Connecticut Becomes Fifth US State to Enact Consumer Privacy Law

Connecticut Governor Ned Lamont officially signed Public Act No. 22-15, titled ‘An Act Concerning Personal Data Privacy and Online Monitoring’, into law on May 10.

Commonly referred to as the Connecticut Privacy Act (CTPA), the new legislation provides consumers with enhanced privacy rights, including the right of access, rectification and deletion of data.

It also provides the right of data portability, which empowers consumers to ask for a copy of their personal data processed by the controller in a “portable and, to the extent technically feasible, readily usable format,” and the right to opt out when their data is to be used for targeted advertising, sold, or used for profiling by automated systems that can produce “legal or similarly significant effects concerning the consumer.”

Additionally, the CTPA establishes obligations on data controllers and assigns enforcement powers to the Attorney General (AG).

In terms of data controllers and organizations, the CTPA applies to entities that conduct business in Connecticut or that target Connecticut residents, as well as those that in the preceding calendar year processed the personal data of at least 100,000 consumers.

Moreover, the legislation targets businesses that in the preceding calendar year processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

Businesses falling in one of these categories will have to “provide consumers with a reasonably accessible, clear, and meaningful privacy notice” and to “implement the data minimization principle by restricting the collection of personal data to ‘what is adequate, relevant and reasonably necessary.’”

For context, the CTPA makes Connecticut the second state in the US to establish a comprehensive consumer privacy law this year, following Utah in March, and fifth overall, with the California Consumer Privacy Act being enacted in February 2020.

Just like the UCPA and CCPA, the CTPA describes some exceptions regarding its applicability, excluding state and local government entities, non-profits, and higher education institutions, among others.

For more information about exceptions and the AG's enforcement powers, the full CTPA text is available at this link.
