2024 Report on the Connecticut Data Privacy Act

Written by Verified Credentials | Mar 19, 2024 4:00:00 AM

The Connecticut Data Privacy Act (CTDPA), which took effect in July 2023, is one of the nation’s pioneering consumer privacy laws. The CTDPA establishes responsibilities and privacy protection standards for organizations collecting and processing consumer data.

In compliance with the CTDPA, Connecticut Attorney General Tong released the first annual report on February 1, 2024.

The History of the Connecticut Data Privacy Act

The CTDPA requires certain businesses to limit the collection of personal data, practice transparency in how the data is used and secured, and obtain consumer consent before collecting sensitive information. Examples of sensitive data outlined in the law include biometric data, location, and certain health information. In general, the law applies to people or businesses in Connecticut that control or process the personal data of:

  • 100,000 or more consumers; or
  • At least 25,000 consumers, from which they derive more than 25% of their gross revenue from selling personal data.

Some businesses, such as state agencies, nonprofit organizations, higher education institutes, businesses subject to HIPAA, specific national security associations, and financial institutions, may be exempt from the CTDPA in certain circumstances. The full text of the law can be found here.

Attorney General Tong’s Report on the CTDPA

In addition to establishing responsibilities for organizations and employers, the CTDPA requires annual reports of violations from the Office of the Attorney General by February 1st of each year. The annual report must include:

  • The number of notices of violation issued by the Attorney General
  • The nature of each violation identified
  • The number of violations that have been cured
  • Any other matters deemed relevant by the Attorney General

Since the CTDPA took effect, the Office of the Attorney General has issued over a dozen notices of violation. These notices highlighted deficiencies in compliance, including:

  • Lacking Disclosures: Some companies failed to provide consumer rights notices under the CTDPA.
  • Inadequate Disclosures: Some companies provided disclosures with insufficient information about Connecticut residents’ rights under the law or provided inadequate information about Connecticut residents’ appeal rights related to their data rights.
  • Confusing Disclosures: Some privacy policies created an impression that consumers may be charged for all appeal requests, rather than only for manifestly unfounded, excessive, or repetitive requests.
  • Lacking Rights Mechanisms: Some companies failed to include a clear and conspicuous link to a webpage where consumers can opt out of targeted advertising or data sales.
  • Burdensome Rights Mechanisms: Some privacy rights mechanisms failed to consider how consumers typically interact with the company.
  • Broken/Inactive Rights Mechanisms: Non-working links or dead-end mechanisms prevented consumers from exercising their rights effectively.

Attorney General Tong’s report can be found here for more details.

Implications for Employers

The Connecticut Data Privacy Act is a small piece of a much bigger national conversation about regulating bulk personal data. There is growing awareness, at both the state and federal levels, of the importance of guarding personal data and setting guidelines for it. For instance, Executive Order 14117, a recent executive order to protect sensitive bulk data, was released on February 28, 2024.

Employers hiring in Connecticut and handling consumer data of Connecticut residents may want to consult legal counsel to ensure that all guidelines under the CTDPA are being met. Verified Credentials will continue to monitor and report on the evolving conversation around data privacy laws.