Connecticut Data Privacy Act (CTDPA): A Compliance Guide for U.S. Businesses

Read time: 15 mins
Published: Apr 8, 2025

Connecticut enacted its comprehensive consumer data privacy law in May 2022, and it has been in effect since July 1, 2023. Technically titled the Personal Data Privacy and Online Monitoring Act, the law is widely known as the Connecticut Data Privacy Act, or CTDPA. Connecticut was the fifth U.S. state to pass such legislation, following California, Virginia, Colorado, and Utah.

Since coming into force, the CTDPA has been amended twice, once in 2023 and again in 2025. This makes it one of the most actively updated state privacy laws in the U.S. The 2025 amendments are particularly significant. They lower the applicability thresholds, expand what counts as sensitive personal data, tighten protections for minors, and add new requirements around profiling disclosures and AI-related data uses. 

A further round of amendments signed in June 2025 (SB 1295) takes effect July 1, 2026.

This guide covers what the CTDPA requires, who it applies to, how it has evolved, and what U.S. businesses should be doing now to maintain compliance.

At a Glance

  • Effective date: July 1, 2023; 2025 amendments in force; SB 1295 amendments effective July 1, 2026
  • Who it covers: As of July 2026, entities that process personal data of 35,000+ Connecticut residents, or that sell personal data or process sensitive data in any volume
  • Consumer consent model: Opt-out by default; opt-in required for sensitive data, children's data, and certain profiling
  • Key consumer rights: Access, correction, deletion, portability, and opt-out of sale, targeted advertising, and automated profiling
  • Enforcement: Connecticut Attorney General has exclusive authority; penalties up to $5,000 per willful violation under CUTPA; no private right of action
  • 2025–2026 developments: First CTDPA enforcement settlement ($85,000); lowered thresholds; expanded sensitive data; stricter minors' protections; new AI/LLM disclosure requirement

What Is the Connecticut Data Privacy Act?

The CTDPA is designed to protect the privacy rights of Connecticut residents by imposing data handling obligations on companies that collect, process, or sell their personal data. Controllers do not need to be headquartered in Connecticut or have a physical presence there to have compliance obligations.

The law defines personal data as any information that is linked or reasonably linkable to an identified or identifiable individual. It does not cover de-identified data or publicly available information, although the 2026 amendments narrow the publicly available data exemption to reduce opportunities for data brokers and people-search services to claim it.

The CTDPA uses an opt-out consent model, like all other U.S. state privacy laws to date. This means companies can collect personal data without obtaining prior consent in most cases. However, they must give consumers a clear mechanism to opt out of the sale of their data or its use for targeted advertising. 

This is distinct from the opt-in model used in the EU's General Data Protection Regulation (GDPR), though the CTDPA does require opt-in consent for sensitive personal data and children's data.

Sensitive Personal Data Under the CTDPA

The CTDPA defines a distinct category of sensitive personal data subject to stricter requirements, including opt-in consent before processing. As expanded by the 2025 amendments, sensitive data now includes information that reveals or could be used to cause harm based on a consumer's:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition, diagnosis, disability, or treatment
  • Sex life or sexual orientation, or status as nonbinary or transgender
  • Citizenship or immigration status
  • Genetic data, biometric data, or data derived from either
  • Neural data (information generated by measuring central nervous system activity)
  • Precise geolocation data
  • Personal data collected from a known child (under 13)
  • Financial account numbers, credit or debit card numbers with access credentials
  • Government-issued identification (Social Security numbers, driver's licenses, passports, state ID cards)

The addition of neural data, disability status, nonbinary or transgender status, and financial and government ID data reflects 2025 legislative updates and aligns Connecticut more closely with the California Consumer Privacy Act (CCPA).

Who Must Comply with the Connecticut Data Privacy Act?

The CTDPA applies to companies conducting business in Connecticut, or that produce products or services directed at Connecticut residents, that meet the applicable thresholds. Unlike California, there is no revenue-based threshold for compliance.

The original compliance thresholds are:

  • Controlling or processing the personal data of 100,000 or more Connecticut consumers annually (excluding data processed solely to complete a payment transaction), or
  • Controlling or processing the personal data of 25,000 or more consumers and deriving over 25% of gross revenue from the sale of personal data

As of July 1, 2026, when SB 1295 takes effect, coverage expands significantly:

  • The general processing threshold drops to 35,000 Connecticut residents (from 100,000)
  • The threshold is removed entirely for businesses engaged in any sale of personal data
  • The threshold is removed entirely for businesses processing sensitive data, regardless of volume

This means that after July 2026, a company that processes any sensitive data — even for just a handful of Connecticut users — may be subject to CTDPA requirements. U.S. businesses with even limited Connecticut customer bases should reassess their obligations well before that date.

Organizational and Data Exemptions

The CTDPA includes several categories of entities exempt from its requirements:

  • State and local government bodies
  • Nonprofit organizations
  • Institutions of higher education
  • Certain national security-related associations
  • Insurers, banks, credit unions, and specified financial institutions under Connecticut and federal law
  • HIPAA-covered entities and their business associates

Note: SB 1295 replaces the broad entity-level Gramm-Leach-Bliley Act (GLBA) exemption with a data-level exemption. This change is intended to close a loophole that allowed payday lenders and auto dealers to claim exemption based on their use of GLBA-regulated data, which was not the legislature's intent.

Certain categories of data are also exempt, including:

  • De-identified data
  • Publicly available information (as narrowed by the 2026 amendments)
  • Data governed by federal frameworks, such as:
      • Fair Credit Reporting Act (FCRA)
      • Driver's Privacy Protection Act (DPPA)
      • Family Educational Rights and Privacy Act (FERPA)
      • Farm Credit Act (FCA)
      • Airline Deregulation Act (ADA)
  • Employment-related personal data (within specific limits)

Consumer Rights Under the Connecticut Data Privacy Act

Connecticut residents have several enforceable rights over personal data held by covered businesses. These rights must be honored within defined response windows, and businesses must provide accessible mechanisms for consumers to exercise them.

The primary rights under the CTDPA are:

Right to access

Consumers can confirm whether a controller is processing their data, obtain a copy of it, and access inferences drawn from their data. 

  • Controllers are prohibited from disclosing certain high-risk identifiers in response to access requests (e.g., Social Security numbers, biometric data, financial account numbers). Instead, they must inform the consumer that such data is held, not disclose it directly.

Right to correction

Consumers can request that inaccuracies in their personal data be corrected, subject to some limitations.

Right to deletion

Consumers can request deletion of personal data provided by or about them.

Right to data portability

Consumers can obtain a portable copy of their data to a technically feasible extent.

Right to opt-out

Consumers can opt out of the processing of their personal data for: 

  • Targeted advertising
  • Sale
  • Profiling in connection with automated decision-making that could produce legal or similarly significant effects

Under the 2025 amendments, if a consumer's personal data is used in profiling, the consumer also has the right to question the result, receive an explanation for the decision, and review the data used. In housing-related decisions, they have the right to have the decision reevaluated after correcting their data.

Responding to Consumer Requests

Companies must respond to verified consumer requests within 45 days. An additional 45-day extension is available where reasonably necessary, for example, where the controller receives a high volume of requests or the request is unusually complex. 

Consumers have the right to appeal a denial of their request, and may also designate an authorized agent to exercise their opt-out right on their behalf.

The CTDPA does not provide consumers with a private right of action, so individuals cannot sue companies directly for violations. Enforcement is handled exclusively by the Connecticut Attorney General. 
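The two rules above that are easiest to get wrong in practice are the access-request carve-out (high-risk identifiers must be acknowledged but not returned) and the 45-day response window with its optional 45-day extension. The following is an added example, not code from the page's author or from any vendor, showing one way to build an access response and compute the deadline. Field names, the record layout, and the helper names are assumptions made for this example.

```javascript
// Added example (not from the CTDPA text or any vendor): assemble a
// right-to-access response that returns the consumer's personal data and the
// inferences drawn from it, withholds the high-risk identifiers that must not
// be disclosed (reporting only that they are held), and computes the response
// deadline with the optional 45-day extension.

// Identifier fields that are acknowledged as held but never returned in full.
// The field names are assumptions for this example.
const WITHHELD_FIELDS = {
  ssn: 'Social Security number',
  biometric_template: 'biometric data',
  bank_account_number: 'financial account number',
};

// Build the response body: ordinary fields are disclosed, withheld fields are
// listed by category only, and fields the controller does not hold are omitted.
function buildAccessResponse(record) {
  const disclosed = {};
  const heldButNotDisclosed = [];
  for (const [field, value] of Object.entries(record)) {
    if (value === null || value === undefined) continue; // not held
    if (Object.prototype.hasOwnProperty.call(WITHHELD_FIELDS, field)) {
      heldButNotDisclosed.push(WITHHELD_FIELDS[field]);
    } else {
      disclosed[field] = value;
    }
  }
  return { disclosed, heldButNotDisclosed };
}

// Response window: 45 days from receipt of a verified request, extendable by
// a further 45 days where reasonably necessary (both figures from the CTDPA).
const RESPONSE_DAYS = 45;
const EXTENSION_DAYS = 45;

// Add calendar days in UTC and return an ISO date (YYYY-MM-DD).
function addDaysUtc(isoDate, days) {
  const d = new Date(isoDate);
  if (Number.isNaN(d.getTime())) throw new Error(`invalid date: ${isoDate}`);
  d.setUTCDate(d.getUTCDate() + days);
  return d.toISOString().slice(0, 10);
}

function responseDeadline(receivedOn, extended = false) {
  const days = RESPONSE_DAYS + (extended ? EXTENSION_DAYS : 0);
  return addDaysUtc(receivedOn, days);
}

// Constructed sample record with fictitious values (not real data).
const sampleRecord = {
  name: 'Pat Example',
  email: 'pat@example.com',
  inferred_interests: ['hiking', 'home improvement'], // inferences are in scope
  ssn: '000-00-0000',
  biometric_template: null, // no biometric data held for this consumer
  bank_account_number: '000000000',
};

function demo() {
  const response = buildAccessResponse(sampleRecord);
  return {
    ...response,
    deadline: responseDeadline('2025-07-01'),
    extendedDeadline: responseDeadline('2025-07-01', true),
  };
}
```

Running `demo()` returns the name, email, and inferences, lists "Social Security number" and "financial account number" as held but not disclosed, omits the biometric category because nothing is held, and gives a 2025-08-15 deadline (2025-09-29 if extended) for a request received on 2025-07-01.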

Business Obligations Under the CTDPA

Covered businesses have a range of affirmative obligations under the Connecticut Data Privacy Act. These fall broadly into consent, transparency, data security, and risk assessment requirements.

The CTDPA requires consent to be freely given, specific, informed, and unambiguous. This is a standard familiar from the GDPR. Opt-in consent must be obtained before:

  • Processing sensitive personal data
  • Collecting or processing personal data from children under 13 (with parental or guardian consent required)
  • Processing personal data for any material purpose not originally disclosed to consumers

Minors Aged 13–17: Targeted Advertising and Data Sales

The 2025 amendments prohibit controllers from processing the personal data of consumers aged 13–17 for targeted advertising or sale. This is an outright prohibition, so consent, including parental consent, does not provide a lawful basis. Prior to these amendments, opt-in consent could authorize such processing for this age group.

Consent cannot be obtained through dark patterns. The CTDPA explicitly states that if manipulative design is used to obtain consent, the consent is invalid because it cannot be freely given, specific, informed, or unambiguous. 

The Connecticut Attorney General's 2025 enforcement report named dark patterns in cookie banners a specific enforcement priority, flagging interfaces that make opting out meaningfully harder than opting in as non-compliant.

If a consumer revokes consent, the controller must stop processing their data as soon as practicable and no later than 15 days from receipt of the revocation. The mechanism for revoking consent must be at least as easy to use as the mechanism for giving it.

Privacy Notice Requirements

Controllers must maintain a reasonably clear and accessible privacy notice that includes:

  • The categories of personal data processed and the purposes for processing
  • Instructions for consumers to exercise their rights, including how to submit and appeal requests
  • The categories of personal data shared with third parties
  • An accessible means of contact (such as an email address or web form)
  • A statement disclosing whether the controller collects, uses, or sells personal data for training large language models (LLMs)

Privacy notices must be kept current. The Connecticut Attorney General's 2025 enforcement report highlighted privacy notice accuracy as a top priority, and the first CTDPA enforcement settlement, which came with a USD 85,000 resolution, arose from a company's failure to update its notice more than a year after receiving a notice to cure.

Data Minimization and Purpose Limitation

Controllers must limit their collection of personal data to what is reasonably necessary and proportionate to the disclosed processing purposes. 

Under SB 1295 (effective July 2026), the standard shifts from "adequate, relevant and reasonably necessary" to "reasonably necessary and proportionate," a refinement that more closely mirrors language in recent state privacy laws. 

Controllers may not process data for purposes that are neither reasonably necessary nor compatible with those disclosed, unless they obtain fresh consent.

Data Security

Controllers must implement reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data. The required rigor scales with the volume and sensitivity of the data handled. 

Controllers are also responsible for the data processing conducted by third-party processors on their behalf and must have contractual agreements in place that govern those relationships.

Nondiscrimination

Controllers are prohibited from discriminating against consumers who exercise their rights under the CTDPA. One carve-out applies where a consumer's opt-out conflicts with their voluntary participation in a loyalty or rewards program: the controller may notify the consumer of the conflict and ask them to confirm their choice. 

The 2025 amendments also established bias auditing as a potential affirmative defense against discrimination complaints.

Data Protection Assessments

Covered businesses must conduct data protection assessments (DPAs) for processing activities that present a heightened risk of harm to consumers. These assessments weigh the risks and benefits of processing for all affected parties. Required triggers include:

  • Processing personal data for targeted advertising
  • Selling personal data
  • Processing sensitive data
  • Processing personal data for profiling where the profiling could result in unfair treatment, financial or reputational harm, intrusion on privacy, or other substantial injury

DPAs have been required since July 1, 2023; the requirement is not retroactive. If a controller already produces substantially similar DPAs to satisfy another law (such as Virginia's CDPA or Colorado's CPA), those assessments may satisfy CTDPA requirements. DPAs must be provided to the Attorney General upon request during any investigation.

Updates to the law have added a separate "impact assessment" requirement for profiling activities that produce legal or similarly significant effects concerning consumers, and for processing of minors' data for profiling purposes. These impact assessments are required for relevant processing activities created on or after August 1, 2026.

Consumer Opt-Out Mechanism

If a controller sells personal data to third parties or processes it for targeted advertising, it must provide a clear and conspicuous link on its website that enables consumers to opt out. The link text need not follow a specific formula, but should be functionally similar to the CCPA/CPRA's "Do Not Sell or Share My Personal Information."

Since January 1, 2025, controllers must also honor universal opt-out preference signals. The Global Privacy Control (GPC) is the most widely used implementation of this browser-based signal. Connecticut is one of three states to date, along with California and Colorado, that explicitly require respecting the GPC signal, though nine other states require respecting a universal opt-out signal (or Universal Opt-Out Mechanism).

Cookiebot by Usercentrics supports GPC recognition, enabling websites to automatically process opt-out signals without requiring consumers to take additional steps. The Connecticut Attorney General's 2025 enforcement report identified universal opt-out compliance as an active enforcement priority, including joint efforts with regulators in Colorado and California.

CTDPA Penalties and Enforcement

The Connecticut Attorney General holds exclusive enforcement authority under the CTDPA. Violations are treated as unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA), which means the CTDPA itself does not specify financial penalties directly. Instead, penalties flow from CUTPA.

Under CUTPA, courts may impose:

  • Civil penalties of up to USD 5,000 for willful violations
  • Actual and punitive damages, attorney's fees, and court costs
  • Restraining orders that could require a business to halt data collection operations
  • Additional penalties of up to USD 25,000 for violation of a restraining order

The CTDPA included a mandatory 60-day cure period until the end of December 2024. Now that it has sunset, the decision to grant a cure period is entirely at the Attorney General's discretion.

Factors considered include the number and nature of violations, the size of the business, the risk to the public, and whether the violation was likely caused by human or technical error rather than willful conduct.

CTDPA Enforcement Progression: What Businesses Need to Know

The Connecticut Attorney General's office issued its third annual CTDPA enforcement report in early 2026, covering activity through 2025. Several developments are directly relevant to U.S. businesses managing compliance.

First Enforcement Settlement

The Office of the Attorney General (OAG) announced its first formal CTDPA settlement in July 2025. This was a USD 85,000 resolution with an online ticketing platform over failure to update its privacy notice after receiving a notice to cure. The OAG emphasized that this signals its intent to follow through beyond the notice stage.

The OAG stated it has been actively reviewing cookie banners that undermine consumers' ability to exercise privacy choices. The enforcement report noted that making it harder to opt out than to opt in violates the CTDPA, even though the law does not require cookie banners per se. Companies whose consent flows are asymmetric — easier to accept than to refuse — are at risk.

Universal Opt-out Signals

The OAG has a dedicated team tracking compliance with the universal opt-out requirement, including the GPC. Cross-state enforcement coordination with California and Colorado regulators is active.

Genetic Data and Bankruptcy

The OAG intervened in a genetic testing company's bankruptcy to ensure Connecticut residents' genetic data was protected and that data rights were honored. It also urged the legislature to adopt a standalone genetic data privacy law.

Minors' Privacy

The OAG launched multiple investigations into platforms it believes may have exploited children's sensitive data, framing minors' privacy as an ongoing primary focus.

Data Broker Exemption Abuse

The OAG flagged that roughly a third of complaints it received involved businesses asserting broad exemptions, particularly the publicly available data exemption used by data brokers and people-search services.

How the CTDPA Compares to Other U.S. State Privacy Laws

The CTDPA is frequently described as more consumer-friendly than average among U.S. state laws. The following comparisons are not exhaustive — there are now over 20 state privacy laws in the U.S. — but they are useful for businesses navigating multi-state compliance.

CTDPA vs. California (CCPA/CPRA)

California remains the strictest jurisdiction, with broader sensitive data categories, higher revenue thresholds, and a dedicated enforcement agency — the California Privacy Protection Agency (CPPA)/CalPrivacy. Connecticut has the more common Attorney General-led model. 

The 2025 CTDPA amendments moved Connecticut's sensitive data definition noticeably closer to the CCPA's, but California's regulatory infrastructure remains in a different class.

California offers a private right of action, though it is narrower than it may appear: it currently applies to data breaches rather than general privacy violations, meaning consumers cannot independently sue over most CCPA infractions.

Unlike California, Connecticut does not cover data "sharing" as a distinct form of sale, though that distinction narrows with each amendment cycle. 

CTDPA vs. Virginia (CDPA) and Colorado (CPA)

Connecticut's law closely mirrors Virginia's and Colorado's in structure, including the use of data protection assessments, the opt-out model, and similar consumer rights. Colorado and Connecticut both now require businesses to honor universal opt-out signals; Virginia does not yet mandate this.

While Connecticut's 2025 CTDPA updates expanded consumer rights and tightened business obligations, they stopped short of addressing AI-specific governance directly. Colorado has gone further: SB 24-205, the Colorado Artificial Intelligence Act, signed in 2024, introduces obligations specifically for developers and deployers of "high-risk" AI systems, including transparency requirements, risk management protocols, and protections against algorithmic discrimination.

For businesses operating across both states, this creates an asymmetry worth noting. Connecticut relies on its existing privacy framework — including data protection assessments — to indirectly govern automated decision-making. Colorado, by contrast, has established a parallel AI-specific regime that sits alongside the CPA rather than within it.

CTDPA vs. Utah (UCPA)

Utah's law is the most business-friendly in the U.S. It lacks universal opt-out signal requirements, has fewer sensitive data categories, and provides no right to correct inaccuracies. Connecticut's law is substantially stronger on consumer protections.

Utah's lighter regulatory footprint is evident in several specifics: its applicability thresholds are higher than Connecticut's, meaning fewer businesses fall under the law to begin with; it does not require data protection assessments; and its cure period for violations is unlimited, with no sunset provision. Connecticut's cure period, by contrast, transitions to a discretionary model — reflecting a deliberate move toward stronger enforcement over time.

No revenue threshold

Unlike California (USD 25 million gross revenue, adjusted every two years for inflation) and Utah (USD 25 million), Connecticut has no revenue threshold. This is in line with several of the more recent privacy laws passed in other states.

The only question is whether a company meets the data volume or data type thresholds, making the law potentially applicable to mid-market businesses that California's law would not reach.

Many of the CTDPA's practical requirements intersect directly with how websites deploy cookies and tracking technologies. The opt-out model means cookies used for targeted advertising and data sales can be activated by default, but only if consumers are given a clear and accessible way to opt out. 

The universal opt-out signal requirement adds a technical layer: websites must be able to detect and honor GPC signals automatically.
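The universal opt-out requirement described here and in the enforcement section above has a concrete technical shape: GPC-enabled browsers expose `navigator.globalPrivacyControl` to page scripts and send a `Sec-GPC: 1` request header to the server. The following is an added example, not Cookiebot or Usercentrics code and not part of the original post, showing both detection paths, how a detected signal is applied to a per-purpose consent record, and a symmetric accept/reject choice together with the 15-day revocation deadline from the consent section. The purpose names, the record shape, and the helper names are assumptions made for this example.

```javascript
// Added example (not vendor code): detect the Global Privacy Control (GPC)
// universal opt-out signal on the client and the server, apply it to a
// per-purpose consent record, and track the revocation deadline.

// Browser side: GPC-enabled browsers expose navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Server side: the same browsers send the request header "Sec-GPC: 1".
// Header names are matched case-insensitively, as HTTP requires.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Purposes the CTDPA lets a consumer opt out of. Strictly necessary cookies
// are outside the opt-out and stay enabled. Purpose names are assumptions.
const OPT_OUT_PURPOSES = ['sale', 'targeted_advertising', 'profiling'];

// Opt-out model: these purposes may be active before any choice is made.
function defaultConsent() {
  return { necessary: true, sale: true, targeted_advertising: true, profiling: true };
}

// A detected GPC signal is treated as a valid opt-out request and turns off
// every opt-out purpose without any further step by the consumer. The signal
// can only remove permissions, never grant them.
function applyGpc(consent, gpcDetected) {
  const updated = { ...consent };
  if (gpcDetected) {
    for (const purpose of OPT_OUT_PURPOSES) updated[purpose] = false;
  }
  return updated;
}

// Banner choices: "accept all" and "reject all" are each a single action of
// the same cost, so refusing is never harder than accepting (the asymmetry
// the Attorney General's report flags as non-compliant).
function recordChoice(consent, choice) {
  if (choice !== 'accept_all' && choice !== 'reject_all') {
    throw new Error(`unknown choice: ${choice}`);
  }
  const updated = { ...consent };
  for (const purpose of OPT_OUT_PURPOSES) updated[purpose] = choice === 'accept_all';
  return updated;
}

// Revoked consent must stop processing no later than 15 days after receipt.
const REVOCATION_DAYS = 15;
function revocationDeadline(receivedAtIso) {
  const d = new Date(receivedAtIso);
  if (Number.isNaN(d.getTime())) throw new Error(`invalid date: ${receivedAtIso}`);
  d.setUTCDate(d.getUTCDate() + REVOCATION_DAYS);
  return d.toISOString();
}

// Combine the stored record with any GPC signal present on this request.
function effectiveConsent(storedConsent, request) {
  const gpc = gpcFromHeaders(request.headers) || gpcFromNavigator(request.navigator);
  return applyGpc(storedConsent, gpc);
}

// Constructed sample request from a GPC-enabled browser (not a real capture).
const sampleRequest = {
  headers: { 'User-Agent': 'ExampleBrowser/1.0', 'Sec-GPC': '1' },
  navigator: undefined,
};

function demo() {
  // Nothing chosen yet, so the opt-out purposes are on by default;
  // the GPC header on the request turns them off.
  return effectiveConsent(defaultConsent(), sampleRequest);
}
```

Checking the header server-side matters because the signal must be honored on the first response, before any consent script has run; checking `navigator.globalPrivacyControl` covers single-page flows where the banner logic runs client-side. A stored "accept all" is still overridden by a GPC signal in this model, which is the conservative reading; how a later explicit choice interacts with the signal is a policy decision the page does not settle.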

Cookiebot by Usercentrics automatically scans websites to identify all cookies and tracking technologies in use, categorizes them, and populates the consent banner and privacy notice accordingly. The platform supports GPC signal recognition and maintains auditable consent records — both of which are directly relevant to the CTDPA's opt-out and transparency requirements. 

As U.S. privacy laws continue to evolve, Cookiebot by Usercentrics updates automatically to reflect new requirements, reducing the compliance overhead for businesses operating across multiple states.

For businesses managing compliance across several U.S. state privacy laws simultaneously, a consent management platform (CMP) provides a scalable framework: one integration that adapts to different legal requirements by jurisdiction, without requiring separate implementations for each state.

Frequently asked questions

What businesses does the CTDPA apply to?

Until July 2026, the CTDPA applies to businesses that:

  • Process the personal data of 100,000 or more Connecticut residents annually, or 
  • Process data of 25,000 or more residents and derive over 25% of gross revenue from data sales 

From July 2026, the threshold drops to 35,000 residents for general processing, and there is no volume threshold at all for businesses engaged in any sale of personal data or processing of sensitive data.

What rights do Connecticut consumers have under the CTDPA?

Connecticut residents have the right to access, correct, delete, and obtain a portable copy of their personal data. They can opt out of the sale of their data, its use for targeted advertising, and its use in profiling for automated decision-making with significant effects. 

Since 2025, they can also question profiling outcomes and receive explanations for profiling-based decisions. They cannot, however, sue companies directly. Enforcement is handled by the Attorney General.

What are the penalties for violating the CTDPA?

Violations of the CTDPA are treated as unfair trade practices under CUTPA. Courts can impose civil penalties of up to USD 5,000 per willful violation, plus actual and punitive damages, attorney's fees, and costs. 

Restraining orders are also available, and violating a restraining order can result in a USD 25,000 penalty. The right-to-cure period that previously gave businesses 60 days to fix violations sunsetted at the end of 2024; cure is now at the Attorney General's discretion.

How does the CTDPA handle children's data?

The CTDPA defines children as those under 13, consistent with COPPA, and requires parental or guardian consent before processing their data. Processing the personal data of anyone under 18 for targeted advertising, sale, or significant profiling is categorically prohibited. Until 2025, consent could authorize these activities for minors; it is no longer a valid basis.