Data Laws Reach Connecticut

Jul 28, 2023

In the recent months, we have seen the rollout worldwide of data laws. Many of them focus on issues of privacy and data protection of individuals. As covered in our blog, the European Union has already made great strides to protect user data. In the United States, Connecticut is now the latest state to pass a data privacy law making it the fifth U.S. state to do so. Read on to find out what the Connecticut Data Privacy Act (CTDPA) consists of and how it will affect you.

The Main Goals of CTDPA

Before going into detail, some key terms are crucial to understanding the new law. Data controllers are mentioned frequently and refer to: “An individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.” Data Processors, another common term, are “an individual who, or legal entity that processes personal data on behalf of a controller.” These two terms are essential for comprehension. 


CTDPA took effect July 1st, 2023. The overall purpose of the CTDPA is to give Connecticut citizens rights over the processing of their personal data.  The law protects the privacy of Connecticut residents when in the context of personal time, meaning acts committed in the context of employment are not protected.

The CTDPA lays out a clear and comprehensive explanation of its principles. Data minimization is one of the main goals of the law. Collection of personal data should be limited only to what is considered “adequate, relevant, and reasonably necessary” based on the context of the situation.


Another important concern of the law is Purpose Limitation. Personal data should not be processed for unnecessary or unsuitable reasons that do not align with the "disclosed purposes”. In essence, companies must not stray from their original reasons for collecting data without consent of the consumer. 


Lastly, the final major stressor of the CTDPA is Confidentiality and Integrity. Data controllers are not just expected, but required to protect users’ information. Specifically, they must have sufficient security protocols in place.  The level of protection must fit the size and seriousness of the data. The law adds that data has to be processed legally in accordance with federal and state law which forbid discrimination against individuals.

Who Does CTDPA Apply To?

CTDPA is applicable to businesses and individuals that operate in the state. Also it applies to companies that have products or services directed at Connecticut residents. Data processors that facilitate services involving personal data for businesses are also subject to the law. The Attorney General of Connecticut is the office in charge of enforcing the CTDPA. 

Data Controller and Processor Obligations and Penalties 

Data controllers and processors of data are responsible for maintaining requirements of CTDPA. One of the key responsibilities is to de-identify data. Data should not be identifiable to a person; the CTDPA is very strict on this point. Furthermore, data controllers must document a Data Protection Assessment. In this assessment, data controllers are examining data processes that create a heightened risk to consumers like targeted advertising. Children’s data is another point of contention for the CTDPA. Controllers are not permitted to process the data of known children without parental consent, meaning children cannot receive targeted advertising. 

The processing of sensitive data is not allowed either without consent. Sensitive data includes data revealing race, ethnicity, religious beliefs, sexual orientation, citizenship, immigration status, information regarding an individual's mental or physical health condition or diagnosis, the processing of genetic personal data or biometric data, personal data collected from a known child, or precise geolocation data.

Data Subject Rights

Many consumers and businesses might wonder what exactly are the rights of Connecticut residents. CTDPA specifically outlines seven main rights designated to consumers:

  1. Right to be Informed 
  2. Consumers have the right to know if a controller is processing their personal data. 
  3. Controllers are required to provide consumers with a privacy notice. 
  4. Right to Access 
  5.  Consumers have the right to confirm whether or not a controller is processing their data and accessing personal data.
  6. Right to Rectification
  7.  Consumers have the right to correct inaccuracies in their data.
  8. Right to erasure 
  9. Consumers have the right to delete personal data about themselves, regardless of whether it was provided or obtained. 
  10. Right to object/opt out
  11. Consumers have the right to opt out of the processing of personal data for the purpose of targeted advertising, sale of personal data, and profiling for automated decisions. 
  12. Right to data portability 
  13.  Consumers have the right to obtain a copy of their personal data. 
  14. Right not to be subject to automated decision-making
  15. Consumers have the right to opt out of the processing of personal data for profiling purposes.

Connections To Other Laws 

CTDPA resembles a very similar law in Europe. The European Union GDPR law and Digital Services Act strongly resemble CTDPA. For more information about European laws, check out our blog post on the latest EU news. Although Connecticut took longer to address these topics than Europe, it is still one of the leading states in the U.S. for data protection and privacy. 


So, what does this law have to do with marketing? Well, laws like these are changing the entire landscape of today’s marketers. Targeted advertising is a slippery slope. Companies need to tread carefully on who they are targeting, how they are targeting, and when to give notice to users.

As we move forward into this new environment, you can count on SparkShoppe to deliver quality information on all marketing developments. Make sure to stay informed with our blog!

Sean Downey at NewFronts

Navigating the New Frontier: Google's Pivot to CTV & OTT

09 May, 2024
Are streaming services the future of digital advertising? Check out the moves that Google and major streaming services are making to improve their ad experience and improvements for advertisers to get the most bang for their buck.

Navigating the Cookie Crumble: Google's Third-Party Cookie Delay Explained

07 May, 2024
In the ever-evolving landscape of online privacy, Google's recent announcement of yet another delay in the phase-out of third-party tracking cookies has stirred significant debate and speculation. This latest decision signifies the third delay since Google first introduced its plan in 2020 to cease the use of cookies. Initially scheduled for a complete phase-out by 2022, the timeline was extended to the end of 2024. Now, with the most recent postponement, the tech giant is considering 2025 as a potential deadline, indicating a prolonged transition period for the advertising industry.

The Mastermind Behind Marketing The Tortured Poets Department

24 Apr, 2024
Learn more about the release of Taylor Swift's newest album and the strategy she used to market to and engage with her fan base!

Marketing Trend Tracker - Series 9

By Sierra Levine 23 Apr, 2024
April 2024 has ushered in notable shifts within the digital marketing sphere, marked by significant updates from platforms LinkedIn and X, and a proposed federal privacy act aimed at transforming how businesses handle data collection, usage, and sharing.

American Privacy Rights Act of 2024 (APRA): A Pivotal Leap in Data Privacy Rights

By Sierra Levine 19 Apr, 2024
The American Privacy Rights Act of 2024 (APRA) marks a major turning point in U.S. data privacy legislation. This blog dives deep into the implications of the Act, the push for federal and state privacy regulation and the challenges and opportunities it presents for businesses and consumers alike.
Person using phone

CTV: The Channel of Choice for Millennials & Gen Z

11 Apr, 2024
Learn more about why CTV is the preferred platform for Millennials and Gen Z!
More Posts
Share by: