
Connecticut Data Privacy Act (CTDPA)
Overview
The Connecticut Data Privacy Act (CTDPA), enacted May 10, 2022, and effective July 1, 2023, regulates how businesses handle personal data of Connecticut residents. It grants consumer rights, requires transparency, and sets obligations for businesses. In June 2025, Public Act 25-113 amended the CTDPA, broadening definitions, clarifying profiling and sensitive data provisions, and aligning with the January 1, 2025 cure-period sunset.
Regulation Summary
- May 10, 2022: CTDPA signed into law.
- July 1, 2023: Law became enforceable.
- January 1, 2025: Opt-out preference signals became effective; cure-period sunset took effect.
- June 2025: Public Act 25-113 signed, amending sensitive data, profiling, and minors’ protections.
- July 1, 2026: Amendments become effective.
- Companies conducting business in Connecticut or targeting Connecticut residents.
- Thresholds:
  - Process personal data of 100,000+ consumers annually (excluding payment-only data).
  - Public Act 25-113 modifies the second threshold from companies processing the personal data of 25,000+ consumers and deriving 25%+ of revenue from data sales to companies processing the data of 35,000+ consumers annually, any offering for sale in trade/commerce, and any processing of sensitive data, except if processed only for payments.
- Government entities, nonprofit organizations, and higher education institutions.
- Entities regulated by HIPAA, GLBA, COPPA, and other federal laws.
- Personal data used for employment-related or publicly available purposes.
- Transparency: Provide detailed privacy notices.
- Opt-out mechanisms: Allow refusal of targeted ads, data sales, and profiling.
- Sensitive data: Includes financial data, sex and orientation, as well as gender; processing it requires consent and must be "reasonably necessary"; profiling opt-out now includes impact assessments for decisions with legal effects.
- Children’s data: For ages 13–16, opt-in is required before targeted advertising or selling data.
- Profiling: Consumers can opt out of any automated decision with legal or similarly significant effects.
- Consent revocation: Must be as easy as giving consent; businesses must stop processing within 15 days.
- Data security: Implement safeguards proportional to risk.
- Provide at least one secure method for rights requests.
- Respond within 45 days, extendable once.
- Maintain an appeals process: 60 days, with written reasoning and AG complaint contact.
- Display clear, accessible privacy notices.
- Conduct data protection assessments for high-risk processing (ads, sales, profiling).
- Honor browser/device opt-out signals as of January 1, 2025.
- Loyalty programs: Businesses must honor opt-out signals but may notify consumers of program conflicts.
- Access: Obtain confirmation and copies.
- Correction: Rectify inaccuracies.
- Deletion: Request removal.
- Portability: Receive data in machine-readable format.
- Opt-out: Targeted advertising, sales, profiling.
- Appeals: Consumers can appeal denials; businesses must respond in 60 days with reasoning and AG contact.
- Enforced by the Connecticut Attorney General.
- Cure Period: 60 days to address violations until January 1, 2025.
- Penalties: Violations constitute unfair trade practices under Connecticut law, with fines of up to $5,000 per violation.
- No private right of action.