Data Laws Reach Connecticut
In the recent months, we have seen the rollout worldwide of data laws. Many of them focus on issues of privacy and data protection of individuals. As covered in our
blog, the European Union has already made great strides to protect user data. In the United States, Connecticut is now the latest state to pass a data privacy law making it
the fifth U.S. state to do so. Read on to find out what the Connecticut Data Privacy Act (CTDPA) consists of and how it will affect you.
The Main Goals of CTDPA
Before going into detail, some key terms are crucial to understanding the new law. Data controllers are mentioned frequently and refer to: “An individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.” Data Processors, another common term, are “an individual who, or legal entity that processes personal data on behalf of a controller.” These two terms are essential for comprehension.
CTDPA took effect July 1st, 2023. The overall purpose of the CTDPA is to give Connecticut citizens rights over the processing of their personal data. The law protects the privacy of Connecticut residents when in the context of personal time, meaning acts committed in the context of employment are not protected.
The CTDPA lays out a clear and comprehensive explanation of its principles. Data minimization is one of the main goals of the law. Collection of personal data should be limited only to what is considered “adequate, relevant, and reasonably necessary” based on the context of the situation.
Another important concern of the law is Purpose Limitation. Personal data should not be processed for unnecessary or unsuitable reasons that do not align with the "disclosed purposes”. In essence, companies must not stray from their original reasons for collecting data without consent of the consumer.
Lastly, the final major stressor of the CTDPA is Confidentiality and Integrity. Data controllers are not just expected, but required to protect users’ information. Specifically, they must have sufficient security protocols in place. The level of protection must fit the size and seriousness of the data. The law adds that data has to be processed legally in accordance with federal and state law which forbid discrimination against individuals.
Who Does CTDPA Apply To?
CTDPA is applicable to businesses and individuals that operate in the state. Also it applies to companies that have products or services directed at Connecticut residents. Data processors that facilitate services involving personal data for businesses are also subject to the law. The Attorney General of Connecticut is the office in charge of enforcing the CTDPA.
Data Controller and Processor Obligations and Penalties
Data controllers and processors of data are responsible for maintaining requirements of CTDPA. One of the key responsibilities is to de-identify data. Data should not be identifiable to a person; the CTDPA is very strict on this point. Furthermore, data controllers must document a Data Protection Assessment. In this assessment, data controllers are examining data processes that create a heightened risk to consumers like targeted advertising. Children’s data is another point of contention for the CTDPA. Controllers are not permitted to process the data of known children without parental consent, meaning children cannot receive targeted advertising.
The processing of sensitive data is not allowed either without consent.
Sensitive data includes data revealing race, ethnicity, religious beliefs, sexual orientation, citizenship, immigration status, information regarding an individual's mental or physical health condition or diagnosis, the processing of genetic personal data or biometric data, personal data collected from a known child, or precise geolocation data.
Data Subject Rights
Many consumers and businesses might wonder what exactly are the rights of Connecticut residents. CTDPA specifically outlines seven main rights designated to consumers:
- Right to be Informed
- Consumers have the right to know if a controller is processing their personal data.
- Controllers are required to provide consumers with a privacy notice.
- Right to Access
- Consumers have the right to confirm whether or not a controller is processing their data and accessing personal data.
- Right to Rectification
- Consumers have the right to correct inaccuracies in their data.
- Right to erasure
- Consumers have the right to delete personal data about themselves, regardless of whether it was provided or obtained.
- Right to object/opt out
- Consumers have the right to opt out of the processing of personal data for the purpose of targeted advertising, sale of personal data, and profiling for automated decisions.
- Right to data portability
- Consumers have the right to obtain a copy of their personal data.
- Right not to be subject to automated decision-making
- Consumers have the right to opt out of the processing of personal data for profiling purposes.
Connections To Other Laws
CTDPA resembles a very similar law in Europe. The European Union GDPR law and Digital Services Act strongly resemble CTDPA. For more information about European laws, check out our blog post on the latest EU news. Although Connecticut took longer to address these topics than Europe, it is still one of the leading states in the U.S. for data protection and privacy.
So, what does this law have to do with marketing? Well, laws like these are changing the entire landscape of today’s marketers. Targeted advertising is a slippery slope. Companies need to tread carefully on who they are targeting, how they are targeting, and when to give notice to users.
As we move forward into this new environment, you can count on SparkShoppe to deliver quality information on all marketing developments. Make sure to stay informed with our blog!
