Similar to the VCDPA and to the CCPA (other than in the context of data breaches), the CPA does not create a private right of action. Enforcement is exclusively with the Attorney General and District Attorneys. A violation of the CPA is considered a deceptive trade practice under the Colorado Consumer Protection Act. Until January 1, 2025, prior to any enforcement of the CPA, controllers must be given a 60 day cure period (where a cure is deemed possible by the Attorney General or District Attorney). The CCPA and the VCDPA also provide for cure periods, though those are not set to sunset as is provided under the CPA. Connecticut The law applies to entities that either control and/or process personal data of 100,000 consumers or more per year, or control and/or process personal data of 25,000 consumers or more per year if that entity derives more than 25% of its gross revenue from selling personal data. The Connecticut law gives consumers the right to know whether a business collects data about them, as well as to request corrections to or deletion of their personal data controlled by the business. The law also gives consumers the right to opt out of data collection and processing for the purposes of targeted advertising, sale, or automated decision-making based on data profiling—all opt-outs that are similar to provisions in other states’ comprehensive data privacy laws. The law creates affirmative obligations for covered businesses to limit data processing to what is “reasonably necessary” for their purposes, provide a way for consumers to revoke their consent to data processing, and protect consumers’ data with adequate cybersecurity practices. There is no private right of action. The law is enforced by the Connecticut Attorney General. The Connecticut statute became effective July 1, 2023.
121
Made with FlippingBook - Online Brochure Maker