Key facets of the CTDPA
The CTDPA gives Connecticut residents rights over their personal data and establishes more stringent privacy protection standards for people and organizations processing personal data, referred to as “controllers.” This legislation protects a Connecticut resident acting as an individual or in a household context, for example when browsing the Internet or making a purchase at a brick-and-mortar store. It does not protect an individual acting in an employment context, such as when applying for a job. The CTDPA also gives businesses interested in protecting employees—including highly visible company executives—plus customers and vendors, the authority needed to take down sensitive, private information that could be detrimental to operations.
This act regulates people who conduct business in Connecticut or who produce products or services targeted to Connecticut residents that, during the prior calendar year, controlled or processed the personal data of:
- At least 100,000 consumers, OR
- 25,000 or more consumers and derived over 25% of gross revenue from the sale of personal data.
It also applies to service providers (called “processors”) that maintain or provide services involving personal data on behalf of covered businesses.
The CTDPA provides Connecticut residents the following enumerated rights:
- The right to access personal data that a controller has collected about them.
- The right to correct inaccuracies in their personal data.
- The right to delete their personal data, including personal data that a controller collected through third parties.
- The right to obtain a copy of their personal data in a portable and easy-to-use format that allows them to transfer the data to another controller with ease.
- The right to opt out of:
  - The sale of their personal data;
  - The processing of personal data for the purposes of targeted advertising; and
  - Profiling that may have a legal or other significant impact.
In addition, the CTDPA protects the personal data of children and teens. If a child’s personal data is being processed, the child’s parent or legal guardian may exercise rights on the child’s behalf. Those processing the data must follow all regulations concerning children’s online privacy established in the Children’s Online Privacy Protection Act (“COPPA”), including parental consent requirements. In addition, the CTDPA requires controllers to obtain opt-in consent before selling a consumer’s personal data, or processing personal data for the purposes of targeted advertising, when the consumer is under 16 years old.
To maintain compliance under the CTDPA, people and organizations processing personal data (“controllers”) must:
- Provide notice regarding the types of personal data the controller processes, the purpose(s) for processing, whether and why the controller shares personal data with third parties, and information about how consumers can exercise their various rights (e.g. access, deletion) over their personal data.
- Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the specific purpose(s) for which the data is processed (also known as “data minimization”).
- Obtain consent before processing a consumer’s sensitive data.
- Respond to requests to exercise consumer rights granted under the CTDPA.
- Conduct assessments before processing personal data in a manner that presents a heightened risk of harm to consumers (called “Data Protection Assessments”). This includes processing personal data for the purposes of targeted advertising, sale, or profiling, and processing sensitive data.
- Use reasonable safeguards to secure personal data.
- Not discriminate against consumers who exercise their rights under the CTDPA or process personal data in a manner that would otherwise result in unlawful discrimination.
How Privacy Bee helps you
As a consumer or business, the CTDPA allows you to designate a third party (that’s us!) to opt out on your behalf, because doing this process manually on your own is incredibly time-consuming. This means Privacy Bee, with your permission, can mitigate the sale of your or your employees’ personal data across the internet, including the dark web, to reduce the digital attack surface a cybercriminal can exploit while enhancing external data privacy in general.
Data brokers hoard your information for a profit, buying and selling it to unknown entities that you have no control over. And as you might imagine, having all sorts of private information floating around the web makes for some dangerous situations in the hands of a hacker. All it takes is one inevitable data breach before your identity is stolen. When even one identity is stolen, it can open the door for cybercriminals to compromise other members of your family, or your most sensitive business data.
Before this occurs, use Privacy Bee to find all the locations across the web where your data is exposed and scrub it away with little to no effort on your part, proactively protecting you from identity theft (or if you’re a business, a data breach) along with any others you choose to bring into the service. We believe privacy should not be contested, bartered, or political, but rather a basic human right, which is why we work so hard to monitor user data for security breaches and obligate businesses that are collecting and storing their data to erase it and opt out of any further data collection.
Privacy Bee protects users against:
- Spam emails
- Telemarketer calls
- And, of course, identity theft
For businesses, Privacy Bee improves your organization’s digital hygiene, reduces spam outreach to increase worker productivity, defends against employee poaching and expensive data breaches, and so much more.
Whether you’re an individual looking to proactively protect yourself and your family, or a business looking to protect employees and customers alike, Privacy Bee is here to give you control of all your private data.