Data Protection Impact Assessment (DPIA) (CT)

DATA PROTECTION IMPACT ASSESSMENT (DPIA)

(State overlay: CT)

1. Project Overview

  • Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
  • Purpose and objectives: [describe].
  • Timeline and launch date: [dates].

2. Scope of Processing

  • Data subjects: [customers/employees/vendors/end users].
  • Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
  • Sensitive data (CTDPA definition, Conn. Gen. Stat. § 42-515): Check all that apply: (1) Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, status as transgender or nonbinary, or citizenship or immigration status; (2) Genetic or biometric data processed for the purpose of uniquely identifying an individual; (3) Personal data collected from a known child (under 13 years of age); (4) Precise geolocation data (location within a radius of 1,750 feet); (5) Consumer health data (added by the 2023 amendments). The 2025 amendments expand this definition effective July 1, 2026; confirm the current statutory list before relying on this section. Affirmative opt-in consent is required before processing sensitive data; for known-child data, processing in accordance with COPPA satisfies the consent requirement.
  • Volume and retention: [records/year], [retention schedule and deletion triggers per business purpose].
  • Processing activities: [collection, storage, analysis, disclosure to processors/third parties, sale]. CTDPA definitions: "Sale" = exchange of personal data for monetary or other valuable consideration (broader than VA/UT, which require monetary consideration); disclosures to a processor, to an affiliate, or at the consumer's direction are excluded from "sale". "Targeted advertising" = displaying to a consumer an advertisement selected based on personal data obtained from the consumer's activities over time and across nonaffiliated websites or applications. "Profiling" = any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning a consumer. Note that CT has no separate defined term "sharing" (that is a California concept).

3. Legal Basis, Notices, and Rights

  • Primary state privacy law(s): Connecticut Data Privacy Act (CTDPA), Conn. Gen. Stat. § 42-515 et seq., effective July 1, 2023; 2025 amendments effective July 1, 2026.
  • Applicability thresholds: Controller conducting business in Connecticut or producing products/services targeted to Connecticut residents who, during the preceding calendar year: (1) Controlled or processed personal data of 100,000+ consumers (excluding data processed solely to complete payment transactions); OR (2) Controlled or processed personal data of 25,000+ consumers AND derived over 25% of gross revenue from the sale of personal data. No minimum revenue threshold. Note: the 25% gross revenue threshold (vs. 50% in VA/UT) makes CT more consumer-protective. The 2025 amendments lower the consumer-count threshold and extend applicability to controllers that process sensitive data or sell personal data regardless of volume, effective July 1, 2026; re-check applicability against the amended text before launch.
  • Entity type exemptions: GLBA-covered financial institutions, HIPAA-covered entities/business associates for protected health information, nonprofit organizations, higher education institutions, national securities associations, certain tribal/state government entities.
  • Consumer rights covered: (1) Right to confirm processing and access personal data; (2) Right to correct inaccuracies in personal data; (3) Right to delete personal data; (4) Right to data portability (portable and, to the extent technically feasible, readily usable format); (5) Right to opt out of sale of personal data, targeted advertising, and profiling in furtherance of solely automated decisions producing legal or similarly significant effects (effective July 1, 2026: expanded to profiling in furtherance of any automated decision producing legal or similarly significant effects). Response timeline: 45 days (with one 45-day extension if reasonably necessary, provided the consumer is notified within the initial 45 days). Authentication: Use commercially reasonable efforts to verify the consumer's identity and the authenticity of the request; a controller may not require the consumer to create a new account to exercise rights, and may not respond to a request it cannot authenticate.
  • Consent/opt-out mechanics required for sensitive data, minors, targeted ads, sale: (1) Affirmative consent (opt-in) required before processing sensitive data (consent must be a clear affirmative act signifying a freely given, specific, informed, and unambiguous agreement; acceptance of general terms, hovering/muting/closing content, and consent obtained through dark patterns do not qualify); consumers must be able to revoke consent as easily as they gave it, and processing must stop within 15 days of revocation; (2) Opt-out required for sale, targeted advertising, and profiling for automated decision-making with legal or similarly significant effects; controllers must honor opt-out preference signals (e.g., a browser or platform-level signal) for sale and targeted advertising (required since January 1, 2025); (3) Controllers must process known-child data (under 13) as sensitive data requiring consent, which may be satisfied by COPPA-compliant verifiable parental consent.
  • Notice/labeling requirements: Privacy notice must be reasonably accessible, clear, and meaningful, disclosing: categories of personal data processed, purposes, how consumers may exercise rights, categories of personal data shared with third parties, categories of third parties, how to opt out of sale/targeted advertising/profiling. Must provide two or more designated methods for submitting consumer rights requests (effective July 1, 2026).
  • Contracts with processors/service providers: Data processing agreement required under the CTDPA's processor provisions (Conn. Gen. Stat. § 42-515 et seq.). Must include: processing instructions, nature and purpose of processing, type of data, duration, rights and obligations of both parties, duty of confidentiality for each person processing the data, requirement that the processor delete or return all personal data at the controller's direction or at the end of the provision of services (unless retention is required by law), assistance with consumer rights requests and with the controller's security and data protection assessment obligations, making available all information necessary to demonstrate compliance, allowing and cooperating with reasonable assessments (audits) by the controller or its designee, and a requirement that subprocessors be engaged under a written contract imposing the same obligations, with the controller given an opportunity to object.

4. Data Flow and Transfers

  • Source systems: [list]; storage/hosting locations: [cloud region/data centers].
  • Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
  • Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
  • Access controls: RBAC groups, least privilege, joiner/mover/leaver process.

5. Security and Controls

  • Technical controls: encryption in transit/at rest [specify], key management, network segmentation, endpoint protections, logging/monitoring, DLP, backups, vulnerability management.
  • Organizational controls: policies, training cadence, vendor due diligence, incident response playbook, change management.
  • Authentication/authorization: [MFA/SAML/SSO]; session timeouts; privileged access reviews cadence.

6. Risks and Impact Assessment

  • Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk].
  • Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
  • State-specific equal employment or anti-discrimination considerations (if applicable): [e.g., CTDPA prohibition on processing personal data in violation of anti-discrimination law; Connecticut employment discrimination law, Conn. Gen. Stat. § 46a-60, where employee data or hiring/profiling decisions are in scope].

7. Mitigations and Residual Risk

  • Planned mitigations: [controls, timelines, owners].
  • Testing/validation: [pen test, DPIA/ROPA updates, privacy-by-design checklist].
  • Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].

8. Incident Response and Breach Notification

  • Breach notification statute: Conn. Gen. Stat. § 36a-701b (Breach of security re computerized data containing personal information).
  • Timeline: Notice to affected Connecticut residents required without unreasonable delay and no later than 60 days from discovery of breach. Notice to Connecticut Attorney General required no later than when residents are notified.
  • Notification triggers: Unauthorized access to or acquisition of electronic files, media, databases, or computerized data containing personal information when access to the personal information has not been secured by encryption or another method rendering it unreadable or unusable. Personal information = Connecticut resident's first name or first initial and last name in combination with one or more of: (a) SSN; (b) Taxpayer identification number; (c) IRS identity protection PIN; (d) Driver's license number, state ID number, passport number, military ID number, or other government-issued identification number; (e) Financial account number or credit/debit card number, in combination with any required security code, access code, or password that would permit access to the account; (f) Medical information; (g) Health insurance policy or subscriber information; (h) Biometric information; also includes a user name or email address in combination with a password or security question and answer that would permit access to an online account.
  • Harm assessment exception: Notification not required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information was acquired or accessed; document the basis for that determination, since the AG may later request it.
  • Encryption safe harbor: No notice required if the compromised information was encrypted, redacted, or otherwise rendered unreadable or unusable. Practitioner check: before relying on this, confirm and document that the decryption key was not also accessible to the attacker (e.g., key stored alongside the data, or credentials with decrypt permissions compromised); the safe harbor is about the data being unusable, not merely about an encryption checkbox.
  • Regulator/AG notice: Notice to the Connecticut AG required not later than the time notice is provided to residents. Notice to nationwide consumer reporting agencies required if the breach requires notifying more than 1,000 Connecticut residents.
  • Content requirements: Notice should include: (1) General description of the breach; (2) Type of personal information subject to the breach; (3) Steps taken to investigate and contain the incident; (4) Contact information for consumer inquiries; (5) Any remediation services offered. Where an SSN or taxpayer identification number was breached, the notice must also offer at least 24 months of identity theft prevention services (and identity theft mitigation services, if applicable) at no cost, with instructions on how to enroll and how to place a credit freeze.
  • Third-party service providers: If maintaining data on behalf of another entity, must notify data owner immediately following discovery of breach.
  • Enforcement: Failure to provide required notice constitutes violation of Connecticut Unfair Trade Practices Act (CUTPA).
  • Coordination with other states/GLBA/HIPAA requirements if multi-state: [Coordinate breach notification obligations; GLBA and HIPAA have separate timelines and requirements].

9. State Overlay Checklist (CT)

  • Applicability thresholds and exemptions: 100,000+ consumers (excluding payment-only data) OR 25,000+ consumers + >25% of gross revenue from sale. No revenue minimum. The 2025 amendments lower the consumer-count threshold and add applicability for controllers that process sensitive data or sell personal data, effective July 1, 2026; confirm current thresholds. Exemptions: GLBA financial institutions, HIPAA covered entities/business associates (for PHI), nonprofits, higher education institutions, national securities associations, state/tribal government entities.
  • Sensitive data definition and consent/opt-out requirements: Sensitive data (see Section 2 above): data revealing racial/ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, transgender or nonbinary status, citizenship/immigration status; genetic/biometric data processed to uniquely identify an individual; known-child data (under 13); precise geolocation (1,750 ft radius); consumer health data. The list expands under the 2025 amendments effective July 1, 2026. Affirmative opt-in consent required (clear affirmative act; freely given, specific, informed, unambiguous; no dark patterns); revocation must be as easy as consent, with processing stopped within 15 days.
  • Consumer rights and response timelines/appeals: Access, correct, delete, portability, opt-out of sale/targeted ads/profiling. Response: 45 days + one 45-day extension (with notice). Appeals: Consumer may appeal denial within reasonable period; controller must respond to appeal within 45 days; must inform consumer of right to contact AG.
  • Opt-out of sale/targeted advertising/profiling requirements: Provide a clear and conspicuous link on the website to opt out of sale and targeted advertising, and honor opt-out preference signals (browser or platform-level signals) for sale and targeted advertising (required since January 1, 2025). Must provide two or more designated methods for opting out (effective July 1, 2026). Profiling opt-out required for automated decision-making producing legal or similarly significant effects (expanded from "solely automated decisions" effective July 1, 2026).
  • Processor/service provider contract requirements (flow-downs, audit rights, deletion/return): Data processing agreement required per Conn. Gen. Stat. § 35-9i. Must include: processing instructions, nature/purpose, data type, duration, controller/processor obligations, confidentiality, deletion/return requirements, consumer rights assistance, subprocessor requirements.
  • Data Protection Assessment / Risk Assessment triggers: Required for each processing activity presenting a heightened risk of harm, including: (1) Processing sensitive data; (2) Sale of personal data; (3) Targeted advertising; (4) Profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, unlawful disparate impact, financial/physical/reputational injury, intrusion on private affairs, or other substantial injury. Assessments must weigh the benefits of the processing against the risks to consumers, as mitigated by safeguards. Effective August 1, 2026: Impact Assessments required for profiling in furtherance of automated decision-making producing legal or similarly significant effects (applies to processing activities created/generated on or after August 1, 2026; not retroactive). A single assessment may address a comparable set of processing operations with similar activities. The Attorney General may request assessments via civil investigative demand; assessments are confidential and exempt from public disclosure, and producing them does not waive privilege.
  • Security measures expectations (reasonable security; specific mandates if any): Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data. Separately, Conn. Gen. Stat. § 42-471 requires any person in possession of personal information to safeguard it (including proper disposal) and, where Social Security numbers are collected, to maintain a publicly displayed privacy protection policy. Assessments should document the specific controls in Section 5 rather than a generic statement that security is "reasonable".
  • Breach notice timeline and content requirements: 60 days from discovery to notify residents; concurrent notice to AG. Content: description of breach, PI types involved, investigation steps, contact info, remediation services. Notify credit agencies if 1,000+ residents affected. Violation of breach notice law = CUTPA violation.
  • Children/minors rules (e.g., COPPA; state-specific if any): Personal data of known children under 13 must be treated as sensitive data requiring affirmative consent. Controllers must process child data consistent with COPPA requirements.
  • Non-discrimination/retaliation prohibitions under state law: CTDPA controller duties (Conn. Gen. Stat. § 42-515 et seq.). Controller may not process personal data in violation of state or federal anti-discrimination laws. Controller may not discriminate against a consumer for exercising CTDPA rights, including by denying goods or services, charging different prices or rates, or providing a different level or quality of goods or services. Bona fide loyalty, rewards, premium features, discount, or club card programs are permitted; any financial incentive tied to personal data should be reasonably related to the value of the data and clearly disclosed.
  • Recordkeeping: ROPA/DPIA retention and appeal tracking: Maintain data protection assessments and impact assessments (beginning August 1, 2026). Make available to Attorney General upon civil investigative demand. Maintain documentation of consumer request responses and appeal determinations. No cure period for violations effective January 1, 2025 (AG may take immediate enforcement action).

10. Approvals and Accountability

  • Privacy lead/DPO review: [name/date].
  • Security review: [name/date].
  • Legal review (state law overlay): [name/date].
  • Business owner certification: [name/date].
  • Executive approver: [name/title/date].

11. Attachments

  • Data flow diagrams/architecture.
  • Records of processing activities entry.
  • Vendor list and DPAs/SCCs.
  • Legitimate interests assessment or risk assessment (if applicable).
  • Testing summaries and pen test reports (if applicable).
  • State-specific notices/links and breach templates.