Complying with the Connecticut Data Privacy Act (CDPA)

Taking effect on July 1, 2023, CDPA seeks to protect consumer privacy by defining how companies gather, use, store, and manage customer data.

Learn the basics of the Connecticut Data Privacy Act (CDPA) and how it impacts your business.

In this article, we provide information that can help business owners successfully navigate the Connecticut Data Privacy Act (CDPA).

The CDPA employs the same general framework as privacy laws in Virginia and Colorado.

It doesn’t matter where your business is located: the CDPA applies to your company if your customers reside in Connecticut. If you fail to comply with CDPA regulations, you may face expensive financial penalties and possible damage to your reputation. But there are solutions that simplify compliance.

Protecting Consumer Privacy

The law defines a “consumer” as a Connecticut resident and explicitly excludes individuals “acting in a commercial or employment context.” Consumers gain the right to:

  1. Access their personal data
  2. Correct their personal data
  3. Delete their personal data
  4. Data portability
  5. Opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling.

The law applies to entities that:

  • Conduct business in Connecticut or produce products or services targeted to Connecticut residents, and that, during the preceding calendar year, either:
      • Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions; or
      • Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data.

Because the CDPA does not impose a revenue threshold, a business cannot become subject to the law merely due to its annual revenues; however, smaller, regional businesses that meet other thresholds may find that they need to comply with it.

The law explicitly excludes personal data processed solely for payment transactions. Entities that process debit or credit cards only to the extent necessary to complete a sale will not be subject to the law’s requirements.

The law exempts certain types of entities and data from its requirements. The following types of entities are exempt from the law:

  1. State and local governments.
  2. Nonprofits.
  3. Higher education institutions.
  4. National securities associations registered under the Securities Exchange Act of 1934.
  5. Financial institutions and data subject to the Gramm-Leach-Bliley Act.
  6. Covered entities and business associates as defined by the Health Insurance Portability and Accountability Act.

Satisfying the Connecticut Data Privacy Act

To cost-effectively ensure they are complying with CDPA, businesses will have to manage and track consumers’ requests to opt out, review, access, delete, and obtain their data.

Business owners and leaders need a system for tracking consumer requests to opt out, review, access, delete, and obtain their data. Without an accurate system for tracking the status of each request, business owners risk costly penalties and damage to their reputations.

To strengthen and enhance customer loyalty, PrivacyCare offers a system that features:

  1. Customizable data-subject-request (DSR) forms that consumers can use to initiate their data request.
  2. Consumer authentication.
  3. A flexible record-keeping system that can support any DSR process, helping businesses comply with multi-state data privacy laws.
  4. A database of the DSRs and their status.
  5. A cost-effective solution that avoids unnecessary upgrades involving data analytics, data management, and data security functions.
  6. A SaaS platform that eliminates the need for businesses to purchase and manage hardware or software.
  7. Up-to-date coverage of the latest changes to data privacy laws across the U.S.

For help with your data privacy compliance challenges, contact PrivacyCare today.

Get started with PrivacyCare

Avoid costly fines, protect your customers’ personal data, and protect your brand value by building customer trust. Jumpstart your consumer data privacy program and get started for free today.
