contract shall:

  • require the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data;
  • at the controller's direction, require the processor to delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  • provide that, upon the reasonable request of the controller, the processor must make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations of the CTDPA;
  • establish that, after providing the controller an opportunity to object, the processor may engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and
  • provide for the processor to allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or provide that the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under the CTDPA, inclusive of using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request.

In addition, a processor must adhere to the instructions of a controller and assist the controller in meeting the controller's obligations under the CTDPA. Such assistance must include (§7-(a) of the CTDPA):

  • taking into account the nature of the processing and the information available to the processor, fulfilling, by appropriate technical and organizational measures and insofar as is reasonably practicable, the controller's obligation to respond to consumer rights requests;
  • taking into account the nature of the processing and the information available to the processor, assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and the notification of a breach of security of the processor's system; and
  • providing the information necessary to enable the controller to conduct and document DPAs.

Nothing above should be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship (§7-(c) of the CTDPA).

Furthermore, determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A person who is not limited in such person's processing of personal data pursuant to a controller's instructions, or who fails to adhere to such instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to enforcement action under the CTDPA (§7-(d) of the CTDPA).

8. Data Subject Rights

A controller must respond to the consumer without undue delay, but not later than 45 days after receipt of the request (§4-(c)-(1) of the CTDPA). The controller may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer's requests, provided the controller informs the consumer of any such extension within the initial 45-day response period and of the reason for the extension (§4-(c)-(1) of the CTDPA).

In addition, if a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision (§4-(c)-(2) of the CTDPA).

Fees

Information provided in response to a consumer request must be provided by a controller, free of charge, once per consumer during any 12-month period (§4-(c)-(3) of the CTDPA). If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request (§4-(c)-(3) of the CTDPA). The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request (§4-(c)-(3) of the CTDPA).

Authentication

If a controller is unable, using commercially reasonable efforts, to authenticate a request to exercise any of the rights afforded under §4-(a)-(1) to (4) of the CTDPA, the controller is not required to comply with the request and must notify the consumer that it is unable to authenticate the request until the consumer provides additional information reasonably necessary to authenticate the consumer and the request (§4-(c)-(4) of the CTDPA). A controller is not required to authenticate an opt-out request, but may deny an opt-out request if it has a good faith, reasonable, and documented belief that the request is fraudulent (§4-(c)-(4) of the CTDPA). If a controller denies an opt-out request on that basis, it must send a notice to the person who made the request disclosing that the controller believes the request is fraudulent, why it believes so, and that it will not comply with the request (§4-(c)-(4) of the CTDPA).

Social media

Where a social media platform is unable to authenticate a request, the social media platform will not be required to comply with such request, and must provide a notice to the consumer who submitted such request disclosing that such social media platform is unable to authenticate such request, and will not be able to authenticate such request until such consumer provides the additional information that is reasonably necessary to authenticate such request (§7-(6) – (c) of the Act).

Appeals

A controller must establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision (§4-(d) of the CTDPA). The appeal process must be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section (§4-(d) of the CTDPA). Not later than 60 days after receipt of an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions (§4-(d) of the CTDPA). If the appeal is denied, the controller must also provide the consumer with an online mechanism, if available, or other methods through which the consumer may contact the AG to submit a complaint (§4-(d) of the CTDPA).

Exemptions

Nothing in the CTDPA should be construed to require a controller or processor to comply with an authenticated consumer rights request if the controller (§9-(c) of the CTDPA):

  • is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;
  • does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
  • does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in the CTDPA.

Further, the consumer rights afforded (§4-(a)-(1) to (4) of the CTDPA) will not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information (§9-(d) of the CTDPA).

8.1. Right to be informed

Consumers have the right to confirm whether a controller is processing the consumer's personal data (§4-(a)-(1) of the CTDPA). Additionally, controllers are required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes (§6-(c) of the CTDPA):

  • the categories of personal data processed by the controller; 
  • the purpose for processing personal data;
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request;
  • the categories of personal data that the controller shares with third parties (if any); 
  • the categories of third parties, if any, with whom the controller shares personal data; and
  • an active electronic mail address or other online mechanisms that the consumer may use to contact the controller.

In addition, where the controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing (§6-(d) of the CTDPA).

Furthermore, a controller must establish, and describe in the privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to the CTDPA. Such means must take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to verify the identity of the consumer making the request (§6-(e) – (1) of the CTDPA). 

Social media

Specifically, social media platforms must establish, and describe in a privacy notice, one or more secure and reliable means for submitting a request. A social media platform that provides a mechanism for a minor or, if the minor is younger than 16 years of age, the minor's parent or legal guardian to initiate a process to delete or unpublish such minor's social media platform account is deemed to be in compliance with this subsection (§7-(6) – (b)(3) of the Act).

8.2. Right to access

A consumer has the right to confirm whether or not a controller is processing the consumer's personal data and to access such personal data, unless such confirmation or access would require the controller to reveal a trade secret (§4-(a)-(1) of the CTDPA).

8.3. Right to rectification

A consumer has the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data (§4-(a)-(2) of the CTDPA).

8.4. Right to erasure

A consumer has the right to delete personal data provided by, or obtained about, the consumer (§4-(a)-(3) of the CTDPA).

A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data by (§4-(a)-(3) of the CTDPA):

  • retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the controller's records and not using such retained data for any other purpose; or
  • opting the consumer out of the processing of such personal data for any purpose except for those exempted from the CTDPA.

Social media

In relation to social media, not later than 45 business days after a social media platform receives a request from a minor or, if the minor is younger than 16 years of age, from such minor's parent or legal guardian to delete such minor's social media platform account, the social media platform must delete such minor's social media platform account and cease processing such minor's personal data, except where the preservation of such minor's social media platform account or personal data is otherwise permitted or required by applicable law. A social media platform may extend the 45-business-day period by an additional 45 business days if such extension is reasonably necessary considering the complexity and number of the consumer's requests, provided the social media platform informs the minor (or, if the minor is younger than 16 years of age, the minor's parent or legal guardian) of the extension and the reason for it within the initial 45-business-day response period (§7-(6)(b)(2) of the Act).

Please note the above on social media platforms will enter into effect on July 1, 2024.

8.5. Right to object/opt-out

Consumers have the right to opt out of the processing of personal data for purposes of (§4-(a)-(5) of the CTDPA):

  • targeted advertising;
  • the sale of personal data except as provided in §6 of the CTDPA; or
  • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

A consumer may designate an authorized agent to exercise the consumer's rights to opt out of the processing of the consumer's personal data (§4-(b) of the CTDPA). The consumer may designate such authorized agent by way of, among other things, a technology, including, but not limited to, an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of such processing. A controller must comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf (§5-(b) of the CTDPA).

Among the secure and reliable means for consumers to submit a request to exercise their consumer rights, the CTDPA requires a controller to provide a clear and conspicuous link on the controller's Internet website to an Internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or sale of the consumer's personal data; and, not later than January 1, 2025, to allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology, or mechanism to the controller indicating such consumer's intent to opt out of any such processing or sale (§6-(e)-(1)-(A) of the CTDPA).

The abovementioned platform, technology or mechanism must (§6-(e)-(1)-(A)-(ii) of the CTDPA):

  • not unfairly disadvantage another controller;
  • not make use of a default setting, but, rather, require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of any processing of such consumer's personal data;
  • be consumer-friendly and easy to use by the average consumer;
  • be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation; and
  • enable the controller to accurately determine whether the consumer is a resident of this state and whether the consumer has made a legitimate request to opt out of any sale of such consumer's personal data or targeted advertising.
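The following is an added example of how a controller's web backend might honour the opt-out preference signal described above; it is not code from the original page, the CTDPA, or the AG's guidance. It assumes the signal arrives as the Global Privacy Control request header `Sec-GPC: 1` (one concrete instance of a browser-sent opt-out preference signal; the statute does not name a specific mechanism), and the `ConsumerRecord` structure, purpose names, and request headers are constructed for illustration.

```python
"""Honouring a browser-sent opt-out preference signal (added example).

Assumption: the signal is the Global Privacy Control header `Sec-GPC: 1`.
Only the exact value "1" counts; any other value is treated as "no signal"
so that a mis-set or spoofed header can never silently opt a consumer *in*.
"""
from dataclasses import dataclass, field
from typing import Mapping, Set, List, Tuple

# Purposes the opt-out preference signal covers under the text above:
# targeted advertising and the sale of personal data.
OPT_OUT_PURPOSES = frozenset({"targeted_advertising", "sale"})


@dataclass
class ConsumerRecord:
    consumer_id: str
    # Purposes the consumer has opted out of (via web form, agent, or signal).
    opted_out: Set[str] = field(default_factory=set)
    # Audit trail of (timestamp, purpose, source) so the opt-out can be shown
    # to an assessor or the AG on request.
    audit: List[Tuple[str, str, str]] = field(default_factory=list)


def signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only for an explicit `Sec-GPC: 1` (header name is
    matched case-insensitively, value must be exactly "1")."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_signal(record: ConsumerRecord, headers: Mapping[str, str],
                 now: str) -> ConsumerRecord:
    """Persist an opt-out for every covered purpose when the signal is set.

    No authentication step: the text above notes a controller is not
    required to authenticate an opt-out request. The signal is recorded
    once per purpose so repeated requests do not duplicate audit entries.
    """
    if signal_present(headers):
        for purpose in sorted(OPT_OUT_PURPOSES):
            if purpose not in record.opted_out:
                record.opted_out.add(purpose)
                record.audit.append((now, purpose, "opt-out-preference-signal"))
    return record


def may_process(record: ConsumerRecord, purpose: str,
                headers: Mapping[str, str]) -> bool:
    """Decision the ad-serving / data-sale pipeline consults per request.

    A signal on the *current* request is honoured even before anything is
    stored, so the first page view is already covered. Purposes outside the
    signal's scope (e.g. "analytics") fall back to the stored preferences.
    """
    if purpose in OPT_OUT_PURPOSES and signal_present(headers):
        return False
    return purpose not in record.opted_out


if __name__ == "__main__":
    # Constructed request headers, not captured traffic.
    rec = ConsumerRecord("consumer-0001")
    print(may_process(rec, "targeted_advertising", {"Sec-GPC": "1"}))  # False
    rec = apply_signal(rec, {"Sec-GPC": "1"}, "2024-04-01T00:00:00Z")
    print(sorted(rec.opted_out))  # ['sale', 'targeted_advertising']
    print(may_process(rec, "sale", {}))  # False: stored opt-out persists
```

Design note: the example deliberately does not try to decide state residency from the request; the statute places the burden of enabling that determination on the signal mechanism, and the conservative choice for a controller is to honour the signal regardless of where the consumer appears to be.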

8.6. Right to data portability

Consumers have the right to obtain a copy of their personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller will not be required to reveal any trade secret (§4-(a)-(4) of the CTDPA).

8.7. Right not to be subject to automated decision-making

Under §4-(a)-(5)-(C) of the CTDPA consumers have the right to opt out of the processing of personal data for purposes of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

8.8. Other rights

Not applicable.

9. Penalties

The CTDPA grants the AG with the exclusive authority to enforce its provisions (§11-(a) of the CTDPA).

Furthermore, §11-(b) the CTDPA provides for an enforcement grace period beginning on the entry into effect date of July 1, 2023, and ending on December 31, 2024. In this timeframe, the AG must, prior to initiating any action for any violation of the CTDPA, issue a notice of violation to the controller or consumer health data controller if the AG determines that a cure is possible. If the controller or consumer health data controller fails to cure a violation within 60 days of receipt of the notice of violation, the AG may initiate an enforcement action.

After the cure period ends on December 31, 2024, the AG has discretionary authority to provide an opportunity to cure alleged violations, subject to the following considerations (§11-(c) of the CTDPA):

  • the number of violations;
  • the size and complexity of the controller or processor;
  • the nature and extent of the controller or processor's processing activities;
  • the substantial likelihood of injury to the public;
  • the safety of persons or property; and
  • whether such alleged violation was likely caused by human or technical error.

Nothing in the CTDPA should be construed as providing the basis for, or be subject to, a private right of action for violations of said sections or any other law (§11-(d) of the CTDPA).

Beginning on January 1, 2026, the AG may, at their discretion, provide a controller or processor with the opportunity to cure any alleged violation of the provisions of §8 to 12 of the Act. In determining whether to grant the controller or processor an opportunity to cure such alleged violation, the AG may consider (§13-(b) of the Act):

  • the number of such violations that such controller or processor is alleged to have committed;
  • the size and complexity of such controller or processor;
  • the nature and extent of such controller's or processor's processing activities;
  • whether there exists a substantial likelihood that such an alleged violation has caused or will cause public injury;
  • the safety of persons or property;
  • whether such alleged violation was likely caused by a human or technical error; and
  • the sensitivity of the data.

9.1 Enforcement decisions

Not applicable.
