Connecticut Passes Data Privacy Law

Connecticut became only the fifth U.S. state to pass comprehensive legislation governing consumer data privacy earlier this month when Gov. Ned Lamont signed the Connecticut Data Privacy Act (CDPA) into law. The CDPA becomes effective July 1, 2023.

CDPA will limit how companies can collect and use personal information about Connecticut residents. It will require opt-in consent for the collection and processing of consumers’ information, including racial or ethnic origin, religious beliefs, mental or physical health, sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data, and precise geolocation data. The DPA also requires companies to notify consumers about their data collection and use and gives consumers the ability to access, correct, or delete information. Consumers will also have the right to opt out of their information being used or sold for certain purposes, such as targeted advertising.

The new law will apply to all companies that do business in Connecticut or with Connecticut residents and either control or process the personal data of at least 100,000 Connecticut residents or derive more than a quarter of their annual gross revenue from the sale of personal data and control or process the personal data of at least 25,000 Connecticut residents. It does make exceptions for some organizations, including state and local governments, charities, higher education institutions, financial institutions, and healthcare providers.

In passing the CDPA, Connecticut joins Colorado, California, Utah, and Virginia as the only U.S. states with data protection laws. There has been talk of similar legislation on the national level, but so far nothing has been passed. Other countries, including the 27 members of the European Union and China, have also passed data privacy laws.