How to configure a notice for CTDPA compliance?

Didomi now enables you to build consent notices compliant with Connecticut Data Privacy Act (CTDPA). The CTDPA features particular requirements that must be included in your notice. 

  • Vendors  processing Sensitive Personal information (SPI) must be displayed
  • Purposes have to be grouped into pre-defined categories
  • Global Privacy Control (GPC) must be taken into consideration.

The following steps show you how to properly configure CTDPA on your notice. 

⚠️ The IAB TCF framework does not apply to CTDPA regulation. It is only valid for GDPR.

⚠️ For now, only the English language is supported for CTDPA. 

✅ Add SPI to your vendors

Sensitive Personal Information (SPI) is defined as personal information that is not publicly available, and which reveals information related to:

  • Racial or Ethnic Origin,
  • Religious Beliefs,
  • Mental or Physical Health Diagnosis,
  • Sexual life or Orientation,
  • Citizenship or Citizenship status,
And which uses or discloses information related to:
  • Genetic data that may be processed for the purpose of uniquely identifying an individual,
  • Biometric data that may be processed for the purpose of uniquely identifying an individual,
  • Information of Known Child.

The list of possible SPI is specified in CTDPA regulations and cannot be customized. 

Vendors collecting SPI need to be declared in the Didomi console so this can be reflected in your notice:

  1. Go to the Vendors tab in the Data Manager.Capture d’écran 2023-03-09 à 17.28.09
  2. Choose Edit Vendor.
  3. Scroll down to the Sensitive Personal Information.
  4. Select the SPI relevant to your vendor.
  5. Hit the Save button.

If your vendor does not process SPI, you can leave the above section empty. 

SPI information will not be disclosed in your notices for other regulations if you use the same vendor for CTDPA and other regulations. Except if they use the same SPI. 

It is not possible to add SPI to IAB vendors, since IAB vendor information is populated directly from the IAB, and they do not yet support CTDPA. 

In this case, you need to create a custom vendor instead of using the IAB option. 

✅ Configure your CTDPA notice

To create your CTDPA notice, follow these steps:

  1. Go to Consent notices and choose Edit Notice
  2. In the Regulations tab of step 1. Regulations, select CTDPA from the list of regulations (additional several regulations can be selected, since Didomi supports multiple regulations).
  3. Click on Edit Vendors & Purposes.
  4. Select the vendors to be added to your CTDPA notice. To create custom vendors, click on Add a new vendor.
  5. Scroll down to the Sensitive Personal Information section.
    1. If any of the vendors you selected process SPI, these will be listed. If you click on the Preview button next to an SPI, you can access the list of vendors processing this SPI and update it accordingly.       Capture d’écran 2023-03-09 à 18.00.09
    2. If none of the selected vendors process SPI, this section remains empty. Capture d’écran 2023-03-09 à 17.50.25
  6. Scroll down to the Purposes section. The purposes associated with the selected vendors appear below the three default CPRA categories. You can choose to keep these default categories, edit or delete them.
  7. Click on Add category to create your custom category.
  8. Define the name of your category, the button labels for the Agree and Disagree action on your category.
  9. Drag and drop your purposes into your categories.
  10. Save.
  11. You can now proceed to configure further notice parameters in step 2. Customization, before publishing in step 3. Publish.

  • Don't forget to fill in specific CTDPA parameters for each step (Look & feel, Content editor, and Integrations, especially).
  • You can see live previews of your CTDPA notice, including all CTDPA-specific parameters. 

For now, only the English language is supported for CTDPA notices. 

✅ This is how your CTDPA notice will look:

  • 1st layer  -   When SPIs are not defined
  • 1st layer  -   When SPIs are present
  • Personal information layer
  • Sensitive Personal Information (SPI) layer
  • Partners layerCapture d’écran 2023-03-09 à 18.49.21

✅ GPC signal

Global Privacy Control (GCP) is a privacy signal supported by several browsers for users to specify at the browser level that they do not want their data to be processed (more details about GPC and supported browsers available in GPC specifications). 

Didomi CTDPA notices support GPC automatically. 

As soon as the signal is detected, your CTDPA notice is adjusted to respect the user choice via GPC:

  • A "GPC signal detected" icon is displayed in the notice. 
  • All personal information will be set to Do not sell / Do not share.
  • All SPI will be set to Disagree
  • Instead of Agree and Close there will be a Close button. 

Capture d’écran 2023-03-09 à 18.44.08

There is no option yet to enable or disable GPC from the console. It is automatically supported.