The next data privacy law coming into effect this year will be the Connecticut Data Privacy Act (CTDPA). The CTDPA comes into effect on July 1st, 2023, with enforcement beginning on the same day. Like the remaining data privacy laws that we’ll discuss, CTDPA was largely modeled after the Virginia Consumer Data Protection Act (VCDPA) with influences from the California Privacy Rights Act (CPRA). However, the cure provision that allows organizations the opportunity to cure a violation before the Attorney General takes action will end on December 31st, 2024.
The guiding influence of VCDPA on the creation of CTDPA is apparent when you look at the privacy rights protected by CDPA. CDPA protects a consumer’s right to access, right to data portability, right to delete, right of rectification, right to opt-out of sale, right to opt-out of profiling, and the right to opt-out of targeted advertising. However, unlike CPRA, CTDPA does not protect the right to opt out of automated decision-making. This means if you do not opt out of profiling an organization can make choices based on that profile without human input. An area where CTDPA has superior consumer privacy protections over CPRA is with processing sensitive personal data. CTDPA requires opt-in for data processors to process a consumer’s sensitive personal data, whereas CPRA allows consumers to opt-out. Sensitive personal data for CTDPA is defined as “personal data that includes (A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (C) personal data collected from a known child, or (D) precise geolocation data.”
Much like CPRA and VCDPA, CTDPA will require data protection assessments under certain circumstances. Fortunately, CTDPA states that if a data controller conducts a data protection assessment for the purpose of complying with a similar regulation, that assessment will satisfy the CTDPA requirements as long as it is similar in scope and effect. Therefore, conducting a thorough data protection assessment is critical as it will eliminate the need for redundant assessments. Additionally, it would be advisable for any organization subject to CTDPA to conduct a privacy impact assessment. A PIA assesses how an organization handles personal data and will tell whether the organization will be in compliance with new state data privacy laws or not.