Safetica Blogs

Connecticut Data Privacy Act: The Scope, Purpose, and How to Comply

Written by Sample HubSpot User | Jul 27, 2023 8:00:00 AM

In the United States, there isn't a single comprehensive federal data protection law like the EU's GDPR. Instead, some states have their own privacy regulations with unique provisions. One significant piece of legislation is the Connecticut Data Privacy Act (CTDPA), which became effective on 1 July 2023.

Similar to the California Consumer Privacy Act, the Virginia Consumer Data Privacy Act (VCDPA), and the Colorado Privacy Act (CPA), the CTDPA focuses on protecting consumers' personal data, giving them more control over how it's collected, used, and shared.

In this article, we'll take a closer look at the Connecticut Data Privacy Act, exploring its purpose, scope, and what your business should be doing in order to comply.

What is the CTDPA?

The CTDPA is a law that grants consumers control over their personal information that’s being collected and processed by businesses and organizations. To allow this, it establishes responsibilities and privacy protection standards for businesses and organizations in Connecticut (more on scope below).

 

The CTDPA defines "personal data" as any information linked or reasonably linkable to an identifiable individual, such as:

  • address
  • driver’s license or ID numbers
  • passport information
  • account numbers
  • payment card information
  • login credentials

There’s also a subset of personal data called “sensitive data”, which might sound like the same thing but isn’t. Sensitive data is particularly personal information that gets enhanced protection under the CTDPA, and its processing requires explicit consent from the individual. It includes information like:

  • racial or ethnic origin
  • religious beliefs
  • health condition and diagnosis
  • genetic or biometric data
  • sexual orientation
  • precise geolocation data
  • any personal data of children under 13

 

What’s the purpose of CTDPA?

The CTDPA aims to balance safeguarding consumer privacy and allowing businesses to handle personal data responsibly. It gives individuals more control over their information, respecting their privacy preferences and empowering them to make informed choices.

The law also holds organizations accountable by outlining data processing obligations, security practices, and transparent consent procedures, encouraging fair and ethical data practices within the business community.

One crucial aspect of the CTDPA is its approach to handling data breaches. It requires businesses to quickly inform affected individuals and relevant authorities if a breach occurs.

Finally, by implementing this comprehensive data protection law, Connecticut aligns with national and global trends in data privacy regulation, showing its dedication to addressing data protection concerns.

 

CTDPA’s scope: Who does it apply to?

First of all, let’s distinguish the two types of entities the CTDPA talks about: data controllers and data processors. A "controller" is an organization or business that determines the purposes and means of processing personal data. On the other hand, a "processor" processes personal data as instructed by the controller, but doesn’t have decision-making authority over personal data.

 

Like the Colorado Privacy Act, the CTDPA does not include a revenue threshold, potentially catching a broader range of businesses in its scope. So, even if you own or manage a smaller business, but you still handle a lot of personal data, the CTDPA may apply to you.

 

CTDPA’s Implications and Responsibilities for Companies

Now that we’ve talked about what the CTDPA does for consumers, it’s time to understand the practical implications for businesses. How are businesses supposed to ensure that consumer personal data is protected in a way that complies with Connecticut’s new data privacy law?

 

Data processing agreements

Controllers and processors must sign clear and comprehensive data processing agreements that outline the responsibilities of each party.

Data protection assessments

The CTDPA requires businesses to conduct a data protection assessment (DPA) for activities involving personal data that could potentially cause harm to consumers. The DPA aims to carefully analyze the risks and benefits of these data processing activities for consumers, the company doing the processing, and the public at large.

If requested by the Connecticut Attorney General, businesses must provide this assessment for investigation. It applies to data processing activities taking place after 1 July 2023 and doesn't apply retroactively.

 

Complying with the CTDPA

It's crucial for businesses to be aware of these new obligations so that they can put processes in place to ensure compliance with the CTDPA. Not only will they maintain consumer trust, but they’ll also avoid being penalized.

The enforcement of the CTDPA falls under the exclusive authority of the Connecticut Attorney General, who can take action against violations.

There is a "Notice and Cure" period in place until 31 December 2024, which means that the Attorney General will notify businesses of CTDPA violations and give them an opportunity to correct any non-compliance concerns within 60 days. Starting in 2025, whether or not a business gets a chance to rectify violations before being penalized will be at the Attorney General’s discretion.

Penalties for non-compliance may include fines of up to USD 5,000 per violation.

 

Safetica's DLP Software: A Solution for CTDPA Compliance

When it comes to complying with the CTDPA, Safetica's Data Loss Protection (DLP) software offers a valuable solution for businesses. With its user-friendly features, Safetica can help organizations navigate the complexities of the CTDPA and ensure consumer data is handled responsibly.

One of the essential aspects of CTDPA compliance is conducting data protection assessments. Safetica's DLP software simplifies this process, allowing businesses to identify and assess potential risks associated with data processing activities.

 

By partnering with Safetica, you can proactively address the challenges of data privacy and compliance. We’ll help you navigate the complexities of data protection while maintaining productivity and efficiency.

 
