The Connecticut Data Privacy Act

Who Is Protected And What Rights Do They Have?

The CTDPA is designed to protect “consumers,” which means individuals who are Connecticut residents. The statute specifically states that “consumer” does not include an individual acting in a commercial or employment context, so employees and B2B contacts are permanently exempted from the CTDPA. For consumers acting in their personal capacity, the CTDPA grants them a series of data privacy rights. These rights are:

  • Right of Access - Consumers have a right to confirm whether a controller is processing personal data about them and to access that data.
  • Right to Correct Inaccuracies - If controllers possess inaccurate personal data about a consumer, the consumer has a right to correct the inaccuracies.
  • Right to Delete - Consumers can request the deletion of their personal data, subject to some exceptions.
  • Right to Portability - Consumers have the right to obtain a copy of their data in a portable and readily usable format so that it may be transmitted to another controller.
  • Right to Opt Out - At any time, consumers can opt out of the processing of their personal data for the purposes of (1) targeted advertising, (2) the sale of personal data, and (3) automated decision making that produces legal or similarly significant effects for the consumer

What Is a Sale of Personal Data?

“Sale” is defined as any exchange of personal data for monetary or other valuable consideration. The “or other valuable consideration” component is taken from the CCPA, and as with the CCPA, it is vague and open to interpretation. However, this section of the law strongly suggests that a discount on products or services is considered valuable consideration, possibly qualifying many disclosures of personal data as sales.

For example, if a business uses a free cloud-based software and enters consumers personal data into that program, that could be considered a discount; unless the exchange of data falls under one of the exceptions to the definition of selling, it may be a sale of personal data.

Privacy Notice

As with other state privacy laws, a major part of complying with the CTDPA involves posting privacy disclosures on a business’s website (and anywhere else it collects personal data). These disclosures must include the following information:

  • The categories of personal data collected
  • The purposes for processing person data
  • How consumers may exercise their privacy rights, and how to appeal a controller’s decision regarding privacy requests
  • The categories of personal data shared with third parties
  • The categories of third parties with which the controller shares data
  • An email address or other online mechanism for contacting the controller
  • If the controller sells personal data or uses it for targeted advertising, it must also disclose that fact