On May 10, 2022, Connecticut adopted the Data Privacy and Online Monitoring Act (the Act) to regulate the collection, storage and usage of personal information and create new consumer privacy rights. The Act becomes effective July 1, 2023.
Personal Information Protection in Connecticut (CT)
Connecticut regulates the protection of personal information as follows:
General Protections for Personal Information
Personal information is generally defined as an individual’s first name or first initial and last name, in combination with any one (or more) of the following data:
- Social Security number;
- Driver’s license number or state identification card number; or
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Note: Personal information generally does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
Requirements for Employers
- Any person who conducts business in Connecticut, and who (in the ordinary course of business) owns, licenses, or maintains computerized data that includes personal information, must provide notice of any breach of security following the discovery of the breach to any Connecticut resident whose personal information was breached (or is reasonably believed to have been breached).
- Such notice must generally be made without unreasonable delay, but not later than 90 days after the discovery of such breach—unless a shorter time is required under federal law—subject to the requests of law enforcement and the completion of an investigation by the business to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the data system.
- The person who conducts business in Connecticut, and who (in the ordinary course of business) owns, licenses, or maintains computerized data that includes personal information, must—not later than the time when notice is provided to the resident—also provide notice of the breach of security to the state attorney general.
- Note: Such individuals also must offer to each resident who has had certain personal information breached (or reasonably believed to have been breached) appropriate identity theft prevention services and (if applicable) identity theft mitigation services.
- Such service(s) must be provided at no cost to such resident for a period of at least 12 months.
- Such person must also provide all information necessary to enroll in the service(s) and must include information on how affected residents can place a credit freeze on their credit files.
- Note: Such individuals also must offer to each resident who has had certain personal information breached (or reasonably believed to have been breached) appropriate identity theft prevention services and (if applicable) identity theft mitigation services.
- Any person that maintains computerized data that includes personal information that the person does not own must notify the owner or licensee of the information of any breach of the security of the data immediately following its discovery, if the personal information of a Connecticut resident was breached (or is reasonably believed to have been breached).
- Notice required under the law may be provided by certain methods (§ e).
- Entities that maintain certain policies are deemed to be in compliance with the law. Click here for more information (§ f).
Data Privacy and Online Monitoring Act
On May 10, 2022, Connecticut adopted the Data Privacy and Online Monitoring Act (the Act) to regulate the collection, storage and usage of personal information and create new consumer privacy rights. The Act becomes effective July 1, 2023. Specifically, the Act:
- Establishes a framework for controlling and processing personal data;
- Defines responsibilities and privacy protection standards for data controllers and processors; and
- Grants consumers the right to access, correct, delete and obtain a copy of personal data and opt out of the processing of personal data in certain circumstances.
The Act applies to persons or entities that conduct business in Connecticut, or produce products or services that are targeted to Connecticut residents, if they did either of the following during the prior calendar year:
- Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
More Information
Please Note: The state laws summaries featured on this site are for general informational purposes only. In addition to state law, certain municipalities may enact legislation that imposes different requirements. State and local laws change frequently and, as such, we cannot guarantee the accuracy or completeness of the information featured in the State Laws section. For more detailed information regarding state or local laws, please contact your state labor department or the appropriate local government agency.