Skip to content
Privacy Regulations

Connecticut Data Privacy Act (CTDPA)

The Connecticut Data Privacy Act (CTDPA) is Connecticut’s first comprehensive consumer privacy law, effective July 1, 2023. As of mid-2025, the law has received significant updates and enforcement guidance, making it crucial for businesses processing Connecticut residents’ data to stay current.

What Is the CTDPA?

The CTDPA grants Connecticut consumers new rights over their personal data (access, correction, deletion, portability, opt‑out) and mandates obligations for businesses (“controllers”) handling such data. It applies to entities that:

  • Process data of ≥ 35,000 Connecticut residents,
  • Process any amount of sensitive data, or
  • Sell personal data in trade or commerce.

Exemptions include HIPAA-covered health data, certain financial data under GLBA (now only data-level exemption), publicly available data, and de-identified data.

 Official text

Consumer Rights Under CTDPA

Connecticut residents now have the right to:

  • Access, correct, delete, and port their data
  • Opt out of targeted advertising, sale of personal data, and profiling for legal or similarly significant decisions
  • View inferences drawn by controllers and obtain a list of entities to whom their data has been sold

Controllers cannot deliberately withhold certain sensitive identifiers (SSN, biometric, passwords); instead, they must notify consumers of their collection  .

Compliance Obligations for Businesses

Controllers under the CTDPA must:

  • Publish clear privacy notices and disclosure statements, including profiling impact
  • Implement systems for consumer requests (access, delete, etc.)
  • Honor universal opt-out signals (e.g., Global Privacy Control) by January 1, 2025
  • Obtain affirmative consent before collecting or selling sensitive data
  • Conduct impact assessments for profiling and high-risk projects
  • Maintain processor contracts and data security controls

Recent Updates & 2025 Amendments

Connecticut continues refining its privacy posture via SB 1295, signed June 25, 2025, with updates effective July 1, 2026, unless stated otherwise  :

  1. Expanded Scope: Thresholds lowered to 35,000 consumers, or any processing of sensitive data, or data selling  .
  2. Sensitive Data Definitions Expanded: Now includes pregnancy status, mental health, disability, nonbinary/transgender status, neural data, financial account credentials, identifiers (SSN, passport), biometric and location data  .
  3. Profiling & Automated Decisions:
    • Consumers can access and contest profiling outputs that have legal or similarly significant impacts
    • Impact assessments for such processes are now more detailed  .
  4. Sale Consent: Selling sensitive data now requires opt-in consent; controllers may also need to explain third-party data buyers  .
  5. Protections for Minors: Parental opt-in required for under-16 data, and targeted advertising to minors is banned; platforms must integrate online safety centers/cyberbullying policies by January 1, 2026  .
  6. Enforcement Scaling: AG office issued numerous cure notices in 2024; universal opt-out comes into effect, and enforcement has increased CT AG expanded budgets and investigations into cookie banners and dark patterns  .

CT AG Enforcement & Reporting

The Connecticut Attorney General publishes regular enforcement reports under the CTDPA. In 2024, the AG issued dozens of cure notices and emphasized compliance with transparency, sensitive data restrictions, and cookie usage fairness  . The AG also addressed dark pattern abuse and cookie banner standards, with recommendations released in an updated enforcement report in early 2025.

Why CTDPA Matters in 2025

Connecticut continues to lead state-level data protection efforts. Its expanding scope, focus on automated profiling, minor protections, and strong enforcement make compliance non-negotiable for any organization interacting with Connecticut residents. It aligns with national trends in privacy, including California, Virginia, and Colorado, while pushing boundaries with sophisticated profiling and minors’ safeguards  .

Final Takeaway

The Connecticut Data Privacy Act is evolving rapidly. With stricter thresholds, broader definitions, profiling oversight, minor protections, and mandatory universal opt-out, businesses must audit their compliance posture now. Implementation deadlines (2025, 2026) are looming; non-compliance could lead to investigations and potential penalties. Stay proactive: review data flows, update policies, enhance consent tools, and ensure readiness for AG scrutiny.

Resources & Links

Disclaimer: This content is provided for informational purposes only and does not constitute legal advice. We are not a law firm, and no attorney-client relationship is formed by using this website. Use of this content is at your own risk. For advice tailored to your situation, please consult a licensed attorney.

NEW GEN AI

Get answers to even the most complex questions about your data and explore the complexities of your data landscape using Generative AI chat.