On May 10, 2022, Connecticut Governor Ned Lamont signed “An Act Concerning Personal Data Privacy and Online Monitoring” (also known as the Connecticut Data Privacy Act (CTDPA)), making Connecticut the fifth state to pass a comprehensive data privacy law, along with California, Virginia, Colorado and Utah. The new law goes into effect on July 1, 2023, and protects only Connecticut consumers, not individuals acting in a business-to-business relationship.
Who is Covered?
The CTDPA applies to individuals and entities conducting business in Connecticut or producing products or services targeted to Connecticut residents that, during the preceding calendar year, either “Controlled” or “Processed” (i) the Personal Data (as defined below) of at least 100,000 consumers, or (ii) the Personal Data of at least 25,000 consumers while deriving more than 25% of their gross revenue from the sale of Personal Data. Similar to the EU General Data Protection Regulation (“GDPR”), the CTDPA uses the term “Controller” to mean the entity that determines the purpose and means of processing Personal Data and the term “Processor” to mean the entity that performs an operation (e.g., collection, use, storage) on Personal Data on behalf of a Controller. The new law exempts certain entities, including nonprofit organizations, institutions of higher learning, financial institutions subject to the Gramm-Leach-Bliley Act and “Covered Entities” or “Business Associates” subject to the Health Insurance Portability and Accountability Act (“HIPAA”).