The Privacy and Data Security Department

The Privacy and Data Security Section handles matters related to the protection of Connecticut residents' personal information and data. The Section enforces state laws governing notification of data breaches, safeguarding of personal information, protection of social security numbers, and data privacy rights afforded to Connecticut residents. The Section is also responsible for enforcement of federal laws under which the Attorney General has enforcement authority, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Children's Online Privacy Protection Act (COPPA), and the Fair Credit Reporting Act (FCRA). In addition, this Section provides the Attorney General with advice and counsel on proposed legislation and other matters regarding privacy and data security, and it engages in extensive outreach to Connecticut residents on their privacy rights and to businesses on their obligations.

FAQs

  • Relevant State Laws
  • Reporting a Data Breach
    • Who must provide notice and to whom is it provided?
      Answer: Pursuant to Conn. Gen. Stat. § 36a-701b, any person who owns, licenses or maintains computerized data that includes personal information is required to disclose a security breach to the Office of the Attorney General and to state residents whose personal information is believed to have been compromised. Note that “any person” includes companies.
    • When does notice have to be provided?
      Answer: Notice to consumers must be made without unreasonable delay and no later than sixty (60) days from discovery of the breach. Additionally, notice to the Office of the Attorney General must be provided no later than when residents are notified. Pursuant to Conn. Gen. Stat. § 36a-701b(g), failure to provide such notice shall constitute a violation of the Connecticut Unfair Trade Practices Act (CUTPA).
    • Is anything required in addition to notice?
      Answer: Yes—if a Connecticut resident’s Social Security number or Taxpayer Identification Number is believed to have been compromised in the data breach, Connecticut law requires that the resident be offered 24 months of credit monitoring services. See Conn. Gen. Stat. § 36a-701(b)(2)(B).
    • How should notice be provided to the Office of the Attorney General?
      Answer:

      The Office of the Attorney General now has a simple, fillable online form to submit a breach notification, located here. Completing and submitting this online form is the Office’s preferred method for receiving notice about a data breach. It is designed to address the most common questions we have and reduces our need to contact you for additional information. Before filling out this form, here’s what you need to know:

      • The system cannot save your form, so please complete it in one sitting. To prepare, you can preview the form here.
      • If you need to return to a previous page, click the green “BACK” button at the bottom of each page. Do not hit the “back” arrow on your browser or your submission will be cleared.
      • If you experienced more than one breach, please submit a separate data breach notice for each.
    • What happens after I submit my completed Data Breach Notice form?
      Answer: You will receive a confirmation email that your notice was successfully submitted, along with a summary of your filing. You will receive a subsequent e-mail providing a case number for reference in any future communications regarding the breach, including if you need to update, amend, or supplement your submission. All case numbers begin with PR followed by seven digits (e.g. PR1234567).
    • Previously submitted a data breach notification form and wish to update?
      Answer: Please send an email to ag.breach@ct.gov to provide your update and include the reporting entity’s name and your case number in the subject line. If there are any follow-up questions or concerns, a staff member with the Office of the Attorney General’s Privacy and Data Security Section will contact you.
    • Who should I contact with questions or feedback about this form?
      Answer: If you have any questions or comments about this form or if you have any questions about providing notice to our office, please send an email to ag.breach@ct.gov. Please include a relevant subject line (e.g. comments on data breach notice form, data breach question, etc.) in your email.
  • Data Security Resources
  • The Connecticut Data Privacy Act
    Answer:

    On May 10, 2022, Governor Ned Lamont signed Senate Bill 6: An Act Concerning Personal Data Privacy and Online Monitoring (also known as The Connecticut Data Privacy Act or “CTDPA”), making Connecticut one of the first states to pass a comprehensive consumer privacy law.

    The following are answers to Frequently Asked Questions regarding consumers’ rights and businesses’ obligations under the CTDPA. Please note that this does not constitute legal advice or an opinion from the Attorney General.

  • The Connecticut Data Privacy Act - General Information
    • When Does the Act Take Effect?
      Answer: The CTDPA takes effect on July 1, 2023.
    • What Does the Act Do?
      Answer: The CTDPA gives Connecticut residents certain rights over their personal data and establishes responsibilities and privacy protection standards for data controllers that process personal data. It protects a Connecticut resident acting in an individual or household context, such as browsing the Internet or making a purchase at a store. It does not protect an individual acting in an employment context, such as applying for a job.
    • Who Does the Act Apply to?
      Answer:

      The CTDPA applies to people who conduct business in Connecticut or who produce products or services targeted to Connecticut residents and that, during the prior calendar year, controlled or processed the personal data of:

      • at least 100,000 consumers; or
      • 25,000 or more consumers and derived over 25% of gross revenue from the sale of personal data.

      It also applies to service providers (called “processors”) that maintain or provide services involving personal data on behalf of covered businesses.

    • What is a Controller?
      Answer: A controller is defined as an individual or legal entity that, independently or jointly with others, collects and processes personal data and is responsible for responding to consumer requests about the collection and processing of personal data.
    • What is the Difference Between a Controller and a Processor?
      Answer: The key distinction between a controller and a processor is their decision-making authority over personal data. Under the CTDPA, a processor may only process data at the request and under the direction of a controller. The processor is contractually bound by the controller’s instructions as to what the processor must and may do with personal data.

      If a processor were to begin exercising decision-making authority with respect to the purposes and means of personal data processing, it would become a controller with respect to that processing and subject to the obligations imposed on controllers under the CTDPA.
    • What is Personal Data?
      Answer: Personal data is any information that can be linked to an identifiable individual, excluding publicly available information. Some examples of personal data include: a home address, a driver’s license or state identification number, passport information, a financial account number, login credentials, and payment card information.
    • What is the Difference Between Personal Data and Sensitive Data?
      Answer: Sensitive data is a subset of personal data that includes:
      • Any data revealing racial or ethnic origins, religious beliefs, mental or physical health conditions or diagnoses, sexual activity or orientation, citizenship, or immigration status;
      • Genetic or biometric data used to uniquely identify an individual;
      • Personal data of a child under the age of 13; and
      • Information that identifies an individual’s specific location with a defined degree of precision and accuracy (called “precise geolocation data”).

      Under the CTDPA, a controller needs a consumer’s consent to process sensitive data.
    • What Does it Mean to "Process" Data?
      Answer: Processing refers to any action a business may take with respect to personal data, including collecting, using, storing, selling, sharing, analyzing, or modifying the data.
    • Who is Exempt from Complying with the Act?
      Answer:

      The following entities are exempt from the CTDPA:

      • State and local governments
      • Nonprofit organizations
      • Financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”)
      • National securities associations registered under the Securities Exchange Act of 1934
      • Entities subject to the Health Insurance Portability and Accountability Act (“HIPAA”)
      • Higher education institutions

      The CTDPA also does not apply to certain types of personal data maintained in compliance with other laws, such as the GLBA, HIPAA, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act, as well as personal data processed for certain specified purposes. For a complete list, see Section 3(b) of the CTDPA.

  • The Connecticut Data Privacy Act - Resources For Consumers
    • What Rights can Connecticut Residents Exercise under the CTDPA?
      Answer:

      The CTDPA provides Connecticut residents the following enumerated rights:
      • The right to access personal data that a controller has collected about them.
      • The right to correct inaccuracies in their personal data.
      • The right to delete their personal data, including personal data that a controller collected through third parties.
      • The right to obtain a copy of their personal data in a portable and readily usable format that allows them to transfer the data to another controller with ease.
      • The right to opt-out of:
        • the sale of their personal data;
        • the processing of personal data for the purposes of targeted advertising; and
        • profiling that may have a legal or other significant impact.

    • How Does a Consumer Know Whether a Controller Processes the Consumer's Data?
      Answer: A consumer may directly contact the controller—through the channel(s) described in the controller’s required privacy notice—and request that it confirm whether it processes the consumer’s personal data.
    • How Does a Consumer Exercise Rights Under the CTDPA?
      Answer: A controller’s privacy notice must clearly describe how consumers may exercise their rights under the CTDPA. Among other methods, a controller must provide an easily accessible link on its website through which consumers can opt-out of targeted advertising or the sale of their personal data. Soon, consumers will also be able to opt-out through universal opt-out mechanisms.
    • What are Universal Opt-Out Mechanisms?
      Answer: Universal opt-out mechanisms are designed to afford consumers the ability to communicate a request to opt-out of the processing of their personal data across multiple websites at once, rather than having to make individual opt-out requests through each controller’s website. Under the CTDPA, universal opt-out mechanisms must be recognized by controllers as valid consumer requests beginning January 1, 2025.
    • Can a Consumer Opt-Out of the Sale of Personal Data to Third Parties?
      Answer: Yes, a consumer can opt-out of the sale of personal data to third parties. A consumer can also designate a third party to opt-out on his or her behalf.
    • Does the CTDPA Protect the Personal Data of Children and Teens?
      Answer: Yes. If a child’s personal data is being processed by a controller, the child’s parent or legal guardian may exercise rights on the child’s behalf. Controllers must follow all regulations concerning children’s online privacy established pursuant to the Children’s Online Privacy Protection Act (“COPPA”), including parental consent requirements. In addition, the CTDPA prohibits controllers from selling a consumer’s personal data or processing personal data for the purposes of targeted advertising when the consumer is under 16 years old.
    • Can a Controller Deny a Consumer Rights Request?
      Answer: Yes, for certain specified reasons under the CTDPA. For example, a controller may deny a consumer’s request if fulfilling the request would restrict the controller’s ability to:
      • Provide a product or service specifically requested by the consumer.
      • Perform certain internal operations that reasonably align with consumer expectations.
      • Issue a product recall or repair technical errors.
      • Respond to and prevent security incidents, identity theft, and fraud.
      • Comply with federal, state, or local law.

      For more exceptions, see Section 10 of the CTDPA.
    • Does a Consumer have a Right to Appeal a Denial?
      Answer: Yes. The CTDPA grants consumers the right to appeal a controller’s decision denying a consumer rights request. A controller has 60 days after receipt of an appeal to write back to the consumer, explaining any actions it has taken and reasons for refusing a consumer request. If the appeal is denied, the controller must give the consumer information to contact the Attorney General should the consumer wish to file a complaint.
    • How Often Can a Consumer Request Information About their Personal Data from a Controller? Is there a Cost?
      Answer: A consumer can request information from a controller free of charge once every 12 months. Under certain circumstances, for requests beyond the annual request, the controller may charge an administrative fee.
  • The Connecticut Data Privacy Act - Business Impact
    • What Must Controllers do to Comply with the CTDPA?
      Answer:

      Among other obligations, controllers must:

      • Provide notice regarding the types of personal data the controller processes, the purpose(s) for processing, whether and why the controller shares personal data with third parties, and information about how consumers can exercise their various rights (e.g. access, deletion) over their personal data.
      • Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the specific purpose(s) for which the data is processed (also known as “data minimization”).
      • Obtain consent before processing a consumer’s sensitive data.
      • Respond to requests to exercise consumer rights granted under the CTDPA.
      • Conduct assessments before processing personal data in a manner that presents a heightened risk of harm to consumers (called “Data Protection Assessments”). This includes processing personal data for the purposes of targeted advertising, sale, or profiling, and processing sensitive data.
      • Use reasonable safeguards to secure personal data.
      • Not discriminate against consumers who exercise their rights under the CTDPA, or process personal data in a manner that would otherwise result in unlawful discrimination.

    • How Long does a Controller have to Respond to a Consumer's Request?
      Answer: A controller must respond to a consumer’s requests no later than 45 days after receipt of the request. Under certain conditions, the controller may extend the response period by 45 days.
  • The Connecticut Data Privacy Act - Enforcement
    • What is the Attorney General's role in enforcing the CTDPA?
      Answer: The Attorney General has exclusive authority to enforce violations of the Act.
    • Is there a Private Right of Action for Individuals?
      Answer: No, the CTDPA does not include a private cause of action.
    • Is There a Cure Period?
      Answer: Yes. If the Attorney General determines that a controller could remedy a violation of the CTDPA, the Attorney General must give the controller notice of the violation before initiating a lawsuit. The controller then has 60 days to remedy the violation (called “the right to cure”). If, however, the Attorney General determines that it would not be possible for the controller to remedy the violation, no such notice or remedial opportunity is required. The right to cure sunsets on December 31, 2024.
    • What are the Penalties for Failing to Comply with the CTDPA?
      Answer:

      Entities or individuals that violate the CTDPA may face civil penalties up to $5,000 per violation, pursuant to the Connecticut Unfair Trade Practices Act. In addition to civil penalties, the Attorney General can also seek injunctive relief, restitution, and/or disgorgement.

  • Contact Information
    Answer:

    Privacy and Data Security Section

    165 Capitol Avenue

    Hartford, CT 06106

    Phone: 860.808.5440

    Email: ag.breach@ct.gov