Can I use customer data for marketing purposes without violating privacy laws in Connecticut? What are the requirements?

To use customer data for marketing purposes in Connecticut, you must comply with the requirements set forth in the Connecticut General Statutes (CGS) sections 42-515 to 42-525, inclusive, which are effective July 1, 2023.

Requirements for using customer data for marketing purposes

According to CGS section 42-520, a controller shall not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a controller has actual knowledge, and wilfully disregards, that the consumer is at least thirteen years of age but younger than sixteen years of age.

Additionally, a controller shall provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes the categories of personal data processed by the controller, the purpose for processing personal data, how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request, the categories of personal data that the controller shares with third parties, if any, the categories of third parties, if any, with which the controller shares personal data, and an active electronic mail address or other online mechanism that the consumer may use to contact the controller [CGS section 42-520(c)].

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing [CGS section 42-520(d)].

Exemptions

Certain entities and types of data are exempt from the provisions of sections 42-515 to 42-525, inclusive, including nonprofit organizations, institutions of higher education, and certain types of health information [CGS section 42-517].

Data Protection Assessments

Effective July 1, 2023, controllers must conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer, including processing personal data for targeted advertising or selling personal data [CGS section 42-522(a)]. The assessment must identify and weigh the benefits and potential risks associated with the processing, as well as any safeguards that can be employed to reduce such risks [CGS section 42-522(b)]. The Attorney General may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General [CGS section 42-522(c)].

Conclusion

In summary, to use customer data for marketing purposes in Connecticut, you must comply with the requirements set forth in CGS sections 42-515 to 42-525, inclusive, which include obtaining the consumer’s consent before selling their personal data or processing it for targeted advertising, providing a clear and meaningful privacy notice, and allowing consumers to opt out of such processing. Certain entities and types of data are exempt from these provisions, and effective July 1, 2023, controllers must conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to a consumer.

Jurisdiction

Connecticut

• General