Skip to main content

Connecticut Data Privacy Act

The CTDPA is Connecticut's comprehensive privacy law, granting consumer data rights, requiring opt-out signal recognition, and adding protections for minors. It is enforced by the Connecticut Attorney General with no private right of action.

Jurisdiction
Connecticut

The Connecticut Data Privacy Act (CTDPA), formally An Act Concerning Personal Data Privacy and Online Monitoring, is a comprehensive state privacy law signed in May 2022 and effective July 1, 2023. It is closely modeled on the Colorado and Virginia laws, using the controller and processor framework and an opt-out approach to targeted advertising and sale of data. It is widely regarded as one of the more consumer-protective of the second-wave state laws.

The law is enforced by the Connecticut Attorney General. There is no private right of action.

Who It Applies To

The CTDPA applies to entities that conduct business in Connecticut or target Connecticut residents and that, during the prior year, either controlled or processed the personal data of at least 100,000 consumers, or controlled or processed the personal data of at least 25,000 consumers while deriving more than 25 percent of gross revenue from the sale of personal data. It protects residents acting in an individual or household context and excludes employment and commercial contexts. Several sectoral exemptions apply.

Key Requirements

Consumers have the rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and profiling with legal or similarly significant effects. Controllers must respond within 45 days and provide an appeal process. Opt-in consent is required for sensitive data, and the law includes specific protections for minors aged 13 to 17, including a ban on targeted advertising and sale without consent. Controllers must recognize opt-out preference signals such as browser-based controls. They must publish a privacy notice, apply data minimization and purpose limitation, sign data processing agreements, and conduct data protection assessments for high-risk processing.

Penalties for Non-Compliance

Violations are enforced under the Connecticut Unfair Trade Practices Act, which can carry civil penalties of up to USD 5,000 per willful violation, along with injunctive relief and restitution. The Attorney General had a cure period available in the early period after the law took effect, which has since narrowed.

How to Comply

Confirm whether you meet the consumer thresholds. Publish a privacy notice and offer access, correction, deletion, and portability rights within 45 days, with appeals. Recognize opt-out preference signals. Obtain opt-in consent for sensitive data and apply heightened protections for minors. Practice data minimization and purpose limitation. Sign data processing agreements with processors and conduct data protection assessments for high-risk processing.