
Digital Guardian's Blog

Connecticut Set to Pass Nation's Next Data Privacy Law

by Chris Brook on Monday May 2, 2022


The bill, which is similar to the privacy laws recently passed in Colorado, Virginia and Utah, would give Connecticut consumers more control over the personal data collected about them by companies online.

The state of Connecticut, like a handful of others lately, appears poised to pass the nation's latest data privacy act.

The state will be the latest in a line of states to pass a consumer privacy act, including California, Colorado, Virginia, and Utah, assuming its governor, Ned Lamont, signs the legislation, an Act Concerning Personal Data Privacy and Online Monitoring – already being referred to as the Connecticut Data Privacy Act (CTDPA) – into law.

That's the act's final hurdle after it cruised through the Senate 35-0 last month and the House a few days later 144-5. Assuming it's passed, the bill would go into effect on July 1, 2023.

Like others, the bill would give consumers more control of and access to personal data collected on them by companies. Just because it follows in their footsteps doesn't mean it's a carbon copy of any of the other state-specific data privacy laws that have been passed lately, however.

At first glance the bill hews closer to Colorado's and Virginia's laws than to Utah's UCPA (Utah Consumer Privacy Act), which has been called the most business-friendly of the state laws passed so far, or California's CCPA (California Consumer Privacy Act), which is regarded as one of the most stringent.

Like Colorado's law, Connecticut's looks more pro-consumer, giving residents of the Nutmeg State the ability to opt out of the sale of their data, or its use for targeted advertising and profiling. Portions of the legislation also restrict targeted advertising to children and the sale of their data.

In addition to the ability to opt out, consumers can also ask organizations for access to their data, to correct it, and to delete any data that a controller may have obtained through a third party, a request which mirrors a recent amendment to Virginia's data privacy law.

A “controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer’s request to delete such data . . . by (A) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the controller’s records and not using such retained data for any other purpose pursuant to [the CTDPA], or (B) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to” the law.

To address these requests, beginning January 1, 2025, organizations will have to have privacy controls in place so they can recognize opt-out signals.

Organizations that maintain data on at least 100,000 Connecticut residents will be required to comply with the soon-to-be law; businesses that trade in data sales will have to comply if they have data on a quarter that number: 25,000 residents.

Connecticut will have a right to cure, essentially a grace period to cure any potential violations. Similar to California and Colorado, Connecticut's right to cure won't last forever; it's scheduled to sunset on December 31, 2024. California's fades away on January 1, 2023; Colorado's on the same date in 2025. After this time, states can enforce the law against organizations that fail to comply.

While the law is quite a ways from being a concern for most companies in Connecticut, the fact that its passage is imminent serves as yet another reminder to organizations, even those that may not be based in Connecticut, to be aware of its requirements.

Being aware of what kind of user data is being collected and where it's stored, in addition to having tools in place to facilitate that collection, will be key in the months leading up to its go-live date.

Tags: Data Privacy


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.