ARE YOU PREPARED FOR THE NEW DATA PRIVACY LAWS BEING ENFORCED IN 2023?

Beginning in July of 2023, the state of Connecticut will begin to enforce the comprehensive data privacy law that was passed in June of 2022. This law applies to certain businesses based in Connecticut and certain businesses that serve or produce products for Connecticut residents.

ARE YOU PREPARED FOR THE NEW DATA PRIVACY LAWS BEING ENFORCED IN 2023?

Beginning in July of 2023, the state of Connecticut will begin to enforce the comprehensive data privacy law that was passed in June of 2022. This law applies to certain businesses based in Connecticut and certain businesses that serve or produce products for Connecticut residents.

LAW REQUIREMENTS

WHO IS AFFECTED:

-Businesses based in Connecticut and/or businesses that serve or produce products for Connecticut residents.

-Businesses that process the data of at least 100,000 consumers annually (minus transactions that are limited to just a payment of some sort) or make at least 25% of their revenue from the sale of personal information and process data for at least 25,000 consumers annually.

 

Business Owner Obligations

  • Limit the collection of data to what is “adequate, relevant and reasonably necessary in relation to the purpose” for which data is processed (as disclosed to customers)
  • Establish, implement, and maintain reasonable data security controls, among other requirements
  • Provide for consent and consent-revocation when processing “sensitive personal data” (including information about race or ethnicity, religion, health conditions, sex life or orientation, citizenship or immigration status, genetic or biometric data, children’s data, and precise geolocation data).
  • The law additionally restricts the ability to target advertising for children between the ages of 13 – 16.

Consumer Rights

  • Connecticut consumers have the right to access, correct, delete, and port their data. In addition, businesses must provide consumers an opt-out for targeted advertising, the sale of their data, and automated decision-making profiling. Owners are required to respond to consumer requests no later than 45 days after receipt of the request.

Privacy Notice

  • The CTDPA requires business owners to post a “reasonably accessible, clear, and meaningful” privacy notice. Privacy notices must include the type of data being processed and which are shared with third parties and how consumers can exercise their rights. There must also be an email address or other mechanism visible so consumers can contact the business.

Risk Assessment & Documentation

  • Businesses are required to have data protection assessments completed and documented. Proof of these assessments may be specially requested by the state Attorney General at their discretion.

LAW REQUIREMENTS

WHO IS AFFECTED:

-Businesses based in Connecticut and/or businesses that serve or produce products for Connecticut residents.

-Businesses that process the data of at least 100,000 consumers annually (minus transactions that are limited to just a payment of some sort) or make at least 25% of their revenue from the sale of personal information and process data for at least 25,000 consumers annually.

 

Business Owner Obligations

  • Limit the collection of data to what is “adequate, relevant and reasonably necessary in relation to the purpose” for which data is processed (as disclosed to customers)
  • Establish, implement, and maintain reasonable data security controls, among other requirements
  • Provide for consent and consent-revocation when processing “sensitive personal data” (including information about race or ethnicity, religion, health conditions, sex life or orientation, citizenship or immigration status, genetic or biometric data, children’s data, and precise geolocation data).
  • The law additionally restricts the ability to target advertising for children between the ages of 13 – 16.

Consumer Rights

  • Connecticut consumers have the right to access, correct, delete, and port their data. In addition, businesses must provide consumers an opt-out for targeted advertising, the sale of their data, and automated decision-making profiling. Owners are required to respond to consumer requests no later than 45 days after receipt of the request.

Privacy Notice

  • The CTDPA requires business owners to post a “reasonably accessible, clear, and meaningful” privacy notice. Privacy notices must include the type of data being processed and which are shared with third parties and how consumers can exercise their rights. There must also be an email address or other mechanism visible so consumers can contact the business.

Risk Assessment & Documentation

  • Businesses are required to have data protection assessments completed and documented. Proof of these assessments may be specially requested by the state Attorney General at their discretion.

SOUND LIKE A LOT?— IT IS.

SOUND LIKE A LOT? IT IS.

Hire a team of experts to do it for you.

The repercussions of noncompliance are too great to risk not getting this done right.

Penalties

At the conclusion of the grace period, penalties and fine amounts will be determined at the discretion of the state’s Attorney General.

If any breach of data happens or is suspected, companies must inform authorities and data subjects within 72 hours of the breach’s discovery.

DATES TO REMEMBER

  • July 1, 2023 – The CTPDA becomes effective. The recommended target date for full compliance.
  • December 31, 2024 – The last date of the enforcement grace period.
  • January 1, 2025 – Businesses are required to have controls in place to collect consent and respond to consumer opt-out requests.

Recommended Steps for Compliance

  • Create a data map of personal information
  • Evaluate data processing activities
  • Evaluate data retention policies and schedules
  • Create and update privacy policies and terms and conditions and make them visible to consumers
  • Develop policies and procedures to facilitate consumer privacy rights
  • Review and amend third-party contracts
  • Ensure you have a sound cybersecurity framework in place to keep data protected

HOW IMPACT BUSINESS TECHNOLOGY CAN HELP YOU

 Businesses and organizations should take heed of this notice as authorities are not just looking into big corporations. Take proactive action and ensure your business is compliant with these standards before they are enforced. Impact Business Technology can help you classify consumer data, assess your business’s data security, and provide the needed documentation of your standing.

 

Let us tackle this for you. Use the form below to get started.

Let us tackle this for you. Use the form below to get started.

UNSURE OF YOUR BUSINESS NEEDS? GIVE US A CALL.

We will examine your current IT infrastructure and recommend a solution that fits.

UNSURE OF YOUR BUSINESS NEEDS? GIVE US A CALL.

We will examine your current IT infrastructure and recommend a solution that fits.

Our Blog

The Downside of Large Language Models

The Downside of Large Language Models

What Do We Really Know About How these AI Systems Work?It seems like all our favorite apps and software programs are racing to integrate AI into...

Our Blog

The Downside of Large Language Models

The Downside of Large Language Models

What Do We Really Know About How these AI Systems Work?It seems like all our favorite apps and software programs are racing to integrate AI into their systems. Everywhere we turn, the platforms we know and trust are hastily offering new AI features. But as with any...

read more
Top 4 Risks of Not Developing an AI Strategy

Top 4 Risks of Not Developing an AI Strategy

When it comes to getting work done, we all seek new ways to boost efficiency and complete tasks faster. While this sentiment might be encouraging to business leaders, hidden dangers are lurking in the background. With the rise of remote work and the constant influx of...

read more