



Discover everything you need to know about the Connecticut Data Protection Act (CTDPA) and its cookie consent requirements. Learn how to comply with CTDPA, obtain consumer consent, and protect personal data while ensuring privacy and regulatory compliance. Find out if your business is affected and explore the benefits of using a cookie management platform (CMP) for seamless compliance.
The Connecticut Data Protection Act has been passed to equip Connecticut consumers with tools to protect their online privacy.
Online tracking and profiling have long served businesses that wanted to provide personalized experiences and better functionality to users, but the data has occasionally been abused, requiring regulatory intervention in the use of cookies.
The new laws on data privacy that we have seen passed in recent years in the United States do not generally limit the use of personal information, but they have changed how consumers can take agency over their online privacy and exercise consumer rights.
The Connecticut Data Privacy Act (CTDPA) applies to individuals and organizations that conduct business in Connecticut or those that offer products or services aimed at its residents and have met the following criteria over the preceding calendar year:
Nonprofits and government agencies are excluded from the applicability criteria.
If you meet these criteria, the CTDPA cookie consent requirements apply to your business.
CTDPA applies to the personal data of identifiable individuals. Any piece of information that could directly or indirectly identify a person is considered personal data.
There are a few exemptions, however, including publicly available information or information protected by industry-specific laws such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and others.
You don't need to obtain consumers' cookie consent for the processing of personal information according to the Connecticut Data Privacy Act unless your processing falls under the exceptions set in the law.
Although the CTDPA implements the opt-out principle, meaning that you can process personal data as long as the consumer does not oppose it, you need an explicit opt-in in some cases.
These cases include:
CTDPA consent is defined as "a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer."
Freely given means that the consumer has the freedom to exercise their choice to consent.
Specific means that the consent is specific to the processing it has been given for. For example, consent given for the processing of sensitive data for a specific purpose does not grant permission for the data to be processed for any other purpose.
Informed consent means that the consumer is fully aware of what they are giving consent to. This emphasizes the importance of a privacy policy and privacy notice, typically presented through a cookie banner.
Unambiguous means that the user must take an affirmative action to provide consent. Mere browsing of the website or remaining silent on the consent request does not imply consent.
Additionally, CTDPA specifies that consent does not include:
Furthermore, consumers must be provided with a mechanism to revoke consent, and this withdrawal process should be as easy as giving consent. For example, if a user consented to the processing by clicking an "ACCEPT COOKIES" button on a cookie banner, they should be able to withdraw their consent by clicking a "WITHDRAW CONSENT" button.
Now that you understand what giving CTDPA consent means, we will delve into each requirement and how to obtain consumer consent for the collection and processing of such data.
CTDPA explicitly prohibits the processing of sensitive data of Connecticut residents without prior consent.
Sensitive data includes:
If you need to use cookies to collect precise geolocation data, for example, you need to ask consumers if they agree to the use of cookies. The use of cookies must not occur before obtaining their consent.
The processing of personal data of a known child under 13 years of age is only legal with parental consent.
The same limitation applies to the processing of personal data of a known child between 13 and 16 years of age when the data is processed for targeted advertising purposes or sold to third parties.
The CTDPA follows the consent methods described in the Children's Online Privacy Protection Act (COPPA), which means that consent can be obtained through various means, including:
Suppose you have collected a user's website behavior data for analytics purposes through Google Analytics, and now you want to process the same categories of personal data for remarketing and advertising purposes. In that case, you need to obtain consent from consumers.
CTDPA explicitly states that data controllers must not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.
CTDPA requires you to provide consumers with a meaningful privacy notice during data collection, where you must disclose the purposes of data processing activities and the categories of consumers' personal data that you process. From that point forward, you can process the disclosed categories of personal information for the disclosed processing purposes.
For example, if you have informed your consumers that you process their website browsing data for statistical purposes, you cannot use it for remarketing without obtaining their consent. Doing so would be a violation of the CTDPA.
Failure to obtain CTDPA cookie consent when required to do so can result in penalties.
The Connecticut Attorney General is responsible for enforcing the law, and unlike in California, Connecticut consumers do not have a private right of action.
Between July 1, 2023, and December 31, 2024, before initiating any legal proceedings for a breach, the Attorney General will issue a notice of violation to the data controller if they believe a remedy for the violation exists. This notice allows the controller to rectify the violation. If the controller fails to remedy the violation within 60 days of receiving this notice, the Attorney General is authorized to take legal action.
From January 1, 2025, onward, the Attorney General has the option to offer a cure period or impose a penalty immediately. The decision depends on factors such as:
The Connecticut Attorney General can also seek injunctive relief and impose civil penalties under Connecticut's Deceptive Trade Practices Act. The Attorney General's enforcement authority is exclusive, with any violations being treated as unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA).
Opting for processing activities that require obtaining consent entails several additional obligations, including:
Connecticut is the fifth U.S. state to enact consumer privacy legislation, following the principles set out in other state privacy laws such as the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Utah Consumer Privacy Act (UCPA), and Colorado Privacy Act (CPA).
These privacy regulations generally adhere to the opt-out principle, except in specific circumstances where consent is required.
These requirements differ from those outlined in the GDPR of the European Union, where businesses are generally required to obtain consent for most data processing activities.
If you want to easily obtain CTDPA cookie consent, using a cookie management platform (CMP) is a smart idea. CMPs are helpful for businesses of all sizes.
These platforms streamline the process of obtaining consumer consent in accordance with data protection rules, as they have legal requirements embedded in their software. Here's why using a CMP is beneficial: