Connecticut Data Privacy Act (CTDPA)
The CTDPA gives Connecticut residents certain rights over their personal data and establishes responsibilities and privacy protection standards for data controllers that process personal data. It protects a Connecticut resident acting in an individual or household context, such as browsing the Internet or making a purchase at a store. It does not protect an individual acting in an employment context, such as applying for a job.
Is Complying with CTDPA Mandatory?
The CTDPA applies to people who conduct business in Connecticut or who produce products or services targeted to Connecticut residents and that, during the prior calendar year, controlled or processed the personal data of:
at least 100,000 consumers; or
25,000 or more consumers and derived over 25% of gross revenue from the sale of personal data.
It also applies to service providers (called “processors”) that maintain or provide services involving personal data on behalf of covered businesses.
What are the penalties for not complying with CTDPA?
Entities or individuals that violate the CTDPA may face civil penalties up to $5,000 per violation, pursuant to the Connecticut Unfair Trade Practices Act. In addition to civil penalties, the Attorney General can also seek injunctive relief, restitution, and/or disgorgement.
Keep in mind, a violation of one consumer’s rights equates to one violation. If the rights of 100 consumers are violated, this amounts to 100 violations, potentially leading to a penalty of up to $500,000. Fines can accumulate rapidly.