Can I ignore consumer requests for information or deletion in Connecticut? What are the requirements?
Consumer Requests for Information or Deletion in Connecticut
No, consumer requests for information or deletion cannot be ignored in Connecticut. The Department of Consumer Protection, Consumer Education Division, State Office Building, 165 Capitol Avenue, Hartford, Connecticut 06106, is responsible for addressing requests for information [1.1].
Under the Connecticut General Statutes, Sections 42-515 to 42-525, inclusive, controllers are required to comply with authenticated consumer rights requests [3.4]. A controller must establish one or more secure and reliable means for consumers to submit a request to exercise their consumer rights. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to verify the identity of the consumer making the request [3.2].
If a consumer designates another person to serve as the consumer’s authorized agent, the controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on such consumer’s behalf [3.3].
Upon written request, a record shall be maintained of each person, individual, agency, or organization who has obtained access to or to whom disclosure has been made of personal data, pursuant to Chapter fifty-five of the Connecticut General Statutes, together with a reason for each disclosure or access. This record shall be made available to the individual who is the subject of the personal data disclosure [1.3].
Requirements for Compliance
Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue. Controllers must not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers [3.2].
If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt-out of such processing [3.2].
A controller shall not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a controller has actual knowledge, and wilfully disregards, that the consumer is at least thirteen years of age but younger than sixteen years of age [3.2].
A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data processed by the controller, the purpose for processing personal data, how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request, the categories of personal data that the controller shares with third parties, if any, the categories of third parties, if any, with which the controller shares personal data, and an active electronic mail address or other online mechanism that the consumer may use to contact the controller [3.2].
Conclusion
In conclusion, consumer requests for information or deletion cannot be ignored in Connecticut. Controllers must establish secure and reliable means for consumers to submit requests to exercise their consumer rights, and must comply with authenticated consumer rights requests. Controllers must also limit the collection of personal data, establish reasonable data security practices, and provide consumers with a clear and meaningful privacy notice.
Source(s):
- [1.1] Consumer complaints and requests for information
- [3.2] (Note: This section is effective July 1, 2023.) Controllers’ duties. Sale of personal data to third parties. Notice and disclosure to consumers. Consumer opt-out.
- [3.3] (Note: This section is effective July 1, 2023.) Authorized agents and consumer opt-out.
- [1.3] Procedures regarding the maintenance of personal data
- [3.4] (Note: This section is effective July 1, 2023.) De-identified and pseudonymous data. Controllers’ duties. Exceptions. Applicability of consumers’ rights. Disclosure and oversight.
Jurisdiction
Connecticut