Connecticut Data Privacy Laws: CTDPA Consumer Rights Guide (2026)

Connecticut has established itself as a national leader in consumer data privacy protection. The Connecticut Data Privacy Act (CTDPA), signed into law on May 10, 2022, as Public Act 22-15, makes Connecticut one of the first five states to enact comprehensive data privacy legislation. The law took effect on July 1, 2023, and has been significantly amended twice since then.
This guide covers everything Connecticut residents and businesses need to know about the state's data privacy laws, including the CTDPA, data breach notification requirements, enforcement actions, and the major 2025 amendments that expand the law's scope.
What Is the Connecticut Data Privacy Act (CTDPA)?
The Connecticut Data Privacy Act is codified at Conn. Gen. Stat. 42-515 through 42-525. Originally modeled on the Colorado Privacy Act, the CTDPA establishes comprehensive privacy rights for Connecticut residents and imposes specific obligations on businesses that collect and process personal data.

The law protects Connecticut residents acting in an individual or household context, such as browsing the internet or making a purchase. It does not protect individuals acting in an employment context, such as applying for a job or performing work duties.
Connecticut's approach to data privacy is notable for several reasons. Unlike California's CCPA, the CTDPA has no annual revenue threshold. Unlike Utah's law, it does not require businesses to exceed a revenue requirement to fall within scope. This makes the CTDPA one of the more consumer-friendly state privacy laws in the country.
Who Must Comply With the CTDPA?
The CTDPA applies to businesses that conduct business in Connecticut or produce products or services targeted to Connecticut residents and meet one of the following thresholds:
- Consumer volume threshold: Control or process personal data of at least 100,000 Connecticut consumers during the preceding calendar year (this drops to 35,000 consumers effective July 1, 2026, per Public Act 25-113)
- Data sales threshold: Control or process personal data of at least 25,000 consumers while deriving more than 25% of gross revenue from the sale of personal data
- Sensitive data processing: Control or process sensitive data of any number of consumers (effective July 1, 2026, no volume threshold required)
- Data sale activity: Offer consumers' personal data for sale in trade or commerce (effective July 1, 2026, no volume threshold required)
- Consumer Health Data: All Consumer Health Data Controllers are covered regardless of size or scale
There is no annual revenue threshold for the CTDPA to apply, which distinguishes it from several other state privacy laws.
Exempt Entities
The following entities are exempt from the CTDPA:
- State and local government agencies
- Nonprofit organizations (except for Consumer Health Data provisions)
- Higher education institutions
- National securities associations registered under the Securities Exchange Act of 1934
- Entities subject to HIPAA (Health Insurance Portability and Accountability Act)
Importantly, the 2025 amendments (Public Act 25-113) replaced the blanket entity-level GLBA (Gramm-Leach-Bliley Act) exemption with a more targeted data-level exemption. Financial institutions like insurers, banks, and credit unions receive specific exemptions rather than a blanket exemption. A new exemption for political organizations was also added.
Exempt Data Types
Certain types of data are exempt from the CTDPA when maintained in compliance with other federal laws:
- Data regulated under the Gramm-Leach-Bliley Act (data-level exemption)
- Protected health information under HIPAA
- Data covered by the Fair Credit Reporting Act
- Data protected by the Family Educational Rights and Privacy Act (FERPA)
- Data processed for specified regulatory compliance purposes
Consumer Rights Under the CTDPA
The CTDPA grants Connecticut residents five core privacy rights over their personal data:
Right to Access
Consumers can request confirmation of whether a controller is processing their personal data and obtain a copy of that data. The 2025 amendments expanded this right to include the right to know what inferences have been derived from their personal data. Controllers must respond within 45 days, with one possible 45-day extension.
Right to Correct
Consumers can request that a controller correct inaccuracies in their personal data, taking into account the nature of the data and the purposes of processing.
Right to Delete
Consumers can request deletion of their personal data, including data that the controller collected through third-party sources. This is a broad deletion right that extends beyond data directly provided by the consumer.
Right to Data Portability
Consumers can obtain a copy of their personal data in a portable and readily usable format that allows transfer to another controller without hindrance.
Right to Opt Out
Consumers can opt out of three types of processing:
- The sale of their personal data
- Targeted advertising based on their data
- Profiling that produces legal or similarly significant effects (the 2025 amendments expanded this from "solely automated" decisions to "any automated" decisions, including those with some human involvement)
Right to Appeal
If a controller denies a consumer rights request, the consumer has the right to appeal. The controller must respond to the appeal within 60 days, explaining any actions taken and reasons for the decision. If the appeal is denied, the controller must provide information on how to file a complaint with the Connecticut Attorney General.
Universal Opt-Out Preference Signals
As of January 1, 2025, all controllers subject to the CTDPA must honor universal opt-out preference signals, such as Global Privacy Control, sent through privacy-protective browsers or browser extensions. The signal must come from a platform or mechanism that enables the controller to accurately determine whether the consumer is a Connecticut resident. Controllers may notify consumers of conflicts with prior consent choices but cannot override the opt-out signal.
Sensitive Data Protections
The CTDPA requires controllers to obtain explicit, affirmative consent before processing sensitive data. Under the law, sensitive data includes:
- Data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health conditions, diagnoses, disability, or treatment
- Sexual orientation or sexual activity
- Citizenship or immigration status
- Genetic data
- Biometric data used to identify a specific individual
- Personal data from a known child under age 13
- Precise geolocation data
- Consumer health data
The 2025 amendments (Public Act 25-113) expanded the definition of sensitive data to also include:
- Transgender or nonbinary status
- Neural data (defined as information generated by measuring activity of an individual's central nervous system)
- Financial account numbers with access credentials
- Government-issued identification numbers
Additionally, the amended law requires separate, explicit consumer consent before a controller may sell sensitive data. The definition of "publicly available information" was updated to exclude biometric data collected without consumer consent, aligning with California's approach under the CCPA.
Children's and Minors' Data Protections
Connecticut provides some of the strongest protections for children's and minors' data of any state privacy law:
Children Under 13
Personal data collected from a child whom the controller actually knows to be under 13 is classified as sensitive data. Processing requires parental consent consistent with COPPA (Children's Online Privacy Protection Act) standards.
Minors Ages 13 to 17
Since October 1, 2024, consumers under 16 must provide opt-in consent before their data can be sold or used for targeted advertising. The 2025 amendments went further:
- Controllers are categorically prohibited from processing minors' personal data for targeted advertising or sale, regardless of whether consent is obtained
- Controllers cannot use system design features that significantly increase, sustain, or extend a minor's use of an online service (anti-addictive design provisions)
- Impact assessments are required when profiling minors
- Restrictions apply to the collection of minors' geolocation data and direct messaging capabilities
The February 2026 enforcement report from Attorney General William Tong disclosed multiple active investigations related to the safety of children and teens online, spanning messaging platforms, gaming, and AI chatbots.
Business Obligations Under the CTDPA
Controllers subject to the CTDPA must comply with the following obligations:
Privacy Notice Requirements
Controllers must provide a clear, accessible privacy notice that describes:
- Categories of personal data processed
- Purposes of processing
- How consumers can exercise their rights
- Categories of personal data shared with third parties
- Categories of third parties with whom data is shared
- An easily accessible link for opting out of targeted advertising or data sales
Data Minimization
Collection of personal data must be limited to what is "reasonably necessary and proportionate" in relation to the disclosed purposes. Processing for materially new purposes requires additional consent unless compatible with the original disclosed purposes.
Data Protection Assessments
Controllers must conduct and document data protection assessments for high-risk processing activities, including:
- Targeted advertising
- Sale of personal data
- Processing sensitive data
- Profiling that presents a risk of unfair treatment, financial injury, or intrusion on solitude
The 2025 amendments created additional "impact assessment" requirements, separate from data protection assessments, specifically for profiling that produces legal or similarly significant effects on consumers.
Processor Requirements
Processors must assist controllers in meeting their obligations. Controller-processor contracts must include provisions on data processing instructions, confidentiality, deletion or return of data upon contract termination, and cooperation with assessments.
Security Safeguards
Controllers must implement and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data.
LLM Training Disclosure
Effective July 1, 2026, controllers must disclose whether they collect personal data for the purpose of training large language models, a provision that reflects growing concerns about AI and data use.
Connecticut Data Breach Notification Law
Separate from the CTDPA, Connecticut's data breach notification statute (Conn. Gen. Stat. 36a-701b) imposes specific requirements on businesses that experience a security breach involving personal information.
Who Must Report
Any person who owns, licenses, or maintains computerized data that includes personal information must report a breach. This includes businesses of all sizes operating in Connecticut.
Definition of Personal Information
Under the breach notification law, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following:
- Social Security number
- Driver's license number or state identification card number
- Account number, credit card number, or debit card number combined with any required security code, access code, or password that would permit access to the account
- Taxpayer identification number
- Passport number
- Medical information or health insurance information
- Biometric information
Notification Timeline
Notice to affected Connecticut residents must be provided without unreasonable delay and no later than 60 days from discovery of the breach. Notice to the Office of the Attorney General must be provided no later than when residents are notified.
Credit Monitoring Requirement
If a resident's Social Security number or taxpayer identification number is compromised, the business must offer 24 months of free credit monitoring services to affected individuals. This is among the longer credit monitoring periods required by any state.
Penalties for Non-Compliance
Failure to comply with breach notification requirements constitutes a violation of the Connecticut Unfair Trade Practices Act (CUTPA), which can result in civil penalties and enforcement action by the Attorney General.
CTDPA Penalties and Enforcement
The Connecticut Attorney General has exclusive enforcement authority over the CTDPA. There is no private right of action, meaning consumers cannot sue businesses directly for violations.
Civil Penalties
| Violation Type | Maximum Penalty |
|---|---|
| CTDPA violation (per violation) | $5,000 |
| Data breach notification failure (CUTPA) | $5,000 per violation |
| Pattern of violations | Injunctive relief, restitution, disgorgement |
Violations are enforced under the Connecticut Unfair Trade Practices Act. In addition to monetary penalties, the Attorney General can seek injunctive relief to stop ongoing violations, restitution for affected consumers, and disgorgement of profits gained from illegal data practices.
Cure Period Changes
When the CTDPA first took effect, controllers received a 60-day right to cure violations after receiving notice from the Attorney General. This mandatory cure period expired on December 31, 2024. Since January 1, 2025, the Attorney General may proceed directly to enforcement without offering a cure period, though the AG retains discretion to provide one.
When deciding whether to offer a cure opportunity, the Attorney General may consider:
- The number of violations
- The size and complexity of the controller or processor
- The nature and extent of processing activities
- The substantial likelihood of injury to the public
- Safety of persons or property
- Whether the violation was caused by human or technical error
First Enforcement Action: TicketNetwork Settlement
In July 2025, Attorney General Tong announced the first monetary settlement under the CTDPA. TicketNetwork LLC agreed to pay $85,000 to resolve allegations that:
- Its privacy notice was largely unreadable and missing key information about consumer rights
- Consumer rights request mechanisms were misconfigured or inoperable
- The company repeatedly represented it had fixed deficiencies when it had not
- The company failed to respond timely to follow-up correspondence from the Attorney General
The Attorney General had first sent a cure notice to TicketNetwork on November 9, 2023, just four months after the CTDPA took effect. The company was given 60 days to fix the issues but failed to act. It was the only company that did not comply with an initial cure notice during the cure period.
2026 Enforcement Report
Attorney General Tong released the third annual CTDPA enforcement report on February 5, 2026. Key findings include:
- Dozens of violation notices and warning letters were issued throughout 2025
- Multiple data breach settlements were finalized
- Multiple active investigations focus on children's safety online, including messaging platforms, gaming, and AI chatbots
- Investigation priorities included connected vehicles and geolocation tracking, social media targeting youth, data brokers, and AI products posing risks to minors
The report recommended legislative action to narrow "publicly available information" definitions, establish standalone genetic privacy laws, enact chatbot safeguards, and enhance consumer opt-out provisions.
2025 Amendments (SB 1295 / Public Act 25-113)
Connecticut has been one of the most active states in strengthening its privacy law. The 2025 amendments, enacted June 24, 2025, as Public Act 25-113, take effect July 1, 2026 (with impact assessment requirements applying to processing activities created on or after August 1, 2026). Key changes include:
Lowered Applicability Threshold
The consumer processing threshold drops from 100,000 to 35,000 Connecticut consumers. At approximately 0.95% of Connecticut's 3.675 million population, this significantly expands the number of businesses subject to the law.
Expanded Sensitive Data Categories
New categories added: disability or treatment status, transgender or nonbinary status, neural data, financial account numbers with access credentials, and government-issued identification numbers.
Stronger Minor Protections
Categorical prohibition on processing minors' data for targeted advertising or sale, regardless of consent. Anti-addictive design requirements for online services used by minors.
GLBA Exemption Restructured
Entity-level GLBA exemption replaced with targeted data-level and entity-specific exemptions.
Enhanced Consumer Rights
Right to access now includes inferences. Right to receive lists of third parties who purchased their data. Profiling opt-out expanded beyond "solely automated" decisions.
AI and LLM Transparency
Controllers must disclose whether personal data is collected for training large language models.
Impact Assessment Requirements
New impact assessments required (separate from existing data protection assessments) for profiling that produces legal or similarly significant effects.
How Connecticut Compares to Other State Privacy Laws
Connecticut's CTDPA stands out among state privacy laws for several reasons:
- No revenue threshold: Unlike California (CCPA) and Utah (UCPA), there is no revenue requirement for the law to apply
- Universal opt-out signals: Connecticut was among the first states to mandate that businesses honor Global Privacy Control and similar mechanisms
- Strong minor protections: The categorical ban on processing minors' data for advertising or sale, regardless of consent, goes further than most state laws
- Proactive enforcement: The Attorney General's office has been one of the most active in the country, issuing dozens of notices and completing the first monetary settlement within two years of the law's effective date
- Frequent amendments: Connecticut has amended the CTDPA twice in three years, consistently strengthening protections and expanding scope
- Neural data protections: Connecticut is among a small number of states to include neural data in its sensitive data definition
- Anti-dark pattern provisions: The CTDPA explicitly prohibits the use of dark patterns to obtain consumer consent
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently. Consult a licensed attorney in Connecticut for advice on your specific situation. Last reviewed: March 2026.