Connecticut's Privacy Law: Does It Apply to Your Business?
As 2023 approaches and a new round of data privacy laws are slated to take effect, business leaders are scrambling to determine which laws apply to their companies and how to juggle multi-state compliance. The Connecticut Data Privacy Act (CDPA) is one of those laws, going into effect on July 1, 2023.
To anyone familiar with Virginia’s Consumer Data Protection Act, the criteria for determining whether the CDPA applies should look familiar as they are more or less identical. Here’s a quick rundown on how to figure out if the Connecticut Data Privacy Act applies to your business.
The CDPA’s Criteria
As with the Virginia privacy law, most of the CDPA’s rules apply to “controllers”—i.e., for-profit businesses that “determine the purpose and means of processing personal data.”
Basically, if it’s your website (or store), you are the controller of any data that is processed in connection with that site.
Any controller that has a physical presence in Connecticut, or sells its products or services online to state residents, must comply with the CDPA if at least one of the following applies:
- Control the personal data of at least 100,000 state residents in a calendar year, OR
- Control the personal data of at least 25,000 state residents in a calendar year AND derive more than 25% of gross annual revenue from the sale of personal data
For most businesses, it will be the 100,000-consumer threshold that applies to them. If your business has a website, it is controlling the personal data (e.g., IP addresses, cookies, etc.) of each one of its visitors. If you are getting just 8,400 unique visitors from Connecticut per month, that puts you over the 100,000 mark.
Exemptions
The CTDPA also contains a number of exemptions at the entity level, and for specific types of personal data. These exemptions include:
- Nonprofit organizations
- Government agencies
- Financial institutions
- Institutions of higher education
- Data regulated by the Health Insurance Portability and Accountability Act (HIPAA)
- Data regulated by the Fair Credit Reporting Act (FCRA)
Multi-State Compliance Made Simple
Navigating the complexities of multiple privacy laws at once can be difficult for any business, but it’s even harder for businesses that don’t have in-house privacy experts or legal departments. TrueVault US simplifies multi-state privacy compliance, allowing businesses of any size to handle it on their own.
Designed by attorneys, TrueVault US is an all-in-one privacy software that helps you get your business fully compliant with laws like the CDPA and California’s CCPA even if you’re starting from scratch. From onboarding vendors to processing privacy requests, TrueVault provides guidance at every step.
Contact our team to learn more and view a demo.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
- ON THIS PAGE
- Criteria for Businesses
- Exemptions
- Multi-State Compliance
Get compliant today
Our attorney-designed software will step-by-step guide you through the compliance process from start to finish.
Request a Demo