Connecticut Data Privacy Act (CTDPA)

Overview

In May 2022, Governor Ned Lamont signed Senate Bill 6: An Act Concerning Personal Data Privacy and Online Monitoring (also known as The Connecticut Data Privacy Act or “CTDPA”), making Connecticut one of the first states to pass a comprehensive consumer privacy law.

Key Dates

• Signed into law: May 10, 2022
• Effective date: July 1, 2023

Thresholds

The CTDPA applies to people who conduct business in Connecticut or who produce products or services targeted to Connecticut residents and that, during the prior calendar year, controlled or processed the personal data of:

• at least 100,000 consumers; or
• 25,000 or more consumers and derived over 25% of gross revenue from the sale of personal data.

However, the CTDPA applies to all Consumer Health Data Controllers who do business in Connecticut, regardless of their size or the nature of their data processing activities (see below section regarding Consumer Health Data Controllers).

The CTDPA also applies to service providers (called “processors”) that maintain or provide services involving personal data on behalf of covered businesses.

Consumer Rights

• The right to access personal data that a controller has collected about them.
• The right to correct inaccuracies in their personal data.
• The right to delete their personal data, including personal data that a controller collected through third parties.
• The right to obtain a copy of their personal data in a portable and readily usable format that allows them to transfer the data to another controller with ease.
• The right to opt-out of the sale of their personal data, the processing of personal data for the purposes of targeted advertising, and profiling that may have a legal or other significant impact.

Sensitive Data

The law defines sensitive data to include personal data revealing:

• Any data revealing racial or ethnic origins, religious beliefs, mental or physical health conditions or diagnoses, sexual activity or orientation, citizenship, or immigration status;
• Consumer Health Data – which means data used to identify a consumer’s physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive health data;
• Genetic or biometric data used to uniquely identify an individual;
• Personal data of a child under the age of 13; and
• Information that identifies an individual’s specific location with a defined degree of precision and accuracy (called “precise geolocation data”).

Penalties

Up to $5,000 per violation.

Configure Your Consent Banner for CTDPA

Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. CTDPA in Connecticut). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have setup in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like CTDPA in Connecticut).

Recommended Consent Settings

Based on the current laws, we recommend the following regional settings:

• Consent Mode: Implied
• Blocking Mode: Strict
• Google Consent Mode V2: Basic
• Consent Duration: 12 months
• Enable Limit Sensitive Information: Enabled
• Enable Do Not Sell Consent: Enabled
• Enable Global Privacy Control: Enabled

For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document https://www.concord.tech/docs/configure-consent-banner-difference-regions.

Important Note: While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.