February 9, 2023

Volume XIII, Number 40


February 08, 2023

Subscribe to Latest Legal News and Analysis

February 07, 2023

Subscribe to Latest Legal News and Analysis

February 06, 2023

Subscribe to Latest Legal News and Analysis

Connecticut Steps up To the Consumer Privacy Law Plate

On April 28, 2022, the Connecticut House of Representatives joined the Connecticut Senate in passing the Connecticut Data Privacy Act (CTDPA), which now heads to Governor Ned Lamont for signature. Governor Lamont is expected to sign the bill (Senate Bill 6), making Connecticut the fifth state to pass a consumer privacy law.


CTDPA would apply to businesses that:

  1. Conduct business in Connecticut or produce products or services targeted to Connecticut residents and

  1. Either (1) control or process the personal data of at least 100,000 residents annually or (2) derive over 25% of its gross revenue from the “sale” of personal data and control or process the personal data of at least 25,000 residents annually.

As with other state laws, CTDPA contains broad exceptions for certain entities and data categories, including government entities, nonprofits, higher education institutions, national securities associations and information and entities regulated by both the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. It also exempts personal data collected about employees and business contacts.

CTDPA, which would take effect on July 1, 2023, includes many of the same rights, obligations and exceptions that have become common in other consumer privacy laws and proposals:

  • The “personal data” protected by CTDPA includes information that is linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include de-identified data or publicly available information.

  • CTDPA requires opt-in consent for the collection and processing of “sensitive” information, which includes information revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data and precise geolocation data.

  • CTDPA would provide consumers with the familiar rights of notice, access, portability, correction and deletion. Certain rights, however, are qualified by reasonable business-use exemptions such as detecting fraud and complying with a company’s legal obligations, while others (like the right to delete) are broader than we have seen in other states.

  • Like other laws, CTDPA would allow consumers to opt out of the use of their information for certain purposes, including targeted advertising, the sale of personal data and automated profiling decisions that “produce legal or similarly significant effects concerning the consumer.” Beginning in 2025, consumers may exercise their right to opt out by using a global opt-out device setting.

  • CTDPA requires businesses to obtain opt-in consent from children under the age of 16 before selling their personal data or using it for targeted advertising. Businesses that comply with the verifiable consent requirements of the Children’s Online Privacy Protection Act would be deemed compliant with the parental consent obligations contained in CTDPA.

  • Consumers will have the right to appeal a denial of a consumer request, which mimics the rights to appeal provided under Colorado and Virginia laws.

  • CTDPA would be exclusively enforced through actions by the Connecticut Attorney General. Until December 31, 2024, there is a 60-day cure period for alleged violations. Beginning January 1, 2025, a cure period is granted at the discretion of the Connecticut Attorney General.


© 2023 McDermott Will & EmeryNational Law Review, Volume XII, Number 122

About this Author

Amy C. Pimentel, Global Privacy Staff Attorney, McDermott Will & Emery Law Firm

Amy Pimentel is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Boston office.  Amy is a member of the Firm’s Global Privacy and Data Protection Affinity Group.  She focuses her practice on consumer protection, privacy, information security and international law.

Amy received her J.D. in 2014 from Northeastern University School of Law.  While in law school, Amy worked at the U.S. Department of Justice in the Office of International Affairs and interned for a judge at the International Criminal Tribunal...

David Saunders Cybbersec Attorney McDermott Will Emery Law Firm

David P. Saunders (CIPP/US, CIPM) is an experienced litigator who focuses his practice on privacy and cybersecurity matters. David helps clients mitigate and manage risks related to data privacy and cybersecurity, from counseling on compliance with privacy regulations and managing data incident responses, to navigating regulatory investigations and handling biometric and other privacy-related litigation.


David works collaboratively with a diverse range of clients, from small business and pro bono clients to multinational Fortune 100 companies, understanding and advising on...

Cathy Lee IP Attorney McDermott Will & Emery

Cathy Lee focuses her practice on privacy and cybersecurity matters, including compliance and GDPR related matters.

Cathy’s experience encompasses, working with digital advertising companies to confirm compliance policies with the digital advertising ecosystem, as well as drafting training materials on the comprehensive data privacy laws globally including in Australia, Georgia, Hong Kong, Moldova, Montenegro, South Korea, Turkey and New Zealand.


During law school, Cathy was editor-in-chief for the American Intellectual Property Law Association Quarterly Journal...

202 756 8141