USA - Connecticut: Revenue-Based Applicability
Connecticut Jurisdiction: Revenue-Based Applicability in the Connecticut Data Privacy Act
The Connecticut Data Privacy Act (CDPA) establishes a revenue-based threshold as a factor to determine the applicability of the law to businesses. This factor extends the law’s reach to entities that derive a significant portion of their income from the sale of personal data.
Text of Relevant Provisions
CDPA Sec.2(2):
"The provisions of sections 1 to 11, inclusive, of this act apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that during the preceding calendar year: (2) controlled or processed the personal data of not less than twenty-five thousand consumers and derived more than twenty-five per cent of their gross revenue from the sale of personal data."
Analysis of Provisions
- CDPA Sec.2(2) introduces a specific revenue threshold, where the law applies to any entity that processes or controls the personal data of at least 25,000 consumers and generates more than 25% of its gross revenue from selling that data. This provision is designed to capture businesses that may not be large in terms of overall revenue but rely heavily on monetizing consumer data.
- The inclusion of this threshold highlights the focus on data-driven business models, ensuring that companies whose business operations depend significantly on the sale of personal data are subject to the law’s requirements. By setting the threshold at 25%, Connecticut lawmakers are targeting entities that are substantially involved in data sales, making them accountable under the CDPA.
- The threshold of 25,000 consumers ensures that the law covers businesses with a significant impact on a considerable number of individuals, preventing smaller-scale operations from escaping regulatory scrutiny due to their size alone.
Implications
- For businesses operating in Connecticut, meeting these thresholds means they must comply with the CDPA’s regulations, including requirements related to consumer rights and data protection practices.
- For instance, a digital marketing company that earns more than 25% of its gross revenue from selling personal data and has a customer base exceeding 25,000 in Connecticut would fall under the purview of the CDPA. Such a company would be required to implement robust data protection measures and provide consumers with rights concerning their personal data.
- The revenue-based applicability criterion means businesses need to evaluate their revenue streams and data processing activities to determine their obligations under the CDPA. Compliance is crucial to avoid potential penalties and legal challenges.