Connecticut Data Privacy Act Overview

Create a free account to access. Already a member?Log In.

The Connecticut Data Privacy Act (CTDPA) was signed into law by Governor Ned Lamont on May 10, 2022, becoming the fifth comprehensive state privacy law to be passed in the US. The CTDPA will introduce new requirements for organizations operating in the state of Connecticut including new consumer rights, conditions for using sensitive data, and conducting data privacy risk assessments. Much like most other state privacy laws, the CTDPA will be exclusively enforced by the Connecticut Attorney General who will have the power to issue monetary and administrative sanctions for non-compliance with the law.

What is the CTDPA?

The CTDPA is a piece of comprehensive privacy legislation passed in the state of Connecticut that provides residents of Connecticut greater control over the use of their personal data. The law requires organizations to develop robust privacy programs in order to maintain compliance and requires them to put in place processes for collecting valid consent, fulfilling individuals' rights, and conducting risk assessments, among other things.

Key compliance areas under the CTDPA

The CTDPA closely resembles other US state privacy laws and grants individuals a range of consumer rights as well as placing obligations on the data controller to present clear and accessible privacy notices. Organizations covered by the CTDPA will need to consider a range of new obligations including:

Providing a “reasonably accessible, clear and meaningful privacy notice” to consumers Conduct data protection assessments for certain processing activities
Honoring universal opt-out mechanisms, e.g. Global Privacy Control
Entering into vendor contracts with data processors
Collecting valid consent prior to processing sensitive data