Connecticut General Statutes
Chapter 743jj - Consumer Data Privacy and Online Monitoring
Section 42-520. - (Note: This section is effective July 1, 2023.) Controllers' duties. Sale of personal data to third parties. Notice and disclosure to consumers. Consumer opt-out.

(a) A controller shall: (1) Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer; (2) except as otherwise provided in sections 42-515 to 42-525, inclusive, not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent; (3) establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue; (4) not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA; (5) not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers; (6) provide an effective mechanism for a consumer to revoke the consumer's consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than fifteen days after the receipt of such request; and (7) not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and wilfully disregards, that the consumer is at least thirteen years of age but younger than sixteen years of age. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in sections 42-515 to 42-525, inclusive, including denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods or services to the consumer.

(b) Nothing in subsection (a) of this section shall be construed to require a controller to provide a product or service that requires the personal data of a consumer which the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.
(c) A controller shall provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes: (1) The categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request; (4) the categories of personal data that the controller shares with third parties, if any; (5) the categories of third parties, if any, with which the controller shares personal data; and (6) an active electronic mail address or other online mechanism that the consumer may use to contact the controller.
(d) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.
(e) (1) A controller shall establish, and shall describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to sections 42-515 to 42-525, inclusive. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests and the ability of the controller to verify the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights, but may require a consumer to use an existing account. Any such means shall include:
(A) (i) Providing a clear and conspicuous link on the controller's Internet web site to an Internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or sale of the consumer's personal data; and
(ii) Not later than January 1, 2025, allowing a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology or mechanism to the controller indicating such consumer's intent to opt out of any such processing or sale. Such platform, technology or mechanism shall:
(I) Not unfairly disadvantage another controller;
(II) Not make use of a default setting, but, rather, require the consumer to make an affirmative, freely given and unambiguous choice to opt out of any processing of such consumer's personal data pursuant to sections 42-515 to 42-525, inclusive;
(III) Be consumer-friendly and easy to use by the average consumer;
(IV) Be as consistent as possible with any other similar platform, technology or mechanism required by any federal or state law or regulation; and
(V) Enable the controller to accurately determine whether the consumer is a resident of this state and whether the consumer has made a legitimate request to opt out of any sale of such consumer's personal data or targeted advertising.
(B) If a consumer's decision to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent in accordance with the provisions of subparagraph (A) of this subdivision conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts or club card program, the controller shall comply with such consumer's opt-out preference signal but may notify such consumer of such conflict and provide to such consumer the choice to confirm such controller-specific privacy setting or participation in such program.
(2) If a controller responds to consumer optā€out requests received pursuant to subparagraph (A) of subdivision (1) of this subsection by informing the consumer of a charge for the use of any product or service, the controller shall present the terms of any financial incentive offered pursuant to subsection (b) of this section for the retention, use, sale or sharing of the consumer's personal data.
(P.A. 22-15, S. 6.)
History: P.A. 22-15 effective July 1, 2023.

Structure Connecticut General Statutes

Connecticut General Statutes

Title 42 - Business, Selling, Trading and Collection Practices

Chapter 743jj - Consumer Data Privacy and Online Monitoring

Section 42-515. - (Note: This section is effective July 1, 2023.) Definitions.

Section 42-516. - (Note: This section is effective July 1, 2023.) Applicability.

Section 42-517. - (Note: This section is effective July 1, 2023.) Exemptions.

Section 42-518. - (Note: This section is effective July 1, 2023.) Consumers' rights. Compliance by Controllers. Appeals.

Section 42-519. - (Note: This section is effective July 1, 2023.) Authorized agents and consumer opt-out.

Section 42-520. - (Note: This section is effective July 1, 2023.) Controllers' duties. Sale of personal data to third parties. Notice and disclosure to consumers. Consumer opt-out.

Section 42-521. - (Note: This section is effective July 1, 2023.) Processors' duties. Contracts between controllers and processors.

Section 42-522. - (Note: This section is effective July 1, 2023.) Controllers' data protection assessments. Disclosure to Attorney General.

Section 42-523. - (Note: This section is effective July 1, 2023.) De-identified and pseudonymous data. Controllers' duties. Exceptions. Applicability of consumers' rights. Disclosure and oversight.

Section 42-524. - (Note: This section is effective July 1, 2023.) Construction of controllers' and processors' duties.

Section 42-525. - (Note: This section is effective July 1, 2023.) Enforcement by Attorney General. Notice of violation. Cure period. Report. Penalty.