What Is CTDPA?

Map of Connecticut, Polygonal mesh line map, flag map

It’s a big ‘ol data privacy party at this point. We’ve seen privacy legislation go into effect in Virginia, Colorado, California, Vermont, Utah, and now Connecticut will join the fete with the introduction of CTDPA.

Last week the Connecticut House of Representatives and Connecticut Senate joined forces to pass the Connecticut Data Privacy Act (CTDPA). The legislation, also known as Senate Bill 6 (SB6), awaits Governor Ned Lamont’s signature to make everything 100% official. The bill is expected to take effect on July 1, 2023. 

The CTDPA mirrors recently instilled state privacy laws, allowing consumers to opt-out of data sales, targeted ads, and profiling decisions that “produce legal or similarly significant effects concerning the consumer.” This new provision will also include protection for minors and biometric data.

I know your next question is, what types of pubs would this apply to?

  • Pubs that do business in CT or produce products or services targeted at residents
  • Pubs that control or process consumer data of at least 100,000 people a year or gain over 25% of gross revenue from the “sale” of personal data and control or process the data of at least 25,000 people a year.

The consumer side of me says, “Way to go!” Yet, the ad tech side is thinking, “Darn.” Each new state privacy law only adds more and more hoops for pubs to jump through.

Get in the Know About CTDPA

If you are wondering what aspect of “consumer data” will be guarded by CTDPA, it is the information connected to an identified person. This does not include any information about someone that is public or considered de-identified data.

This is the second stab at a privacy law by the “Constitution State,” remember, Connecticut tried it last year and failed. This go-round, the bill is coming on strong and will even include the “right to cure” clause giving pubs some time to do some damage control before getting hit with a lawsuit. If you are caught violating the rules? Forget about it. There will be no time at that point to fix the infraction, and you may even get accused of “soliciting user consent.”

Pubs have a 60-day fix-it period to figure out reported violations until December 21, 2024. Starting January 1, 2025, the CTDPA will only grant a cure period if the Connecticut Attorney General sees fit, so be careful.

With the CTDPA opt-in consent for sensitive data is a must. Racial origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, sexual history, immigration status, genetic or biometric data, children’s data, and geolocation data are all included.

Speaking of children, pubs will have to get opt-in consent from consumers under the age of 16 before using their data to target ads or monetize. You have to keep the kids first because when it comes to the Children’s Online Privacy Protection Act, you don’t want any problems.

Like privacy laws in Colorado and Virginia, CT consumers will have the authority to appeal a denial of a consumer request.

How Will CTDPA Affect the Advertising Ecosystem?

At the rate things are going, pubs will continue to be stuck in a cycle of scrambling to find new ways to identify consumers. While these state privacy laws are seemingly a step in the right direction for consumers, they sometimes create extra work for pubs and outsourcing vendors.

Many publishers feel they may go bald before Federal privacy legislation sees the light of day, but President Biden has been making baby steps in that direction after discovering a recent “national experiment” by big tech that utilized children’s data.

Potus said, “It’s time to strengthen privacy protections, ban targeted advertising to children, demand tech companies stop collecting personal data on our children.”

Whether it is a child or your great-great-grandma, pubs will continue to have to dip and dive through many loopholes when it comes to targeted ads and addressability because those violation consequences ain’t pretty.