While many American states are currently in the process of approving new rigorous privacy laws, it’s critical to know which ones have already passed into law and are coming into effect soon. One of the most pressing regulations to adhere to is Connecticut SB 6, also known as the Connecticut Data Privacy Act (CTDPA). The law outlines extensive provisions on controlling consumers’ data, processing data on behalf of another firm, and asserting one’s rights as a consumer to control how data is used. Let’s look at whether your organization falls under the law’s jurisdiction, what it requires from businesses and consumers, and what you need to do to prepare your organization.

The basics of the CTDPA

As with other laws inspired by the GDPR (such as the Colorado Privacy Act), the CTDPA classifies companies as either controllers (who decide how data is handled) or processors (who handle data on behalf of controllers). Both fall under the purview of the CTDPA if they control or process the personal data of at least 100,000 people living in the state; the threshold drops to 25,000 residents if more than 25% of their gross revenue comes from selling personal data.

Unlike some other laws (most notably recent California legislation), the CTDPA gives consumers no private right of action against companies that violate it; enforcement rests with the Connecticut Attorney General. Non-compliance with the CTDPA can cost up to $5,000 for each violation. The law goes into effect on July 1, 2023, and once it is active the Attorney General will notify companies in violation and give them a 60-day “cure period” to fix the problem before taking enforcement action. This courtesy goes away on January 1, 2025.

What does the CTDPA/Connecticut SB 6 require?

Under the CTDPA, controllers must:

  1. Collect only the minimal amount of data needed to accomplish a given goal (also known as data minimization).
  2. Avoid using data for any reason other than the one for which it was officially obtained.
  3. Implement security best practices appropriate to the data they hold.
  4. Require explicit consent for processing “sensitive personal data” (e.g., biometric data, health diagnoses, and precise location) and a clear means to revoke consent.
  5. Handle children’s data in compliance with the Children’s Online Privacy Protection Rule (COPPA), as well as obtain consent to sell data for users between the ages of 13 and 16 or process it for targeted advertising.
  6. Avoid processing data for any discriminatory purpose or discriminating against consumers who choose to exercise their CTDPA rights.
  7. Complete data protection assessments for targeted advertising and other processes that could potentially harm the consumer (with the understanding that assessments completed for similar laws will also satisfy this requirement).
  8. Provide a detailed privacy notice outlining what the company wants to do, what rights the customer has, and whom to contact with concerns.
  9. Recognize Connecticut citizens’ “global opt-out” preferences to avoid targeted advertising (beginning January 1, 2025).

Processors also have their responsibilities, as they must:

  1. Sign data processing agreements with their partner controllers that specify how they process data.
  2. Be prepared to respond to consumers’ data subject requests.
  3. Support partner controllers by processing data as safely as possible and reporting breaches when they occur.
  4. Provide partner controllers with everything needed to carry out data protection assessments.
  5. Ensure that anyone involved in processing data keeps that data confidential.
  6. Obtain written agreements from subcontractors to ensure they also comply with the CTDPA requirements.

Consumers have the right to do the following under the CTDPA/Connecticut SB 6:

  1. Learn whether a controller is processing their data.
  2. Access, correct, and delete any data about them stored by a controller.
  3. Obtain a copy of all data held about them (where feasible).
  4. Opt out of the processing of their data for sale, targeted advertising, or profiling.

The law also forbids “dark patterns,” interfaces designed to mislead users into clicking options that grant consent without their realizing it.

Preparing to comply with the CTDPA

If you are a local business in Connecticut and this is the first recent piece of legislation to change the way you handle customer data, you will first need to determine whether you qualify as a controller or a processor. Controllers must complete data protection assessments, ensure their privacy notices are sufficient, and ask their partner processors to sign data processing agreements. Processors need to be prepared to support controllers while also coordinating with their subcontractors.

National or international firms that have already made efforts to comply with other regulations taking effect soon, like the Colorado Privacy Act or the California Privacy Rights Act, should be largely prepared for the CTDPA. However, a few aspects of Connecticut SB 6 (such as its separate sensitive data category) require particular attention. They may be especially challenging for firms that do not have a clear picture of where their data resides.

The first step toward complying with the CTDPA is knowing what data you have, where it is stored, and how the CTDPA and other legislation apply to it. When you need to kick-start the data discovery process quickly, choosing fast, accurate, and thorough technology is essential. Enterprise Recon by Ground Labs relies on proprietary GLASS technology to rapidly identify more than 300 types of data across your servers, networks, and platforms, helping you prepare to comply with relevant data laws, including the CTDPA/Connecticut SB 6.
