Overview
The Connecticut Data Privacy Act (CTDPA) is a comprehensive data privacy law that grants Connecticut residents new rights over their personal data while imposing data protection obligations on businesses. Signed into law in May 2022, the CTDPA took effect on July 1, 2023, making Connecticut the fifth U.S. state to enact a broad consumer privacy law after California, Virginia, Colorado, and Utah.
CTDPA is closely modeled after GDPR, CPRA, and CPA, providing strong consumer rights, clear business compliance rules, and enhanced privacy protections.
Who Must Comply?
The CTDPA applies to companies that conduct business in Connecticut or target Connecticut residents and meet one of the following criteria:
β Process personal data of at least 100,000 Connecticut consumers annually
β Process personal data of at least 25,000 consumers and derive 25%+ of revenue from selling personal data
Exemptions:
The law does not apply to:
π« Government agencies
π« Nonprofits
π« Financial institutions subject to GLBA
π« HIPAA-covered entities (healthcare providers)
π« Higher education institutions
Key Consumer Rights Under CTDPA
β Right to Access β Consumers can request a copy of their personal data.
β Right to Correct β Consumers can request corrections to inaccurate personal data.
β Right to Delete β Consumers can request the deletion of personal data.
β Right to Data Portability β Consumers can receive their data in a portable format.
β Right to Opt-Out β Consumers can opt out of:
- Targeted advertising
- Sale of personal data
- Automated profiling that affects legal or financial decisions
Business Compliance Requirements
β Universal Opt-Out Mechanism (Starting January 1, 2025) β Businesses must honor global privacy opt-out signals (e.g., Global Privacy Control (GPC)).
β Obtain Consent for Sensitive Data Processing β Companies must get explicit opt-in consent before processing:
π Racial/ethnic origin
π Religious beliefs
π Health conditions
π Biometric data
π Childrenβs data
β Data Protection Assessments (DPA) β Businesses must evaluate high-risk data processing activities, including:
π Targeted advertising
π Data sales
π Automated decision-making
β Privacy Notices & Data Minimization β Businesses must publish clear privacy policies and limit data collection to what is necessary.
β Data Security Measures β Companies must apply reasonable security measures to protect personal data from breaches.
Real-World Enforcement Cases
The Connecticut Attorney General is responsible for enforcing CTDPA. Violations can result in civil penalties of up to $5,000 per violation.
While there have been no major enforcement cases yet, similar laws in California (CPRA) and Colorado (CPA) suggest data brokers, ad tech firms, and companies handling large amounts of consumer data will be early targets for enforcement.
π Comparison with Other State Privacy Laws
The Connecticut CTDPA shares similarities with Virginia (CDPA) and Colorado (CPA) but has some distinct features:
β
Stronger Enforcement β The Connecticut AG can take direct action without a cure period (after 2024).
β
Universal Opt-Out Required (2025) β Businesses must respect global privacy controls.
β
Lower Revenue Threshold (25%) β More businesses fall under CTDPA than under Virginia CDPA (50%).
Future of CTDPA Regulation
π Expanded enforcement against ad networks, data brokers, and AI-driven profiling.
π Potential stricter AI & automated decision-making rules in future amendments.
π Closer alignment with federal privacy laws if the U.S. enacts nationwide privacy legislation.
Connecticutβs CTDPA is emerging as one of the most enforceable state privacy laws and is expected to shape future data privacy regulations across the U.S.
