Connecticut Data Privacy Laws: CTDPA Consumer Rights Guide (2026)

Connecticut gives residents six enforceable privacy rights under the Connecticut Data Privacy Act, codified at Conn. Gen. Stat. 42-515 through 42-525 and effective July 1, 2023. Those rights cover access, correction, deletion, portability, opt-out from data sales and targeted advertising, and appeal, with civil penalties up to $5,000 per violation enforced by the Attorney General.
Connecticut has built one of the most active comprehensive data privacy regimes in the United States. The Connecticut Data Privacy Act (CTDPA), signed on May 10, 2022, as Public Act 22-15 and effective July 1, 2023, made Connecticut one of the first five states with a comprehensive consumer privacy law. The law has since been amended three times, most recently by Public Act 26-64 (Substitute SB 4), signed May 27, 2026 and effective October 1, 2026.
This guide covers the CTDPA's scope, consumer rights, business obligations, and enforcement record, the state's data breach notification statute, the Insurance Data Security Law, and the federal overlay that applies to Connecticut residents regardless of the CTDPA's scope.
What Is the Connecticut Data Privacy Act (CTDPA)?
The Connecticut Data Privacy Act is codified at Conn. Gen. Stat. 42-515 through 42-525. Originally modeled on the Colorado Privacy Act, the CTDPA establishes comprehensive privacy rights for Connecticut residents and imposes specific obligations on businesses that collect and process personal data.
The law protects Connecticut residents acting in an individual or household context, such as browsing the internet or making a purchase. It does not protect individuals acting in an employment context, such as applying for a job or performing work duties.

Connecticut's approach to data privacy is notable for several reasons. Unlike California's CCPA and Utah's UCPA, the CTDPA has no annual revenue threshold, so a business does not need to exceed a revenue requirement to fall within scope. This makes the CTDPA one of the more consumer-friendly state privacy laws in the country.
Who Must Comply With the CTDPA?
The CTDPA applies to businesses that conduct business in Connecticut or produce products or services targeted to Connecticut residents and meet one of the following thresholds:
- Current consumer volume threshold (through June 30, 2026): Control or process personal data of at least 100,000 Connecticut consumers during the preceding calendar year
- Reduced consumer volume threshold (effective July 1, 2026, per Public Act 25-113): Control or process personal data of at least 35,000 Connecticut consumers
- Data sales threshold: Control or process personal data of at least 25,000 consumers while deriving more than 25% of gross revenue from the sale of personal data
- Sensitive data processing (effective July 1, 2026): Control or process sensitive data of any number of consumers, with no volume threshold
- Data sale activity (effective July 1, 2026): Offer consumers' personal data for sale in trade or commerce, regardless of volume
- Consumer Health Data: All Consumer Health Data Controllers are covered regardless of size or scale
There is no annual revenue threshold, which distinguishes the CTDPA from several other state privacy laws including California's CCPA and Utah's UCPA.
Exempt Entities
The following entities are exempt from the CTDPA:
- State and local government agencies
- Nonprofit organizations (except for Consumer Health Data provisions)
- Higher education institutions
- National securities associations registered under the Securities Exchange Act of 1934
- Entities subject to HIPAA
- Political organizations (added by the 2025 amendments)
The 2025 amendments (Public Act 25-113) replaced the blanket entity-level GLBA exemption with targeted data-level and entity-specific exemptions. Financial institutions such as insurers, banks, and credit unions receive specific exemptions rather than a blanket exemption.
Exempt Data Types
Certain types of data are exempt from the CTDPA when maintained in compliance with other federal laws:
- Data regulated under the Gramm-Leach-Bliley Act (data-level exemption)
- Protected health information under HIPAA
- Data covered by the Fair Credit Reporting Act
- Data protected by the Family Educational Rights and Privacy Act (FERPA)
- Data processed for specified regulatory compliance purposes
Consumer Rights Under the CTDPA
The CTDPA grants Connecticut residents six core privacy rights over their personal data.

Right to Access
Consumers can request confirmation of whether a controller is processing their personal data and obtain a copy of that data. The 2025 amendments expanded this right to include the right to know what inferences have been derived from their personal data. Controllers must respond within 45 days, with one possible 45-day extension.
Right to Correct
Consumers can request that a controller correct inaccuracies in their personal data, taking into account the nature of the data and the purposes of processing.
Right to Delete
Consumers can request deletion of their personal data, including data that the controller collected through third-party sources. This broad deletion right extends beyond data directly provided by the consumer.
Right to Data Portability
Consumers can obtain a copy of their personal data in a portable and readily usable format that allows transfer to another controller without hindrance.
Right to Opt Out
Consumers can opt out of three types of processing:
- The sale of their personal data
- Targeted advertising based on their data
- Profiling that produces legal or similarly significant effects (the 2025 amendments expanded this from "solely automated" decisions to "any automated" decisions, including those with some human involvement)
Right to Appeal
If a controller denies a consumer rights request, the consumer has the right to appeal. The controller must respond within 60 days, explaining any actions taken and reasons for the decision. If the appeal is denied, the controller must provide information on how to file a complaint with the Connecticut Attorney General.
Universal Opt-Out Preference Signals
As of January 1, 2025, all controllers subject to the CTDPA must honor universal opt-out preference signals, including Global Privacy Control, sent through privacy-protective browsers or extensions. The signal must come from a platform or mechanism that accurately determines whether the consumer is a Connecticut resident. Controllers cannot override the opt-out signal, though they may notify consumers of conflicts with prior consent choices.
In January 2025, Connecticut Attorney General William Tong joined the attorneys general of California and Colorado and the California Privacy Protection Agency in a joint investigative sweep targeting businesses not processing GPC signals. The coalition sent letters to businesses that were not processing opt-out requests submitted via GPC and requested immediate compliance. Over 40 million consumers use GPC as of 2025.
Sensitive Data Protections
The CTDPA requires controllers to obtain explicit, affirmative consent before processing sensitive data. Under the law, sensitive data includes:
- Data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health conditions, diagnoses, disability, or treatment
- Sexual orientation or sexual activity
- Citizenship or immigration status
- Genetic data
- Biometric data used to identify a specific individual
- Personal data from a known child under age 13
- Precise geolocation data
- Consumer health data
The 2025 amendments (Public Act 25-113) expanded the definition of sensitive data to also include:
- Transgender or nonbinary status
- Neural data (information generated by measuring activity of an individual's central nervous system)
- Financial account numbers with access credentials
- Government-issued identification numbers
Additionally, the amended law requires separate, explicit consumer consent before a controller may sell sensitive data. The definition of "publicly available information" was updated to exclude biometric data collected without consumer consent.
Children's and Minors' Data Protections
Connecticut provides some of the strongest protections for children's and minors' data of any state privacy law.
Children Under 13
Personal data collected from a child whom the controller has actual knowledge is under 13 is classified as sensitive data. Processing that data requires parental consent consistent with COPPA standards.
Minors Ages 13 to 17
Since October 1, 2024, consumers under 16 must provide opt-in consent before their data can be sold or used for targeted advertising. The 2025 amendments (effective July 1, 2026) went further:
- Controllers are categorically prohibited from processing minors' personal data for targeted advertising or sale, regardless of whether consent is obtained
- Controllers cannot use system design features that significantly increase, sustain, or extend a minor's use of an online service (anti-addictive design provisions)
- Impact assessments are required when profiling minors
- Restrictions apply to the collection of minors' geolocation data and direct messaging capabilities
The February 2026 enforcement report from Attorney General Tong disclosed multiple active investigations into the safety of children and teens online, spanning messaging platforms, gaming, and AI chatbots.
Connecticut's 2026 amendments, enacted as Public Act 26-64 (signed May 27, 2026, effective October 1, 2026), did not add new minor-specific provisions; the minor protections above come from Public Act 25-113. Public Act 26-64 instead targets data brokers, precise geolocation sales, facial recognition technology, and algorithmic pricing, addressed below.

Business Obligations Under the CTDPA
Controllers subject to the CTDPA must comply with the following obligations.
Privacy Notice Requirements
Controllers must provide a clear, accessible privacy notice that describes:
- Categories of personal data processed
- Purposes of processing
- How consumers can exercise their rights
- Categories of personal data shared with third parties
- Categories of third parties with whom data is shared
- An easily accessible link for opting out of targeted advertising or data sales
Data Minimization
Collection of personal data must be limited to what is "reasonably necessary and proportionate" in relation to the disclosed purposes. Processing for materially new purposes requires additional consent unless compatible with the original disclosed purposes.
Data Protection Assessments
Controllers must conduct and document data protection assessments for high-risk processing activities, including:
- Targeted advertising
- Sale of personal data
- Processing sensitive data
- Profiling that presents a risk of unfair treatment, financial injury, or intrusion on solitude
The 2025 amendments created separate "impact assessment" requirements for profiling that produces legal or similarly significant effects on consumers, distinct from the existing data protection assessments.
Processor Requirements
Processors must assist controllers in meeting their obligations. Controller-processor contracts must include provisions on data processing instructions, confidentiality, deletion or return of data upon contract termination, and cooperation with assessments.
Security Safeguards
Controllers must implement and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data.
LLM Training Disclosure
Effective July 1, 2026, controllers must disclose whether they collect personal data for the purpose of training large language models. This provision reflects growing concern about AI systems trained on consumer data without consent.
Connecticut Data Breach Notification Law
Separate from the CTDPA, Connecticut's data breach notification statute (Conn. Gen. Stat. 36a-701b) imposes specific requirements on businesses that experience a security breach involving personal information.
Who Must Report
Any person who owns, licenses, or maintains computerized data that includes personal information must report a breach. This includes businesses of all sizes operating in Connecticut.
Definition of Personal Information
Under the breach notification law, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following:
- Social Security number
- Driver's license number or state identification card number
- Account number, credit card number, or debit card number combined with any required security code, access code, or password that permits account access
- Taxpayer identification number
- Passport number
- Medical information or health insurance information
- Biometric information
Notification Timeline
Notice to affected Connecticut residents must be provided without unreasonable delay and no later than 60 days from discovery of the breach. Notice to the Office of the Attorney General must be provided no later than when residents are notified.
Credit Monitoring Requirement
If a resident's Social Security number or taxpayer identification number is compromised, the business must offer 24 months of free credit monitoring services to affected individuals. This is among the longer credit monitoring periods required by any state.
Penalties for Non-Compliance
Failure to comply with breach notification requirements constitutes a violation of the Connecticut Unfair Trade Practices Act (CUTPA), which can result in civil penalties and enforcement action by the Attorney General.

Connecticut Insurance Data Security Law
In addition to the CTDPA and the breach notification statute, Connecticut's Insurance Data Security Law (Conn. Gen. Stat. 38a-38 et seq., effective October 1, 2020) imposes cybersecurity obligations on entities licensed by the Connecticut Insurance Department. This includes insurers, agents, brokers, and other insurance industry licensees.
Core Requirements
Licensees must develop and maintain a written information security program. The program must be based on the licensee's risk assessment, be appropriate to the size and complexity of the licensee's operations, and address administrative, technical, and physical safeguards.
Cybersecurity Event Requirements
Licensees must investigate any suspected cybersecurity event, assess its nature and scope, identify any private information potentially compromised, and restore system security. Records relating to cybersecurity events must be retained for at least five years.
Notification to the Commissioner
Licensees must notify the Insurance Commissioner as soon as possible, but within three business days, after determining that a cybersecurity event occurred. The notification must include the date of the event, how the licensee discovered it, a general description of the information involved, and any remediation steps taken. Consumer notification follows the existing state breach notification law (Conn. Gen. Stat. 36a-701b).
Exemptions
Small licensees with fewer than 25 employees, less than $5 million in gross annual revenue from all insurance operations, or less than $10 million in year-end total assets may qualify for a partial exemption from the full written information security program requirement, subject to certification with the Insurance Department.
CTDPA Penalties and Enforcement
The Connecticut Attorney General has exclusive enforcement authority over the CTDPA. There is no private right of action, meaning consumers cannot sue businesses directly for violations.
Civil Penalties
| Violation Type | Maximum Penalty |
|---|---|
| CTDPA violation (per violation) | $5,000 |
| Data breach notification failure (CUTPA) | $5,000 per violation |
| Pattern of violations | Injunctive relief, restitution, disgorgement |
Violations are enforced under the Connecticut Unfair Trade Practices Act. In addition to monetary penalties, the Attorney General can seek injunctive relief to stop ongoing violations, restitution for affected consumers, and disgorgement of profits.
Cure Period Changes
When the CTDPA first took effect, controllers received a 60-day right to cure violations after receiving notice from the Attorney General. This mandatory cure period expired on December 31, 2024. Since January 1, 2025, the Attorney General may proceed directly to enforcement without offering a cure period, though the AG retains discretion to offer one.
When deciding whether to offer a cure opportunity, the Attorney General may consider:
- The number of violations
- The size and complexity of the controller or processor
- The nature and extent of processing activities
- The substantial likelihood of injury to the public
- Safety of persons or property
- Whether the violation was caused by human or technical error
First Enforcement Action: TicketNetwork Settlement
In July 2025, Attorney General Tong announced the first monetary settlement under the CTDPA. TicketNetwork LLC agreed to pay $85,000 to resolve allegations that:
- Its privacy notice was largely unreadable and missing key information about consumer rights
- Consumer rights request mechanisms were misconfigured or inoperable
- The company repeatedly represented it had fixed deficiencies when it had not
- The company failed to respond timely to follow-up correspondence from the Attorney General
The Attorney General had first sent a cure notice to TicketNetwork on November 9, 2023, four months after the CTDPA took effect. TicketNetwork was the only company that failed to comply with an initial cure notice during the cure period.
Joint GPC Enforcement Sweep (2025)
In January 2025, the Connecticut, California, and Colorado attorneys general, along with the California Privacy Protection Agency, announced a coordinated investigative sweep targeting businesses that were not processing opt-out requests submitted via Global Privacy Control. The coalition sent warning letters to companies identified as failing to honor GPC signals as required by law.
2026 Annual Enforcement Report
Attorney General Tong released the third annual CTDPA enforcement report on February 5, 2026. Key findings include:
- Dozens of notices of violation and warning letters issued throughout 2025
- Multiple data breach settlements finalized
- Multiple active investigations into children's and teens' safety online, including messaging platforms, gaming, and AI chatbots
- Investigation priorities: connected vehicles and geolocation tracking, social media targeting youth, data brokers, and AI products posing risks to minors
The report recommended legislative action to narrow "publicly available information" definitions, establish standalone genetic privacy protections, enact chatbot safeguards, and enhance consumer opt-out provisions.
2025 Amendments: Public Act 25-113 (SB 1295)
Connecticut enacted the 2025 amendments on June 24, 2025, as Public Act 25-113. Most provisions take effect July 1, 2026, with impact assessment requirements applying to processing activities created on or after August 1, 2026. Key changes include:
Lowered Applicability Threshold
The consumer processing threshold drops from 100,000 to 35,000 Connecticut consumers, significantly expanding the number of businesses subject to the law.
Expanded Sensitive Data Categories
New categories: disability or treatment status, transgender or nonbinary status, neural data, financial account numbers with access credentials, and government-issued identification numbers.
Stronger Minor Protections
Categorical prohibition on processing minors' data for targeted advertising or sale, regardless of consent. Anti-addictive design requirements for online services used by minors.
GLBA Exemption Restructured
Entity-level GLBA exemption replaced with targeted data-level and entity-specific exemptions.
Enhanced Consumer Rights
Right to access now includes derived inferences. Right to receive lists of third parties who purchased consumer data. Profiling opt-out expanded to cover any automated decision-making, not only fully automated decisions.
AI and LLM Transparency
Controllers must disclose whether personal data is collected for training large language models.
Impact Assessment Requirements
New impact assessments required for profiling that produces legal or similarly significant effects, separate from the existing data protection assessments.
2026 Amendments: Public Act 26-64 (SB 4)

Connecticut enacted its third round of CTDPA changes when Governor Lamont signed Substitute Senate Bill 4 as Public Act 26-64 on May 27, 2026. Every section of the act takes effect October 1, 2026. Public Act 26-64 does not change the CTDPA's applicability thresholds (Conn. Gen. Stat. 42-516 is unchanged); it adds new substantive protections plus a separate data broker program. Key provisions include:
Data Broker Registry
Businesses that sell or license brokered personal data about consumers with whom they have no direct relationship must register with the Department of Consumer Protection to do so in Connecticut on or after January 1, 2027, paying a $2,500 initial fee and a $2,500 annual renewal. The registry is publicly accessible.
Single-Deletion Mechanism
The act directs the Department of Consumer Protection to establish, by July 1, 2028, an accessible mechanism that lets a consumer submit one verified request to delete their personal data held by all registered data brokers at once, rather than contacting each broker separately.
Geolocation Sale Restrictions
The act prohibits any controller or third party from selling a consumer's precise geolocation data, defined as data that pinpoints an individual's location within a radius of 1,750 feet (Conn. Gen. Stat. 42-520(a)(3) and 42-521(a)(2)). The ban applies to selling that data outright and does not reach the content of communications or data generated by advanced utility metering infrastructure.
Facial Recognition Technology
The act defines facial recognition technology (Conn. Gen. Stat. 42-515(17)) as technology that analyzes facial features in still images or video to uniquely identify a specific individual. A controller that uses facial recognition on its premises for fraud prevention, security, or loss prevention must use it only to match against a database it exclusively maintains, and must post clearly legible signage at each entrance that alerts consumers and links to a facial recognition policy containing the Attorney General's contact information.
Algorithmic Pricing Disclosure
The act requires businesses to disclose when they use personalized algorithmic pricing based on a consumer's personal data and restricts certain surveillance pricing, with carve-outs such as loyalty and rewards programs. These provisions are enforced by the Attorney General as a Connecticut Unfair Trade Practices Act violation, with no private right of action.
Narrowed Definition of Publicly Available Information
The act narrows what counts as publicly available information (Conn. Gen. Stat. 42-515(35)), excluding biometric data collected without the consumer's knowledge, genetic data the consumer has not made public, nonconsensual intimate or synthetic intimate images, and personal data created by combining other data with publicly available information. Data outside that category receives the CTDPA's full protections.
Expanded Deletion Right
Consumers gain the right to delete publicly available information that has been collated into a consumer profile made available to others, along with any inference generated from it (Conn. Gen. Stat. 42-518(a)(3)).
Direct-to-Consumer Genetic Testing
Separately from the CTDPA, the act gives consumers a property right and exclusive control over biological samples and DNA test results held by direct-to-consumer genetic testing companies, and bars disclosure of results except with the consumer's express consent or under a court order, warrant, or subpoena.
Federal Overlay: Laws That Apply in Connecticut Regardless of the CTDPA
Several federal laws protect Connecticut residents' data independently of the CTDPA.
TAKE IT DOWN Act (Pub. L. 119-12, May 19, 2025)
The TAKE IT DOWN Act, signed by President Trump on May 19, 2025, makes it a federal crime to knowingly publish or threaten to publish nonconsensual intimate images, including AI-generated images. Platform removal obligations (48-hour takedown requirement) took effect on May 19, 2026, with FTC enforcement authority and potential civil penalties of $53,088 per violation.
HIPAA
The Health Insurance Portability and Accountability Act governs protected health information held by covered entities (hospitals, doctors, insurers) and their business associates. HIPAA-regulated entities are exempt from the CTDPA, but their HIPAA obligations remain in force.
GLBA
The Gramm-Leach-Bliley Act imposes privacy and security obligations on financial institutions. The CTDPA excludes GLBA-regulated data (at the data level under the 2025 amendments), but the GLBA itself continues to apply.
FCRA
The Fair Credit Reporting Act governs consumer reporting agencies and the use of consumer credit information. FCRA-regulated data is excluded from the CTDPA.
COPPA
The Children's Online Privacy Protection Act governs online collection of personal data from children under 13. COPPA consent requirements apply in addition to the CTDPA's sensitive data protections for children.
FTC Act Section 5
The Federal Trade Commission has broad authority to pursue unfair or deceptive data practices under Section 5 of the FTC Act regardless of whether a state privacy law applies. Failure to honor stated privacy policies, misleading data security claims, and deceptive consent practices can all trigger FTC enforcement.
APRA Status
The American Privacy Rights Act (APRA), a federal comprehensive privacy bill, passed committee in 2024 but did not become law. APRA 2.0 was introduced in 2025. As of May 2026, no federal comprehensive privacy law has been enacted. Connecticut residents remain covered by the CTDPA and federal sectoral laws.
How Connecticut Residents Exercise Their Rights
To submit a privacy rights request to a covered business under the CTDPA, Connecticut residents should:
- Locate the business's privacy notice, which must be clearly accessible and describe how to submit a rights request.
- Submit a request through the mechanism the business provides, typically an online form, email address, or toll-free phone number.
- Expect a response within 45 days. The business may extend by another 45 days with notice.
- If the request is denied, submit an appeal within the time frame stated in the business's denial notice. The business must respond to the appeal within 60 days.
- If the appeal is denied, the business must provide information on how to file a complaint with the Connecticut Attorney General's Privacy and Data Security Department.
To opt out of data sales and targeted advertising using Global Privacy Control, consumers can enable GPC in a compatible browser or browser extension such as Privacy Badger, Brave, or DuckDuckGo Privacy Browser. As of January 1, 2025, businesses covered by the CTDPA must treat that signal as a valid opt-out request.
To report a data breach that affected your personal information, contact the Connecticut Attorney General's Office or use the online breach report form.
How Connecticut Compares to Other State Privacy Laws
Connecticut's CTDPA stands out among state privacy laws for several reasons:
- No revenue threshold: Unlike California (CCPA) and Utah (UCPA), there is no revenue requirement for the law to apply
- Universal opt-out signals: Connecticut was among the first states to mandate that businesses honor Global Privacy Control and similar mechanisms
- Strong minor protections: The categorical ban on processing minors' data for advertising or sale, regardless of consent, goes further than most state laws
- Proactive enforcement: The AG's office issued dozens of notices and completed the first monetary settlement within two years of the law's effective date, and participated in multi-state GPC enforcement
- Frequent amendments: Connecticut has amended the CTDPA three times in four years, most recently by Public Act 26-64 (SB 4), effective October 1, 2026
- Neural data protections: Connecticut is among a small number of states to include neural data in its sensitive data definition
- Anti-dark pattern provisions: The CTDPA explicitly prohibits the use of dark patterns to obtain consumer consent
Compliance Steps for Businesses
Businesses subject to the CTDPA should take the following steps:
- Determine applicability: Check whether your business meets the current 100,000-consumer threshold or the 25,000-consumer plus 25%-revenue threshold. Prepare for the 35,000-consumer threshold effective July 1, 2026.
- Update privacy notices: Ensure your privacy notice describes all required categories, discloses purposes of processing, and includes opt-out mechanisms.
- Honor GPC signals: Implement technical infrastructure to detect and process Global Privacy Control signals as opt-out requests for Connecticut residents.
- Build rights-request workflows: Establish processes to receive, verify, and respond to access, correction, deletion, portability, and opt-out requests within 45 days, and to appeals within 60 days.
- Conduct data protection assessments: Document assessments for targeted advertising, data sales, sensitive data processing, and profiling activities.
- Prepare for July 1, 2026: If you process sensitive data or sell personal data in any volume, you will become covered regardless of consumer count. Update contracts with processors, extend impact assessment programs to profiling activities, and add LLM training disclosures.
- Comply with Insurance Data Security Law: If your business holds a Connecticut insurance license, maintain a written information security program and comply with the three-business-day notification requirement for cybersecurity events.