Data Privacy Alert Library
A collection of summaries of important privacy news with expert analyses.
Alert shelved under State Laws
Connecticut Becomes Fifth State to Enact a Comprehensive Consumer Data Privacy Law
Connecticut Becomes Fifth State to Enact a Comprehensive Consumer Data Privacy Law
May 25, 2022
Why This Alert Is Important

On May 10, 2022, Connecticut joined California, Colorado, Utah, and Virginia as states that have passed comprehensive consumer data privacy laws. The provisions of the Act Concerning Personal Data Privacy and Online Monitoring will go into effect on July 1, 2023, the same date as the Colorado Privacy Act goes into effect.


The Connecticut consumer privacy law contains many of the same rights, obligations, and exceptions seen in the previously enacted state-level privacy laws, most closely following the trends set by Colorado and Virginia. Of course, the law does contain several differences from other state privacy laws, which organizations must account for in their compliance efforts.

As in most new privacy legislation, the law imposes limits on collection and use of data, so organizations can only collect what is “adequate, relevant, and reasonably necessary… to the purposes for which such data is processed” and may not use data “for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes.” Organizations have an obligation to establish and implement administrative, technical, and physical data security practices. A consumer’s consent must be “freely given, specific, informed and unambiguous.”

Who It Applies To

The law applies to organizations that conduct business in Connecticut and either (1) control or possess personal data belonging to 100,000 Connecticut citizens excluding data tied solely to the purpose of completing payment transactions, or (2) control or possess personal data belonging to 25,000 consumers and derive 25% of their revenue from the sale of personal data. The law draws on the same framework used in Virginia and Colorado for determining eligibility but strikes a balance between the two (50% of revenue in VA and any revenue in CO). With no annual revenue threshold for organizations, it takes a different approach than either California, where all organizations over a certain size must comply, and Utah, where smaller organizations may be exempted.

Six types of organizations are exempt from the law:

• State and local governments

• Nonprofits

• Higher education institutions

• National securities associations registered under the Securities Exchange Act of 1934

• Financial institutions subject to Gramm-Leach-Bliley Act

• Covered entities as defined by HIPAA

What is Covered

The Connecticut law provides citizens with five main rights that are largely the same as those enumerated in Virginia’s and Colorado’s privacy laws.

• Right to access

• Right to correct

• Right to delete

• Right to portability

• Right to opt out

Potential Penalties

Notably, the Connecticut law does not provide consumers with a private right of action, as is the case in Colorado, Utah, and Virginia. Like Virginia, enforcement is solely at the discretion of the state’s Attorney General. Prior to any enforcement action, the AG must notify an organization of its violation; the law gives them 60 days to cure the violation. However, this provision sunsets on January 1, 2025. After that point, the AG’s office has discretion as to whether or not to allow an opportunity to cure violations before an enforcement action. Organizations may be penalized up to $5,000 per willful violation under the Connecticut Unfair Trade Practices Act.

Expert Analysis
Matt Dumiak,
Matt Dumiak,
CIPP/E, CIPP/US, Director of Privacy Services - Compliance Poin

Operational challenges abound with the Connecticut data privacy law. From data protection impact assessments to an appeals process when rights requests are declined, businesses must understand their obligations under this law and how it impacts their existing privacy program. Further, and something we are starting to see in other laws, businesses are required to gain consent prior to collecting sensitive data and must allow the consumer to opt-out of the processing of sensitive data in a manner that is at least as easy as it was to provide consent. The vendor environment will also need to be accounted for with specific contractual obligations. These exercises can take time, and it is recommended that businesses get in front of these obligations before the July 1, 2023, effective date.

return to data privacy alert library
State Laws
Privacy Law Tip

Link your data management engine with multiple privacy, legal and business regulatory obligations to substantiate your decisions based on rich, contextual data insights.
Ask us how!

Download Alert PDF

Download the PDF version of this Data Privacy Alert here.