Can I use third-party payment processors on my website in Connecticut? What are the requirements?

Using Third-Party Payment Processors on Websites in Connecticut

Connecticut does not have any specific laws or regulations that prohibit the use of third-party payment processors on websites. However, any payment processor used must comply with federal, state, and municipal ordinances and regulations. Additionally, if the website is collecting and processing personal information from consumers, it must comply with Connecticut’s data privacy laws [EXISTING RESPONSE].

Starting July 1, 2023, processors’ duties and contracts between controllers and processors will be governed by Section 42 CTGS 521. A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor:

• Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
• At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
• Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in sections 42-515 to 42-525, inclusive;
• After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and
• Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under sections 42-515 to 42-525, inclusive, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request ^[3.1].

In summary, while there are no specific requirements for using third-party payment processors on websites in Connecticut, website owners must ensure compliance with all applicable laws and regulations, including data privacy laws. It is recommended to consult with legal counsel and/or a qualified payment processor before implementing any payment processing system on a website. Starting July 1, 2023, processors’ duties and contracts between controllers and processors will be governed by Section 42 CTGS 521 [EXISTING RESPONSE]^[3.1].

Source(s):

• [3.1] (Note: This section is effective July 1, 2023.) Processors’ duties. Contracts between controllers and processors.

Jurisdiction

Connecticut

• Privacy