The Connecticut Data Privacy Act (CTDPA) is an extensive data privacy law that came into effect on July 1st, 2023, and gives Connecticut residents certain rights over how their personal data is used, stored, and processed for any purposes. It establishes responsibilities and a standard for privacy protection that businesses, processing personal data, will need to adhere to. The act will ensure businesses are held accountable for any violations that put the individual privacy of Connecticut residents at risk.
The CTDPA is a significant piece of legislation that gives Connecticut residents more control over their personal data, and some of their key provisions are:
Right to Access: Individuals have the right to request access to their personal data that is held by a business. Businesses must provide individuals with access to their personal data within 45 days of receiving such a request.
Right to Correct: Residents of Connecticut have the right to request that a business correct any inaccurate information in their personal data. Businesses will need to correct the aforementioned inaccuracies within 45 days of receiving said request.
Right to Delete: Individuals have the right to request that a business delete their personal data. Businesses must delete personal data within 45 days of receiving a request, unless the business has a legitimate reason to retain the data.
Right to Port: Individuals have the right to request that a business provide them with a copy of their personal data in a portable format. This allows individuals to transfer their personal data to another business.
Right to Opt-Out: Individuals have the right to opt-out of the sale of their personal data. Businesses must provide individuals with an opportunity to opt-out of the sale of their personal data at the point of collection. Individuals would also have the right to opt-out of the processing of their personal data for the purposes of targeted advertising. Businesses must provide individuals with an opportunity to opt-out of targeted advertising at the point of collection.
Following other data protection laws in the states of the US, the CTDPA emphasizes the need to put their citizens’ privacy and choice as the most important factors, when considering the structure of businesses that are data-centric in nature. Specifically, the CTDPA applies to businesses that conduct business in Connecticut or that produce products or services targeted to Connecticut residents and that controlled or processed the personal data of :
100,000 or more consumers; or
25,000 or more consumers whose personal data is collected from children under the age of 16.
It is important to note that the CTDPA excludes institutions of higher education, state and local governments, non-profits, and a few national security associations. There are a few absolutely recognisable facets to the CTDPA and those include:
Security: The businesses need to be absolutely certain they are capable of handling the physical and technical security of the data they are handling. As it is personal data and could be sensitive information, proper methods of security need to exist to secure their databases.
Valid Consent: There are proper clauses in place to ensure consent is given in clear affirmative ways and can be revoked (by the individual) if the need arrives. There should be no “dark patterns” in play, so the consent given is fair and not using interfaces that could trick the individual into giving consent.
Data Minimization: Businesses need to analyze what information needs to be stored and what can be left out of the equation to ensure they are not hoarding unnecessary information that is personal to the consumer. That may or may not include biometrics(facial recognition and fingerprint access), physical or digital photographs etcetera.
Maintaining Transparency: The individuals have a right to be informed about how their data is being processed, stored or used. They can ask for any information about how the business is maintaining that data and the business would have to grant them access to view, edit, delete, or port their data however the individual would choose.
Discrimination: Businesses need to make sure there are no chances of any individual being discriminated against on the basis of their personal data being stored or processed. This needs to be in place to maintain the dignity of the individual and the credibility of the business as well.
Conclusively, the CTDPA is a significant step forward in protecting the privacy of Connecticut residents. Businesses that are subject to the CTDPA should take steps to understand the law's requirements and understand that violations would cost them heavy fines and consequences.