CTDPA Cookie Consent: A Comprehensive Overview
If your business collects and processes the personal data of Connecticut residents online, it’s important to understand the CTDPA cookie consent.
In this guide, we’ll explain everything you need to know about the cookie consent requirements to help you stay compliant with this relatively new data privacy regulation.
Let’s get started.
- Connecticut Data Privacy Act (CTDPA) was made official on 1st July 2023
- CTDPA cookie consent is required for sensitive data. This includes racial and ethnic origins, mental and physical health, genetic and biometric data, sexual orientation and activities, citizenship, and immigration status, precise geolocation data, and personal data for children under 13.
- “Consent” under CTDPA is: “A clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.”
What is the Connecticut Data Privacy Act?
The Connecticut Data Privacy Act (CTDPA) is a consumer data privacy law that regulates the protection of personal data of the residents and households of Connecticut (CT), US.
CTDPA applies only to businesses that operate in Connecticut or offer goods and services to the residents of Connecticut and have, in the last calendar year, processed the personal data of
- A minimum of 100,000 individuals or households, or
- 25,000 and above data subjects and had a 25% or more gross revenue from the sale of personal data alone
The Act was signed on 10th May 2022 and became official on 1st July 2023.
Under CTDPA, individuals have the following rights:
- Right to access their personal data that the controller has collected
- Right to correct inaccurate and out-of-date data about them
- Right to delete their personal data collected by the controller, including those collected through third parties
- Right to obtain a copy of their personal data in a portable and ready-to-use format that they can transfer to other data controllers
- Right to opt out of:
- The sale of their personal data
- Processing of personal data for targeted advertising
- Profiling with potential legal or other similar impact
Is Cookie Consent Required Under the Connecticut Data Privacy Act?
Consent, including cookie consent, is required under the CTDPA for processing sensitive data.
“Sensitive data” under CTDPA includes data revealing:
- Racial and ethnic origin of the data subject
- Mental and physical health and diagnoses
- Genetic or biometric data
- Sexual orientation and activities
- Citizenship or immigration status
- Personal data for children under 13 years of age
- “Precise geolocation data”
“A clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.”
According to the Act, “consent” can be any clear affirmative action performed by the individual. This can be a written statement or checking the “accept cookies” box when it comes to cookie consent.
CTDPA Cookie Consent Requirements
There are some general CTDPA cookie consent requirements that you need to be aware of and follow to ensure you don’t get fined:
When using cookies and other tracking technologies on the site, a business must display a clear and distinct notice or cookie banner on its website, informing the visitor of using such technologies.
Do Not Sell My Personal Information
Similarly to the CPRA, to stay compliant with the CTDPA, you should also include a “Do Not Sell My Personal Information” notice on your website for Connecticut residents to control how their personal data is used or shared while on the site.
Information on Types of Cookies Used
Next, you also need to inform the users about the types of cookies you are using on the website, such as strictly necessary cookies, targeting or advertising cookies, functional cookies, and performance cookies.
Informed Choice About Cookies
Before accepting or rejecting cookies, the consumer must be given an informed choice about what exactly this means. Consent must be unambiguous for it to be valid.
Easy to Opt-Out
Unlike the EU and other parts of the world, where the individual has to first give their consent (opt-in), in the US data privacy regulations, including the CTDPA, this isn’t required.
Provide Options for Users to Control Cookie Consent
It is also important to provide options for users to control cookie consent, meaning which types of cookies they will allow and which not and to manage their cookie preferences. This is called “granular cookie consent”.
Keep Cookie Consent Records
Finally, keep records of user consent, including cookie consent to maintain compliance with the data privacy regulations.
Mistakes to Avoid with CTDPA Cookie Requirements
When presenting cookies for your consumers, it’s necessary to avoid so-called “dark patterns.”
The term “dark patterns” was first coined by Harry Brightnull in 2010 to represent:
“Design features used to deceive, steer, or manipulate users into behavior that is profitable for an online service, but often harmful for users or contrary to their intent.”
In terms of cookies, dark or “deceptive” patterns include bad practices such as:
For instance, in cookie consent, this would be combining several agreements into a single action. This is called “bundled consent” and is the opposite of “granular consent,” where the user can select which cookies they want to give consent to individually.
Nagging is an unethical practice in any scenario, let alone when someone visits your website. When it comes to cookies, “nagging” would be if you keep presenting the visitor with the cookie consent banner over and over even though they refused your cookies the first time they visited your site.
The purpose of a cookie consent banner isn’t to prevent the user from using the website. Yet, this is how the banner is often designed or positioned on the page.
How many times have you, for instance, opened a webpage, only for the cookie consent banner to pop up in front of you, preventing you from taking any other action, such as continuing to read what’s on that page?
Another thing you want to avoid doing when we’re talking about cookies is pre-selecting the choice for the user. Under any data privacy law, including CTDPA, “consent” is a “freely given action” by the user.
Preselection, in this context, would, for example, be pre-ticking the “accept all cookies” box.
Consent must not only be freely given but also clear. This means the wording of the consent banner can not be ambiguous, and instead, it should be relatively easy for the average user to understand what accepting the cookies implies.
Visual interference is so common in cookie banners that it’s become more of a common practice.
Open any website for the first time and look at the cookie consent banner. Notice how the “accept cookies” is always clear, while “reject cookies” is not so much? Maybe one is nice and highlighted and the other a hidden text link. This is something to avoid.
Penalties for Non-Compliant Cookie Consent with the CTDPA
Similarly to other data privacy laws, like the GDPR, non-compliant cookie consent with the CTDPA will lead to fines and penalties for the business.
Non-compliance with the CTDPA can lead to a $5,000 fine for the business or individual per intentional violation, according to the Connecticut Unfair Trade Practices Act (CUPTA).
Additionally, the Connecticut Attorney General may also demand injunctions, restitution, and/or disgorgement, meaning giving up the profits the business has made as a result of wrongful or illegal practices.
Although the Attorney General has allowed a 60-day correction period until 2025, known as the right to cure or cure period, it is still in your best interest to abide by the law to avoid legal action from consumers and a bad reputation.
The Connecticut Data Privacy Act is the last data privacy regulation made official in the United States. As such, it’s not as well-known as the CPRA in California or some others. But, by reading this article, you’re now ahead of 99% of businesses.
Now, you may be wondering, what next steps to take to ensure my compliance with the CTDPA? Well, that’s where Captain Compliance’s compliance solutions come in. We offer consultation services and custom software for your business to help ensure complete compliance.
Get in touch today and we’ll help you with CTDPA cookie consent.
What are the rules for cookie consent?
When presenting a cookie consent banner to the visitor, you should ensure that:
- You let them know what data you will collect through cookies
- Inform them of the purpose of data collection
- Explain how long you will keep their data
- Be transparent about sharing data with third parties.
Is consent for cookies required?
The cookie consent requirement depends on the specific law. For example, the EU’s GDPR and the UK's GDPR both require consent for all cookies if they process personal data, except strictly necessary cookies. Other laws, such as Canada’s PIPEDA do not have a specific cookie consent requirement.
Which countries need cookie banners?
Several countries have data privacy laws that specifically require a cookie banner. These include:
- Members of the European Union (GDPR)
- United Kingdom (UK GDPR)
- Brazil (LGPD)
- Canada (PIPEDA)
- Mexico (FDPL)
- Saudi Arabia (PDPL)
- Singapore (PDPA)
- South Africa (POPIA)
What is the CT data privacy law in 2023?
As of 1st July 2023, the Connecticut Data Privacy Act (CTDPA) is the official data privacy law of the state.
CTDPA applies to businesses operating in Connecticut or offering products and services to its residents t and have, in the last year processed the data of
- At least 100,000 individuals or households, or
- 25,000 and above data subjects and had a 25% or more gross revenue from the sale of personal data
Who does Connecticut Data Privacy Act apply to?
The Connecticut Data Privacy Act or CTDPA applies to any business in this state that provides products or services to residents of Connecticut and has in the last year processed the personal data of:
- 100,000+ consumers or
- 25,000+ consumers and had 25% of gross revenue come from selling personal data.