USA - Connecticut: Offering Goods and Services to Data Subjects in Jurisdiction
The Connecticut Data Privacy Act (CDPA) utilizes the "offering goods and services" factor to determine its applicability to businesses operating outside the state. This approach extends the law's reach to entities that target Connecticut residents, even if they don't have a physical presence in the state.
Text of Relevant Provision
CDPA Sec. 2 states:
"The provisions of sections 1 to 11, inclusive, of this act apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that during the preceding calendar year:"
Analysis of Provision
The CDPA's scope of applicability is defined by two key criteria:
- Conducting business in Connecticut
- Producing products or services targeted to Connecticut residents
The second criterion is particularly relevant to our analysis of the "offering goods and services" factor. By including this provision, the CDPA extends its jurisdiction beyond the state's physical borders to encompass businesses that intentionally target Connecticut consumers.
The law uses the phrase "targeted to residents of this state" to describe the act of offering goods or services. This wording suggests that mere accessibility of products or services to Connecticut residents is not sufficient for the law to apply. Instead, there must be a deliberate effort or intention to reach Connecticut consumers.
Additionally, the provision includes a temporal element, specifying that the targeting must have occurred "during the preceding calendar year". This establishes a clear timeframe for assessing a business's activities in relation to Connecticut residents.
Implications
The inclusion of this factor has several important implications for businesses:
- Extraterritorial reach: Companies without a physical presence in Connecticut may still fall under the CDPA's jurisdiction if they actively target state residents.
- Intentional targeting: Businesses need to evaluate whether their marketing strategies or product offerings specifically focus on Connecticut consumers.
- Online businesses: E-commerce companies and online service providers must be particularly mindful of this provision, as their digital presence may easily cross state lines.
- Annual assessment: The "preceding calendar year" clause suggests that businesses should regularly review their activities to determine if they've begun targeting Connecticut residents.
- Compliance considerations: Companies targeting Connecticut consumers may need to implement data protection measures compliant with the CDPA, even if they're based elsewhere.
This approach aligns with similar provisions in other data protection laws, such as the EU's GDPR, which likewise extends its reach to businesses that target individuals within its jurisdiction. By including this factor, Connecticut aims to protect its residents' data rights regardless of where the business processing their data is located.