Reggi is the free generative AI assistance for regulatory compliance
Can I ensure that my company is compliant with expanding privacy protections in Connecticut? What are the requirements?
Connecticut Privacy Protections Compliance Requirements
Connecticut has enacted privacy protection laws that companies must comply with to ensure the protection of personal data. The following are the requirements for companies to comply with expanding privacy protections in Connecticut:
- Limitation of Personal Data Collection: Companies must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer [5.1(a)(1)].
- Processing of Personal Data: Companies must not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the company obtains the consumer’s consent [5.1(a)(2)].
- Data Security Practices: Companies must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue [5.1(a)(3)].
- Sensitive Data Processing: Companies must not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA [5.1(a)(4)].
- Compliance with Laws: Companies must not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers [5.1(a)(5)].
- Revocation of Consent: Companies must provide an effective mechanism for a consumer to revoke the consumer’s consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than fifteen days after the receipt of such request [5.1(a)(6)].
- Targeted Advertising and Sale of Personal Data: Companies must not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a company has actual knowledge, and wilfully disregards, that the consumer is at least thirteen years of age but younger than sixteen years of age [5.1(a)(7)].
- Privacy Notice: Companies must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data processed by the company, the purpose for processing personal data, and how consumers may exercise their consumer rights, including how a consumer may appeal a company’s decision with regard to the consumer’s request [5.1(c)].
- Non-Discrimination: Companies must not discriminate against a consumer for exercising any of the consumer rights contained in sections 42-515 to 42-525, inclusive, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer [5.1(a)].
Companies must comply with these requirements to ensure that they are compliant with expanding privacy protections in Connecticut.
Jurisdiction: Connecticut