Compliance Briefing — July 1, 2023

Executive briefing: The Connecticut Data Privacy Act (Public Act 22-15) entered into force on 1 July 2023. Controllers conducting business in Connecticut or targeting state residents must manage opt-outs for targeted advertising and data sales, honour consumer rights, and obtain consent before processing sensitive data.

Key compliance checkpoints

• Consumer rights. Provide authenticated processes for access, correction, deletion, and portability requests with a 45-day response window and appeals.
• Opt-out controls. Honour opt-out signals for targeted advertising, data sales, and profiling with significant effects by 1 January 2025 when required to recognise universal opt-out mechanisms.
• Assessments. Conduct documented data protection assessments for targeted advertising, sale of personal data, profiling, or processing of sensitive data.

Operational priorities

• Privacy notices. Update disclosures to describe categories of personal data processed, purposes, third-party sharing, and instructions for exercising rights.
• Processor management. Execute contracts that include confidentiality, audit, and deletion requirements aligned with §6(b) of Public Act 22-15.
• Consent management. Secure opt-in consent before processing sensitive data, including precise geolocation, children’s data, or health information.

Enablement moves

• Align Connecticut controls with CPRA, VCDPA, and Colorado CPA to leverage shared tooling and governance.
• Implement preference centres and automated workflows to respect opt-outs and universal opt-out signals.
• Maintain metrics on request fulfilment, opt-out volumes, and assessment reviews for Attorney General oversight.

Sources

• Connecticut Public Act 22-15
• Connecticut Attorney General data privacy guidance

Zeph Tech equips controllers with Connecticut-ready privacy notices, opt-out tooling, and assessment frameworks across digital channels.