Connecticut Enacts a New Data Privacy and Online Monitoring Act

Connecticut is the fifth state in the U.S. to enact a comprehensive privacy protection law, following California, Virginia, Colorado, and Utah. The new act on personal data privacy and online monitoring will enter into force in July 2023. Its provisions are similar to those of the corresponding acts in Virginia and Colorado.

The new Act applies to any person who conducts business in Connecticut or targets products or services to Connecticut residents, provided the business also either controls or processes the personal data of at least 100,000 Connecticut residents a year, or controls or processes the personal data of at least 25,000 Connecticut residents a year while deriving more than 25% of its gross revenue from the sale of personal data. However, the Act does not apply to certain bodies, such as state agencies, non-profit organizations, higher education institutions and financial institutions. It also does not apply to certain types of data, such as health information protected under HIPAA, employment-related information, and information regarding consumers’ creditworthiness, standing, or capacity.

The Act affords data subjects a variety of rights regarding their data, such as the right to confirm whether a business is processing their personal data and to obtain a copy of such data; the right to correct inaccuracies in their personal data; the right to delete personal data obtained about them or provided by them; and the right to opt out of targeted advertising or sale of their personal data, and automated decision making.

In addition, the Act imposes a set of substantial data protection obligations on businesses, including:

  • Limiting the collection of personal data to adequate, relevant, and reasonably necessary data.
  • Processing personal data solely for purposes reasonably necessary to, and compatible with, the disclosed purposes for which such data is processed.
  • Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices.
  • Implementing effective mechanisms to support consumers’ withdrawal of consent.

CLICK HERE to read the Act Concerning Personal Data Privacy and Online Monitoring.