Connecticut Data Privacy Act: Safeguarding Privacy Rights
What is Connecticut’s CTDPA?
Connecticut’s CTDPA (Connecticut Data Privacy Act) is a state law that sets guidelines for how businesses collect, store, and use the personal information of Connecticut residents. The law applies to any company that conducts business in Connecticut, even if they are located outside of the state.
Under the CTDPA, businesses must provide clear and concise notices to consumers regarding what personal information is being collected, how it is being used, and with whom it is being shared. Consumers have the right to access and request the deletion of their personal information, and businesses must comply with these requests within specific timeframes
The CTDPA requires businesses to implement reasonable security measures to protect consumer personal information from unauthorized access, use, or disclosure. Additionally, businesses must provide annual data privacy training to all employees who have access to consumer personal information.
Why is Connecticut’s privacy law important?
In 2019, Yale University announced a data breach that potentially impacted 119,000 individuals, including students, faculty, staff, and alumni. The breach occurred when an unauthorized person accessed a database containing personal information, such as names, Social Security numbers, and dates of birth.
More recently, in 2020, the Connecticut Department of Labor suffered a data breach that potentially exposed the personal information of thousands of individuals who had filed for unemployment benefits. The breach occurred when a third-party vendor that provides services to the Department of Labor experienced a data breach.
These incidents highlight the importance of data privacy and the need for organizations to implement robust data security measures to protect sensitive personal information. It also underscores the significance of Connecticut’s Consumer Data Privacy Act (CTDPA), which requires organizations to take measures to safeguard consumer personal information and notify affected individuals in the event of a data breach.
CTDPA consumer rights
- The right to know what personal information businesses are collecting, why they are collecting it, and with whom it is being shared.
- The right to access and obtain a copy of their personal information held by businesses.
- The right to request that businesses delete their personal information.
- The right to opt-out of the sale of their personal information to third parties.
- The right to have their personal information corrected or updated.
- The right to receive notice of data breaches that expose their personal information.
- The right to file a complaint with the Connecticut Attorney General’s Office if they believe their data privacy rights have been violated.
- The right to bring a private cause of action against businesses that fail to comply with the CTDPA and seek damages and attorney’s fees.
Who must comply?
Connecticut’s CTDPA (Connecticut Data Privacy Act) applies to businesses that collect, use, or share the personal information of Connecticut residents. The law applies to businesses of all sizes, regardless of where they are located, as long as they meet certain criteria. Specifically, a business is subject to the CTDPA if it:
- Conducts business in Connecticut
- Targets its products or services to residents of Connecticut
- Collects personal information of Connecticut residents
The law defines personal information broadly and includes information such as name, address, Social Security number, driver’s license number, and biometric data. The law also covers online identifiers such as IP addresses and cookies, as well as browsing history and other online activity.
It is important for businesses to understand whether they are subject to the CTDPA and to take steps to comply with the law. Failure to comply with the CTDPA can result in significant legal and financial consequences, including fines and legal action by the Connecticut Attorney General’s Office.
Preparing for CTDPA compliance
Connecticut’s CTDPA (Connecticut Data Privacy Act) was signed into law on May 10, 2022, and will go into effect on July 1, 2023. The law provides businesses with a transition period to become compliant with the new requirements.
To comply with the CTDPA, businesses must take the following steps:
- Conduct a data inventory: Businesses must identify all the personal information they collect, store, and use, and determine the purpose of each data element.
- Update privacy policies: Businesses must update their privacy policies to reflect the new requirements under the CTDPA. The privacy policy should include information on what personal information is being collected, how it is being used, and with whom it is being shared.
- Provide notices: Businesses must provide clear and concise notices to consumers regarding their data collection and use practices. The notices must be easily accessible and understandable.
- Implement security measures: Businesses must implement reasonable security measures to protect consumer personal information from unauthorized access, use, or disclosure.
- Provide consumer rights: Businesses must provide consumers with the rights outlined under the CTDPA, including the right to access, correct, and delete their personal information.
- Train employees: Businesses must provide annual data privacy training to all employees who have access to consumer personal information.
- Develop a breach response plan: Businesses must develop a plan to respond to data breaches and notify affected consumers and the Connecticut Attorney General’s Office within 60 days of discovering the breach.
Failure to comply with the CTDPA can result in significant financial penalties and legal consequences, so it is essential for businesses to understand and follow the new requirements.
CTDPA Enforcement
The Connecticut Attorney General’s Office is responsible for enforcing Connecticut’s CTDPA (Connecticut Data Privacy Act). The office has the authority to investigate complaints and violations of the law, and to bring legal action against businesses that fail to comply with the law.
The CTDPA provides the Attorney General with broad enforcement powers, including the ability to issue subpoenas, conduct investigations, and seek injunctive relief and civil penalties. The Attorney General can impose a fine of up to $5,000 for each violation, with a maximum of $500,000 per incident. In addition to the fines, businesses may also be subject to injunctions, which can prohibit them from engaging in specific activities that violate the CTDPA.
The Attorney General’s Office may also work with other state and federal agencies to enforce the law. For example, the office may collaborate with the Federal Trade Commission (FTC) or other state attorneys general to investigate and prosecute data privacy violations.
To ensure compliance with the CTDPA, the Attorney General’s Office may conduct investigations and audits of businesses. The office may also rely on consumer complaints to identify potential violations of the law. Consumers who believe their data privacy rights have been violated may file a complaint with the Attorney General’s Office, which will investigate the matter and take appropriate action if necessary.
Achieving CTDPA Compliance with BigID
BigID can help organizations proactively prepare for and achieve Connecticut’s Consumer Data Privacy Act (CTDPA) compliance with its comprehensive data privacy management platform.
- Know your data: BigID brings great visibility to organizations—allowing them to understand the data they hold, where it resides, and whether it includes sensitive personal information that is subject to CTDPA regulations. This includes data discovery and classification, mapping data flows, and data lineage tracking.
- Automate DSARs: BigID manages data subject requests, such as access, deletion, and rectification requests, by automating the fulfillment process and providing a centralized dashboard for tracking and reporting.
- Implement DSPM: BigID reduces the attack surface and proactively mitigate risk across an organization’s data landscape. BigID’s risk scoring and remediation app identifies critical vulnerabilities and at-risk sensitive data so you can take the appropriate actions and improve your overall data security posture.
- PIA Assessment: BigID offers automated privacy impact assessments, data inventory reports, and remediation plans for identified risks to help organizations ensure compliance for CTDPA.
Schedule a 1:1 demo to see how BigID can accelerate your CTDPA compliance today.