Connecticut enacts privacy law: what you need to know

Connecticut is the latest state to join California, Virginia, Colorado, and Utah in enacting comprehensive privacy laws which will take effect in 2023.

What’s going on with Connecticut’s new privacy law? 

Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring was passed by the state Senate and House in late April and signed by the Governoron May 10, making Connecticut the 5th U.S. state to enact a comprehensive privacy law after California, Virginia, Colorado and Utah. 

When does the Connecticut law go into effect? 

It will go into effect the same day as Colorado’s privacy law, on July 1, 2023. 

How is it similar to the California, Virginia, Colorado, and Utah privacy laws? 

Like the existing US privacy laws, including the California Consumer Privacy Act (CCPA), it is primarily an opt-out law, with the processing of sensitive data requiring consent. However, the Act borrows an additional requirement from the GDPR to offer a mechanism to revoke consent that is at least as easy as the mechanism to provide it.

For a more detailed comparison of current US state privacy laws, take a look at our always-up-to-date US state privacy law chart. 

Will Connecticut require opt-outs for targeted advertising?

Yes, it requires data controllers to clearly disclose whether they sell personal data to third parties or process personal data for targeted advertising, and to provide a means for consumers to request the opt out of processing for those purposes. 

How does Connecticut define targeted advertising? 

It defines targeted advertising as displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across non-affiliated Internet web sites or online applications to predict such consumer’s preferences or interests. 

The definition is subject to various exceptions, including advertisements based on activities within a controller’s own Internet web sites or online applications.

Does Connecticut have a provision that requires recognition of global opt-outs? 

Yes. Connecticut joins Colorado as the only state laws to explicitly require the recognition of global opt-outs. Businesses will be required to honor preference signals starting Jan 1, 2025. 

How is the Connecticut privacy law going to impact the advertising industry? 

Connecticut is the latest in a quick succession of recently passed privacy laws, reinforcing the need for comprehensive compliance management. As new laws are adopted, these complexities force companies to choose between adopting separate processes for each jurisdiction or a single process that folds in the requirements of each new law.

How will the Connecticut data privacy law be enforced? What do the penalties look like? 

It will be enforced by the Office of the Attorney General of Connecticut. Violations may result in civil fines of up to $5000 each. Violators must be given notice of violation and a 60-day period to cure until Dec 31, 2024. After that, the right to cure sunsets and the Attorney General has discretion over providing opportunities to cure. 

What types of businesses does Connecticut law apply to?

The law applies to entities that: 

Conduct business in Connecticut or produce products or services targeted to Connecticut residents and that during the preceding calendar year, either:

a. Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions; OR

b. Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data. 

How will Sourcepoint and its clients need to adapt to comply with the Connecticut law?

Compliance with the Connecticut law should be covered by the same mechanisms as needed for the California laws, namely an explicit method to opt-out such as a link on the website. The law will also require the honoring of global opt-out signals beginning in 2025. 

Additionally, businesses looking to be compliant with the Virginia and Colorado laws will already be thinking about how to ensure that opt-in consent is collected before processing sensitive information. 

The Sourcepoint blog is provided for general, informational purposes only, does not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.