February 3, 2023

Volume XIII, Number 34


Connecticut Fifth State to Pass a Comprehensive Privacy Law

Connecticut just joined California, Colorado, Utah, and Virginia in passing a comprehensive privacy law. The Connecticut Data Privacy Act (CTDPA) goes into effect July 1, 2023, the same time as Colorado’s very similar law. Companies preparing for these new laws (Virginia goes into effect January 1, 2023 and Utah December 31, 2023) will want to keep in mind the following five things about this fifth general US state privacy law.

  1. Applicability. It applies to businesses that (1) conduct business in Connecticut, or produce products or services targeted to CT residents; and (2) during the preceding calendar year either (a) controlled/processed the personal data of at least 100,000 consumers (excluding for payment transactions), or (b) controlled/processed the personal data of at least 25,000 consumers and derived more than 25% of gross revenue from the sale of personal data. A “consumer” is not an employee or individual acting in their role as an employee. Similar to other state laws, there are exemptions. The law does not apply to government entities or nonprofits or institutions in higher education. The law also exempts financial institutions subject to GLBA and entities and information subject to HIPAA.

  2. Individual Rights. Like other states, Connecticut provides consumers with the right to access, correction, portability and deletion. Taking its cue from Virginia and Colorado, it also gives consumers the right to opt-out of processing data for targeted advertising, sales, and profiling. “Sales” is defined broadly as in California and Colorado: “monetary or other valuable consideration.” This opt-out requirement will go into effect January 2025, six months after Colorado’s similar requirement. As with Virginia, Colorado, and GDPR, companies must get consent to process sensitive data.

  3. Contractual Requirements. Similar to other state laws, data controllers will need to enter into contractual agreements with processors. Those contracts must hold a processor to at least the same protections as the controller.

  4. Data Security and Governance. Connecticut currently has a broad data security law, requiring “safeguarding” of personal information. This new law provides more detailed requirements. Companies will need to establish, implement and maintain reasonable administrative, technical and physical data security practices. Connecticut also joins California, Virginia, and Colorado in requiring controllers to conduct data protection assessments prior to engaging in data processing activities that present a heightened risk of harm to consumers. The Attorney General may request copies of these assessments.

  5. Enforcement. Similar to the other general state privacy laws, this law does not provide for a private right of action. Enforcement rests with the Attorney General. Businesses will be given a temporary 60-day right to cure violations until December 31, 2024. Starting in 2025, the Attorney General will have discretion to determine whether to grant a cure period. Violations can result in civil penalties of up to $5,000 per violation plus actual and punitive damages, and attorneys’ fees and costs.

Putting it into Practice: The passing of this law is yet another reminder of the importance of adaptive privacy programs. As 2023 approaches, companies will want to balance these laws’ similarities (providing rights, contractual provisions, security obligations) with the laws’ nuances.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 132

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...


Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

Dhara Shah, Law Clerk, Chicago, Sheppard Mullin Richter & Hampton LLP
Law Clerk

Dhara Shah is a law clerk in the Intellectual Practice Group in the firm’s Chicago office.