Applicability of Data Protection Law in Connecticut, USA: Number of Data Subjects

The factor of "Number of Data Subjects" is used in determining the applicability of the Connecticut Data Privacy Act (CDPA) in the state of Connecticut, USA. Specifically, the law applies to persons that conduct business in the state or produce products or services targeted to residents of the state, and that during the preceding calendar year, controlled or processed the personal data of a specified minimum number of consumers.

Text of Relevant Provisions

CDPA Sec.2(1):

"The provisions of sections 1 to 11, inclusive, of this act apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that during the preceding calendar year: (1) Controlled or processed the personal data of not less than one hundred thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or"

CDPA Sec.2(2):

"The provisions of sections 1 to 11, inclusive, of this act apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that during the preceding calendar year: (2) controlled or processed the personal data of not less than twenty-five thousand consumers and derived more than twenty-five per cent of their gross revenue from the sale of personal data."

Analysis of Provisions

The CDPA applies to persons that conduct business in Connecticut or produce products or services targeted to residents of the state, and that meet certain thresholds regarding the number of consumers whose personal data they control or process. Specifically, the law applies to those that control or process the personal data of at least 100,000 consumers, excluding data processed solely for payment transactions (Sec.2(1)). Alternatively, the law applies to those that control or process the personal data of at least 25,000 consumers and derive more than 25% of their gross revenue from the sale of personal data (Sec.2(2)).

The use of the "Number of Data Subjects" factor in determining the applicability of the CDPA is likely intended to ensure that the law applies to entities that have a significant impact on the privacy of Connecticut residents. By setting a threshold of 100,000 consumers, the law targets larger entities that have a substantial presence in the state or a significant impact on the state's residents. The alternative threshold of 25,000 consumers and 25% of gross revenue from the sale of personal data is likely intended to capture smaller entities that may still have a significant impact on the privacy of Connecticut residents due to their business model.

Implications

The "Number of Data Subjects" factor has significant implications for businesses operating in Connecticut or targeting Connecticut residents. Entities that meet the thresholds established in Sec.2(1) or Sec.2(2) must comply with the provisions of the CDPA, which includes requirements for data protection, transparency, and accountability.

Examples of cases where the law applies due to this factor include:

• A company that conducts business in Connecticut and controls or processes the personal data of 150,000 consumers.
• A company that produces products or services targeted to Connecticut residents and controls or processes the personal data of 30,000 consumers, deriving 30% of its gross revenue from the sale of personal data.

Conversely, examples of cases where the law does not apply due to this factor include:

• A small business that conducts business in Connecticut but controls or processes the personal data of only 10,000 consumers.
• A company that produces products or services targeted to Connecticut residents but controls or processes the personal data of only 20,000 consumers and derives less than 25% of its gross revenue from the sale of personal data.