As always, this is meant to be general guidance and should not be viewed as legal advice. Please consult with your legal counsel to ensure your actions align with the interpretations and requirements of your legal team.
On May 10, 2022, Connecticut became the fifth state in the United States to put privacy legislation into law when the governor signed the Connecticut Data Privacy Act (CTDPA). Similar to the Virginia, Colorado, and Utah laws, the CTDPA follows a controller/processor model and lays out both specific rights for users, as well as specific obligations for businesses that process users’ data. Here we will explore the key points that marketers and advertisers with users in Connecticut need to be aware of in advance of July 1, 2023 when the law goes into effect.
Who does the law apply to?
Persons (businesses) that conduct business in Connecticut or produce products or services targeted to residents of Connecticut and meet one of the following thresholds during the previous calendar year:
- Controlled or processed personal data of not less than 100,000 consumers, excluding processing solely for purpose of payment processing, or
- Controlled or processed personal data of not less than 25,000 consumers and derived more than 25% of gross revenue from the sale of personal data
What rights are granted to consumers?
Connecticut consumers are granted the right to:
- Confirm whether or not a controller is processing their personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret;
- Correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
- Delete personal data provided by, or obtained about, the consumer;
- Obtain a copy of their personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance;
- Opt out of the processing of the personal data for purposes of:
- Targeted advertising
- The sale of personal data
- Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer
There are some fancy terms being used in that explanation—what are you talking about?
Some important definitions to be aware of:
- Consumer – an individual who is a resident of Connecticut (ex. a user living in Connecticut who is accessing your website)
- Controller – individual who, or legal entity that, determines the purpose and means of processing personal data (generally the owner of a website being visited)
- Processor – individual who, or legal entity that processes personal data on behalf of a controller (ex. your web analytics platform provider)
- Processing – an operation or set of operations performed on personal data or on sets of personal data such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data
- Personal data – information that is linked or reasonably linkable to an identified or an identifiable individual (for example, a unique user ID assigned to a user when they visit your website). This does not include de-identified data or publicly available information.
- De-identified data – data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual, if the controller that possesses such data:
- Takes reasonable measures to ensure that such data cannot be associated with an individual
- Publicly commits to process such data only in a de-identified fashion and not attempt to re-identify such data and
- Contractually obligates any recipients of such data to satisfy the criteria set forth in the above
- Sale of personal data – exchange of personal data for monetary or other valuable consideration by the controller to a third party
- Targeted advertising – displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests
- It does not include advertising:
- Based on a consumer’s activities within a controller’s website or online application
- Based on the context of a consumer’s current search query or visit to a website or online application
- Directed to a consumer in response to the consumer’s request for information or feedback
- Processing personal data solely to measure or report advertising:
- Performance
- Reach
- Frequency
- It does not include advertising:
- Sensitive data – data that:
- Reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship/immigration status
- Processing of genetic or biometric data for the purpose of uniquely identifying an individual
- Personal data collected from a known child
- Precise geolocation data
So … what do I need to be doing?
When trying to apply the legal requirements to the everyday work of marketers and advertisers, I like to approach the requirements through a few general categories: transparency and disclosure; user choice; user access and deletion; and privacy practices.
Transparency & Disclosure
First and foremost, the controller (this is likely your business as you own the website and are defining data strategy) must provide consumers with a reasonably accessible and clear privacy notice. This must include:
- Categories of personal data being processed;
- Purpose for processing personal data;
- How consumers may exercise a right;
- Categories of personal data that the controller shares with third parties, if any;
- Categories of third parties, if any, with whom the controller shares personal data; and
- Active email address or other online mechanism that the consumer may use to contact the controller
In addition, if the controller sells a consumer’s personal data or if they process personal data for targeted advertising, they must clearly and conspicuously disclose such processing, as well as the manner in which the consumer can exercise their right to opt-out of such processing.
To enable this process, as a marketer, you need to clearly define the use cases for which personal data is used. This will likely include any kind of audience creation and targeting strategies. Once these use cases are clearly defined, identify what personal data is being used for such activities. An example of likely personal data would be a User ID or email which is included in audience lists for activation. Document all of this personal data, how it is used, platforms it is being shared with, etc. This data mapping activity will provide the foundation from which your compliance teams can easily update disclosures for users and ensure you are compliantly processing the data.
The disclosure portion of this law is extremely important as one obligation of the controller (your company) is that you must not process personal data for purposes which are not disclosed to the consumer.
User Choice
If the controller is engaging in the sale of personal data or targeted advertising, the controller shall clearly and conspicuously disclose such processing as well as the manner in which the consumer may exercise the right to opt-out of such processing.
As a marketer, you must identify if these activities are occurring and ensure there are mechanisms in place to confirm user choice selections are able to be respected so the user’s data is no longer sold nor processed for targeted advertising.
The mechanisms for respecting a user’s privacy preference indication (opt-out) will vary from platform to platform. In many cases, this will involve a technical modification to the tags responsible for collecting data on your website or mobile application.
User Access & Deletion
When a user submits a request for access or deletion of their personal data, the controller has 45 days to take action on the consumer’s request and to inform the consumer of any action taken. This period can be extended for an additional 45 days if reasonably necessary so long as notice is given to the consumer of the extension within the initial 45-day period.
Any processing of personal data for purposes of marketing and advertising needs to be documented in order to enable adherence to these requests and also structured and stored in such a way as to be able to trace, access, and/or delete the data in question.
Privacy Practices
The CTDPA goes a bit further than some other U.S. privacy laws in explicitly outlining privacy practices that must be followed, effectively codifying best practices into law.
Data minimization
Controllers must “limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed and disclosed to the user”.
For all of the use cases where personal data is being used, ask yourself “what is the minimum amount of personal data necessary to accomplish this?”. In many cases, there may even be a way to accomplish the same outcome without the use of personal data. Get creative here and think outside the box for new privacy-centric solutions to traditional marketing and advertising challenges.
Protections for personal data
Another obligation of controllers is to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect personal data appropriate to the volume and nature of personal data at issue”.
Have your partners that are responsible for the data collection and processing architecture ensure all personal data is being protected. There is nothing worse than the double whammy of fines and reputational damage that comes from leaks and misuse of personal data by unauthorized parties.
Data protection assessments
It is required by law to “conduct and document a data protection assessment for processing activities that present a heightened risk of harm to a consumer. These include:
- Targeted advertising
- Sale of personal data
- Processing for purposes of profiling when profiling represents foreseeable risk of:
- Unfair treatment
- Injury to consumers
- Intrusion on private affairs or solitude of a reasonable person
- Substantial injury to consumers
- Processing of sensitive data”
The activities specifically outlined are many activities that advertisers and marketers are responsible for. It is important to document all of these use cases and clearly define any personal data being used.
Further, you must “identify and weigh the benefits that may flow from the processing to the controller against the risks to the rights of the consumer”. This means it’s not enough to simply define a tactic—you must strategically think about the benefit of the activity and weigh it against the risk of harm to the consumer. All advertising activities need to be evaluated in this manner.
What happens in the event of a violation?
Enforcement for the Connecticut Data Privacy Act lies with the state Attorney General. The Connecticut Attorney General is tasked with investigating and identifying instances of noncompliance. For the first 18 months of enforcement (until December 31, 2024), the Attorney General must provide notice of a violation at least 60 days before an enforcement action can be made. Within this period, organizations have the ability to demonstrate the issue has been fixed in a way that is compliant with the law. If this is not completed, an enforcement action can be brought against the violating organization resulting in a fine and reputational damage. Beginning on January 1, 2025 the Attorney General may determine whether to grant the opportunity to cure an alleged violation—but they don’t have to! This means all of the processes need to be airtight by the date when the opportunity for a cure period concludes.
When does the law go into effect?
The effective date of the Connecticut Data Privacy Act is July 1, 2023.
Create Your Privacy Best Practices Now
As you can see, the CTDPA ushers in a number of new requirements for your business. If you operate in Connecticut or have users in Connecticut, you need to start ramping up now to ensure you’re compliant—that July 1, 2023 date is quickly approaching and a number of operational updates need to be in place before then.
You must be strategic and purposeful around what data you collect and how you use it. Any practices involving personal data must be documented, evaluated, and ultimately disclosed to your users, giving them the right to opt-out of various uses of their personal data. Now that you know the needs, it’s time to execute. Reach out to us today to get started on your journey to privacy-centric data enablement.