What's New | Articles & Press Releases


Recent Developments in Connecticut's Data Privacy Law

A new state law places potentially significant administrative burdens on companies that collect personal data, and gives consumers new rights regarding how their personal data is used. On May 10, 2022, Governor Ned Lamont signed The Connecticut Data Privacy Act (the “CTDPA”) into law. It took effect on July 1, 2023 and, with some exemptions, applies to people that:

(1) conduct business in Connecticut, produce products, or provide services targeted at Connecticut residents, and

(2) during the prior calendar year, controlled or processed the personal data of

(i) 100,000 or more consumers (excluding personal data controlled or processed solely for completing a payment transaction), or
(ii) 25,000 or more consumers, and derived over 25% of gross revenue from the sale of personal data.

The CTDPA creates obligations on such persons and businesses (“Controllers”) and grants consumers rights with respect to their personal data. Personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable individual, excluding information generally available to the public.

Consumers now have the right to: (1) access collected data, (2) correct inaccuracies in their data, (3) delete personal data provided by or obtained about the consumer, (4) obtain a copy of personal data in a format that allows the consumer to transfer the data, and (5) opt out of the processing of personal data for purposes of (A) targeted advertising, (B) sales of personal data (with some exceptions), or (C) profiling that may have a legal or similarly significant effect on the consumer.

Controllers, on the other hand, must now, among other things: (1) provide notice to consumers regarding their use of the personal data, (2) limit the collection of the personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, (3) obtain consent before processing certain “sensitive data” (a subset of “personal data” as defined in the CTDPA), (4) respond to the consumer requests outlined above, and (5) implement and maintain safeguards to protect personal data.

If you are a consumer interested in safeguarding your personal data or a business/individual controlling or processing the personal data of others, the CTDPA affects you. The CTDPA may place significant administrative duties upon Controllers.