CTDPA Compliance Checklist for Businesses (2026)

If your business operates in Connecticut or targets Connecticut residents, the Connecticut Data Privacy Act (CTDPA), Conn. Gen. Stat. sections 42-515 through 42-525, may require immediate compliance action. The mandatory 60-day cure period expired December 31, 2024, which means the Attorney General can now proceed directly to a civil enforcement action carrying up to $5,000 per willful violation. This checklist walks through every step: the applicability self-test, entity and data exemptions, privacy notice requirements, sensitive data consent, the universal opt-out obligation in effect since January 1, 2025, data protection assessments, processor contracts, and the enforcement lessons from Connecticut's first CTDPA settlement.
For a plain-language overview of what the CTDPA requires, see the companion explainer. For the full breakdown of each consumer right and the 45-day response timeline, see consumer rights under the CTDPA.
Step 1: Run the Applicability Self-Test
Your business is a covered controller under the CTDPA if it conducts business in Connecticut or produces products or services targeted to Connecticut residents, AND during the preceding calendar year it cleared either of two numerical thresholds.
Through June 30, 2026, the two triggers are: (1) processing personal data of at least 100,000 Connecticut consumers, excluding personal data processed solely to complete a payment transaction; or (2) processing personal data of at least 25,000 consumers while deriving more than 25 percent of gross revenue from selling personal data. Conn. Gen. Stat. section 42-516(a)(1)-(2). Connecticut's 25 percent revenue threshold is notably stricter than Virginia's 50 percent equivalent and will catch data brokers and ad-tech companies that might slip past other state laws.
Starting July 1, 2026, Public Act 25-113 substantially lowers and restructures these triggers. Three independent thresholds replace the original two: processing data of at least 35,000 Connecticut consumers; OR processing any sensitive data regardless of consumer volume; OR offering any personal data for sale at all, regardless of volume. Conn. Gen. Stat. section 42-516 as amended. The revenue-percentage trigger disappears entirely.
There is a fourth coverage pathway that has no volume threshold at all: Consumer Health Data Controllers that conduct business in Connecticut are covered by the CTDPA's health-data provisions regardless of how many consumers they serve. Conn. Gen. Stat. sections 42-516 and 42-526.
Key questions to ask
- How many unique Connecticut residents appear across all your products, services, and website sessions during the calendar year?
- Do you sell personal data to third parties? If so, what percentage of gross revenue does that represent?
- Do you process any sensitive data categories (health conditions, biometrics, geolocation, children's data)?
- Do you handle consumer health data in any form?
If the honest answers put you at or above either current threshold, proceed through all remaining steps. If you fall below the current thresholds today, recheck after July 1, 2026, because the 35,000-consumer bar and the any-sensitive-data trigger will sweep in substantially more businesses.
Step 2: Confirm Whether an Entity or Data Exemption Applies
Even if your business clears the numerical threshold, six entity classes are entirely exempt from the CTDPA under Conn. Gen. Stat. section 42-517(a): (1) state and local government bodies; (2) nonprofit organizations, with an important health-data carveout discussed below; (3) institutions of higher education; (4) national securities associations registered under the Securities Exchange Act; (5) financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act; and (6) HIPAA-covered entities and their business associates as defined in 45 C.F.R. section 160.103.
The nonprofit exemption contains a meaningful limit. A nonprofit that qualifies as a Consumer Health Data Controller under section 42-526 does not get the entity-level pass for its health data operations. Nonprofits operating wellness programs, health screenings, or similar services need to check whether that carveout applies to them.
Separate from entity exemptions, section 42-517(b) carves out specific categories of data regardless of who holds them: HIPAA protected health information; patient-identifying substance-use records under 42 U.S.C. section 290dd-2; consumer credit information regulated by the Fair Credit Reporting Act; personal data subject to FERPA; and personal data processed in the employment context between a business and its own employees or job applicants.
How to apply the dual check
The entity exemption and the data exemption are independent tracks. A HIPAA-covered hospital is entity-exempt across the board. A technology company that is not HIPAA-covered may still hold some HIPAA-regulated data if it acts as a business associate, and that data stream is data-exempt even though the company is not entity-exempt.
For each data stream you process, ask (a) does an entity exemption cover the whole organization for all operations? and (b) even if the organization is covered, does a data-category exemption remove this specific data type from the CTDPA's reach? Only after clearing both questions should you treat a processing activity as subject to CTDPA obligations.
Step 3: Audit Your Privacy Notice
The CTDPA requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice. Conn. Gen. Stat. section 42-520(b). Six elements are mandatory in every covered privacy notice:
- The categories of personal data the controller processes.
- The purposes of processing for each category.
- How consumers may exercise their five rights and, importantly, how to appeal a denial of those rights.
- The categories of personal data the controller shares with third parties.
- The categories of third parties with whom data is shared.
- An active email address or other online contact mechanism the consumer can use to reach the controller.
Starting July 1, 2026, a seventh mandatory element takes effect: a clear and conspicuous statement disclosing whether the controller collects, uses, or sells personal data for the purpose of training large language models, whether that training occurs internally or through a third-party vendor. Conn. Gen. Stat. section 42-520 as amended by Public Act 25-113. This LLM disclosure obligation is unique among state privacy laws currently in force and will require an update to any privacy notice used for AI or machine learning operations.
Privacy notice audit checklist
| Required element | Current law (through June 30, 2026) | Required as of July 1, 2026 |
|---|---|---|
| Categories of personal data processed | Yes | Yes |
| Purposes of processing | Yes | Yes |
| How consumers exercise rights + how to appeal | Yes | Yes |
| Categories of data shared with third parties | Yes | Yes |
| Categories of third parties | Yes | Yes |
| Active contact mechanism | Yes | Yes |
| LLM training disclosure | No | Yes |
Review each row against your current privacy notice. The TicketNetwork enforcement action arose directly from a privacy notice the AG described as "largely unreadable, missing key data rights, and containing rights mechanisms that were misconfigured or inoperable." Functional mechanics matter as much as notice text: if the email link bounces or the opt-out button does nothing, the notice fails even if the language is technically complete.
Step 4: Implement Data Minimization and Security Safeguards
Two foundational controller duties apply across all covered processing. First, controllers must limit personal data collection to what is adequate, relevant, and reasonably necessary in relation to the purposes for which data is processed, as those purposes were disclosed to the consumer. Conn. Gen. Stat. section 42-520(a)(1). You cannot collect more than your disclosed use requires, and you cannot repurpose data for incompatible uses without obtaining new consent.
Second, controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data processed. Conn. Gen. Stat. section 42-520(a)(3). The standard is calibrated to scale: a business processing 5 million sensitive records faces a higher burden than one processing 110,000 basic contact records. A further duty is often overlooked: controllers may not process personal data in violation of state or federal laws prohibiting unlawful discrimination against consumers. Conn. Gen. Stat. section 42-520(a)(4).
Practical steps
- Map all personal data flows: what you collect, where it is stored, who can access it, and how long you retain it.
- Compare collection scope against the disclosed purposes in your current privacy notice and close any gap.
- Review your security program against the volume and sensitivity of data you hold and document the review.
- Confirm that no automated profiling or scoring system produces outputs that could constitute unlawful disparate impact based on protected characteristics.
- Establish a data retention schedule and enforce deletion once data is no longer necessary for the disclosed purpose.
Step 5: Map Sensitive Data and Obtain Opt-In Consent
The CTDPA's most critical departure from an opt-out framework is the requirement for affirmative opt-IN consent before processing sensitive data. This consent must be obtained before processing begins. Conn. Gen. Stat. section 42-520(a)(5).
Through June 30, 2026, the statutory sensitive data categories are: data revealing racial or ethnic origin; religious beliefs; mental or physical health conditions; sexual orientation; citizenship or immigration status; genetic data or biometric data processed for the purpose of uniquely identifying an individual; personal data collected from a known child; and precise geolocation data defined as a radius of 1,750 feet or less. Conn. Gen. Stat. section 42-515.
Effective July 1, 2026, Public Act 25-113 expands the sensitive data definition to add: data revealing mental or physical disability or treatment (distinct from the "mental or physical health conditions" category already in the original statute); transgender or nonbinary status; information derived from genetic or biometric data; neural data (information generated by measuring activity of an individual's central nervous system); financial account information including account numbers, card numbers, and log-in credentials that would enable access to a financial account; and government-issued identification numbers including Social Security numbers, driver's licenses, and passports. Conn. Gen. Stat. section 42-515 as amended. The addition of government ID numbers and financial account information is a significant practical expansion: any system that stores SSNs, financial account numbers, or account credentials for any non-exempt purpose becomes a sensitive data operation requiring opt-in consent after July 1, 2026.
Steps for sensitive data compliance
Go through each sensitive category and ask whether any of your products, analytics tools, advertising platforms, health questionnaires, or user profiles touch that category. A wellness app logging mental health symptoms, a retail loyalty program collecting precise GPS coordinates, and any system storing SSNs or financial account numbers all involve sensitive data.
For each sensitive data stream you identify, you need a granular, informed opt-in mechanism that: (1) clearly describes what sensitive data is being collected; (2) explains the purpose; and (3) provides a genuine choice to decline without losing the core service where possible. Pre-checked boxes, bundled consent, and retroactive opt-in screens do not meet the affirmative consent standard.
Step 6: Honor the Universal Opt-Out Preference Signal
Since January 1, 2025, every controller subject to the CTDPA must recognize opt-out preference signals (OOPS) sent through privacy-protective browsers or extensions, treating those signals as consumer requests to opt out of the sale of personal data and targeted advertising. Conn. Gen. Stat. section 42-520(c). The Global Privacy Control (GPC) is the primary standardized signal in current use.
The OOPS obligation adds a meaningful technical layer on top of the manual opt-out mechanisms most businesses already maintain. Unlike a form submission, the GPC fires silently and automatically as a consumer browses. Businesses must build or configure server-side or client-side logic that detects the signal and suppresses sale and targeted advertising data flows for that session. The signal must originate from a platform that enables you to verify the consumer is a Connecticut resident.
If a consumer's opt-out preference signal conflicts with a privacy choice they previously expressed, or with their voluntary participation in a loyalty rewards or discount program, you must still honor the signal. You may, however, notify the consumer of the conflict and ask them to confirm their choice with the understanding that the confirmation could affect their prior preference or program participation. Conn. Gen. Stat. section 42-520(c); Connecticut AG guidance, December 19, 2024.
Implementation steps
- Confirm your consent management platform or tag management system can detect GPC header signals.
- Map which data flows and ad tech integrations constitute "sales" or "targeted advertising" under the CTDPA's definitions.
- Suppress those flows when a valid GPC signal is received from a session that can be attributed to a Connecticut resident.
- Document the technical implementation so you can demonstrate it to the AG upon request.
- Review the Connecticut AG's December 2024 opt-out guidance for the current list of approved signal formats.
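The detection-and-suppression logic described in this step, as an added example that is not code from the original checklist or from any consent management vendor. The "Sec-GPC: 1" request header and the navigator.globalPrivacyControl browser property come from the Global Privacy Control specification; the session fields, the residency values, and the conservative handling of unknown residency are assumptions made for this example.

```javascript
// Added example: a pure decision function that turns a Global Privacy Control
// (GPC) signal into the CTDPA opt-out outcome described in Step 6.
// Assumptions: the session shape below, the residency values "CT" | "other" |
// "unknown", and treating "unknown" as in scope (conservative, not statutory).

// Data flows that an opt-out preference signal switches off under the CTDPA.
const SUPPRESSED_FLOWS = Object.freeze(["sale_of_personal_data", "targeted_advertising"]);

// Detect the signal from either side.
//  - server side: the request header "Sec-GPC" with the exact value "1"
//  - client side: navigator.globalPrivacyControl === true
// Header names are case-insensitive, so normalise before looking them up.
function gpcSignalPresent({ headers = {}, navigatorGpc } = {}) {
  const normalised = Object.fromEntries(
    Object.entries(headers).map(([name, value]) => [name.toLowerCase(), value])
  );
  if ("sec-gpc" in normalised) {
    // Only the value "1" is a signal; "0" or anything else is not an opt-out.
    return String(normalised["sec-gpc"]).trim() === "1";
  }
  return navigatorGpc === true;
}

// Decide what the request handler must do for one session.
// `session` shape (assumed for this example):
//   residency:            "CT" | "other" | "unknown"
//   priorConsentToSale:   consumer earlier opted in to sales or targeted ads
//   loyaltyProgramMember: consumer voluntarily joined a rewards programme
//   conflictNoticeShown:  the conflict confirmation prompt was already shown
function evaluateOptOut(request, session) {
  const decision = { signal: false, suppress: [], notifyConflict: false, reason: "" };

  decision.signal = gpcSignalPresent(request);
  if (!decision.signal) {
    decision.reason = "no opt-out preference signal on this request";
    return decision;
  }

  // The CTDPA duty attaches to Connecticut residents. "unknown" is honoured
  // here as a conservative default; only a known non-resident is skipped.
  if (session.residency === "other") {
    decision.reason = "signal received but session not attributable to a Connecticut resident";
    return decision;
  }

  // The signal is honoured even when it conflicts with an earlier choice or a
  // loyalty programme; the controller may only notify and ask for confirmation.
  decision.suppress = [...SUPPRESSED_FLOWS];
  const conflict = session.priorConsentToSale === true || session.loyaltyProgramMember === true;
  decision.notifyConflict = conflict && session.conflictNoticeShown !== true;
  decision.reason = conflict
    ? "signal honoured; conflicts with a prior choice or programme, consumer may be asked to confirm"
    : "signal honoured";
  return decision;
}

// Gate an outbound ad-tech or data-sale call on the decision.
function flowAllowed(decision, flow) {
  return !decision.suppress.includes(flow);
}

// One log line per request for the documentation duty in Step 6 (constructed format).
function auditRecord(decision, requestId) {
  return `${requestId} signal=${decision.signal} suppressed=[${decision.suppress.join(",")}] ` +
    `notify=${decision.notifyConflict} reason="${decision.reason}"`;
}

// Constructed sample requests: a server-side header, a browser property, and no signal.
const serverRequest = { headers: { "Sec-GPC": "1", Host: "shop.example" } };
const browserRequest = { navigatorGpc: true };
const plainRequest = { headers: { Host: "shop.example" } };
```

The same function serves a server middleware (pass the request headers) and a client-side tag manager (pass navigator.globalPrivacyControl), so both detection paths produce one auditable decision.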
Step 7: Conduct and Document Data Protection Assessments
Written data protection assessments (DPAs) are mandatory under Conn. Gen. Stat. section 42-522(a) for each processing activity presenting a heightened risk of consumer harm. Four processing categories trigger mandatory assessments:
- Processing personal data for targeted advertising.
- Selling personal data.
- Processing personal data for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, unlawful disparate impact, financial or physical injury, or intrusions on the privacy of consumers.
- Processing sensitive data.
Each assessment must document the benefits of the processing activity, the potential risks to consumer rights and interests, and the safeguards deployed to mitigate those risks. The analysis requires a genuine weighing of benefits against residual consumer harm, not a box-checking exercise.
Starting August 1, 2026, a separate mandatory profiling impact assessment requirement takes effect under Public Act 25-113 for controllers that conduct profiling for the purpose of making decisions producing any legal or similarly significant effect on consumers. Conn. Gen. Stat. section 42-522 as amended. This assessment must document: the purposes and intended uses of the profiling; the categories of data involved; expected benefits; risk mitigation measures; the transparency approach taken; and post-deployment safeguards. The profiling impact assessment is distinct from and in addition to the general DPA.
The Attorney General may request completed data protection assessments via civil investigative demand as part of any CTDPA investigation. Conn. Gen. Stat. section 42-522(c). Importantly, assessments disclosed to the AG are confidential and not subject to public disclosure under Connecticut's Freedom of Information Act. Treat draft and final assessments as attorney-sensitive work product from the outset.
Scope and timing
One assessment may cover a comparable set of processing operations rather than requiring a separate document for every individual campaign. Assessments apply prospectively to new or materially modified processing activities. Keep completed assessments in a documented, retrievable system because a civil investigative demand may arrive with a short production deadline.
Step 8: Execute Written Processor Contracts
Every vendor or service provider that processes personal data on your behalf must be governed by a binding written contract before processing begins. Conn. Gen. Stat. section 42-521. The contract must specify: the instructions for processing, the nature and purpose of processing, the type of personal data involved, and the duration of processing. These four elements define the scope of the processor's authorized activity.
Beyond scope, the contract must obligate the processor to fulfill six categories of duties:
- Maintain confidentiality: All personnel who handle personal data must be bound by confidentiality obligations.
- Delete or return data: At the controller's request or on contract termination, the processor must delete or return all personal data unless retention is required by law.
- Make compliance information available: The processor must provide information reasonably necessary for the controller to demonstrate CTDPA compliance.
- Cooperate with audits: The processor must submit to and cooperate with reasonable audits or independent assessments at the controller's direction.
- Flow down to sub-processors: Any sub-processor engaged by the processor must be covered by a written contract meeting equivalent obligations.
- Notify of instructions violations: If the processor determines that a controller's processing instruction violates the CTDPA, it must inform the controller.
Vendor inventory steps
Before drafting or updating contracts, build a complete vendor inventory. List every third party that touches personal data you control: cloud infrastructure providers, analytics vendors, marketing platforms, payment processors, customer relationship management tools, and any software-as-a-service platform that ingests data from your systems. Each relationship is either a processor (acting under your instructions) or a third-party controller (with its own data-use purposes). The distinction determines whether a data processing agreement or a data-sharing agreement is the correct instrument.
Step 9: Implement Consumer Rights Request Workflows
Connecticut consumers have five enforceable rights under Conn. Gen. Stat. section 42-519: (1) access: confirm whether their personal data is processed and obtain a copy; (2) correction: correct inaccuracies in their data; (3) deletion: request deletion of their personal data, including data obtained through third parties; (4) portability: receive data in a portable, readily usable format; (5) opt-out: of targeted advertising, personal data sales, and certain profiling that produces legal or similarly significant effects.
Controllers must respond to authenticated requests within 45 days of receipt. A single extension of up to 45 additional days is permitted when reasonably necessary, provided the controller notifies the consumer of the extension within the initial 45-day window.
If you deny a request, you must inform the consumer of the reason and provide an appeal mechanism. Controllers then have 60 days to respond to appeals. If the appeal is denied, you must provide the consumer with information about how to submit a complaint to the Attorney General. This two-tier appeal chain must be described in your privacy notice under the "how to exercise rights" section.
For a detailed walkthrough of each right, request authentication requirements, and response templates, see consumer rights under the CTDPA.
Step 10: Apply Heightened Protections for Minors' Data
Under current law through June 30, 2026, controllers may not process the personal data of a consumer they have actual knowledge is between 13 and 15 years old for targeted advertising or data sales without that consumer's affirmative opt-in consent. Parental consent under COPPA applies separately for children under 13.
Effective July 1, 2026, Public Act 25-113 eliminates the consent option for the 13-to-17 age bracket entirely. Targeted advertising and personal data sales directed at consumers the controller knows, or willfully disregards, are under 18 become an outright prohibition regardless of consent. Conn. Gen. Stat. section 42-520 as amended. No parental or user consent can authorize the practice after that date.
This change requires a compliance review of any product, website, or service that has a youth audience or that a reasonable observer would expect to attract users under 18. The "willful disregard" standard means a controller cannot avoid the rule simply by declining to verify ages. Businesses operating platforms that are generally marketed to adults but that in practice attract teenage users should assess their targeted advertising and data sale practices now.
Step 11: Understand Enforcement: No Cure Period, $5,000 Per Violation, No Private Suit
The CTDPA is enforced exclusively by the Connecticut Attorney General under the Connecticut Unfair Trade Practices Act (CUTPA), Conn. Gen. Stat. section 42-110b et seq. There is no private right of action. Individual consumers and class action plaintiffs cannot sue your company for CTDPA violations. Conn. Gen. Stat. section 42-524.
Penalties for willful violations can reach $5,000 per violation, plus injunctive relief, restitution, and disgorgement. The per-violation structure is significant: a single marketing campaign that processes sensitive data without opt-in consent for 50,000 Connecticut consumers does not produce just one violation; each affected consumer can count separately. Build compliance before you receive notice, not after.
The cure period is gone
The CTDPA originally provided a mandatory 60-day cure period: when the AG identified a curable violation, the controller had 60 days to remedy it before an enforcement action could proceed. That cure period expired by statute on December 31, 2024. Conn. Gen. Stat. section 42-524. Connecticut was the first state to sunset a comprehensive privacy law cure period. As of January 1, 2025, the AG has full discretion to proceed directly to litigation with no required waiting window.
The AG retains informal discretion to allow remediation time in appropriate cases, but businesses are no longer entitled to that opportunity. The AG's updated enforcement report indicates that covered entities receiving notice of a violation should assume the AG is prepared to file suit if remediation is not completed promptly.
Lessons from the first enforcement action
On July 8, 2025, the Connecticut AG announced a settlement with TicketNetwork, Inc. for $85,000, the first publicly resolved CTDPA enforcement action. The AG's findings are instructive. TicketNetwork's privacy notice was described as "largely unreadable, missing key data rights, and containing rights mechanisms that were misconfigured or inoperable." TicketNetwork had received a cure notice on November 9, 2023, failed to comply within the then-applicable cure period, and then repeatedly misrepresented its remediation progress to the AG's office.
The enforcement narrative identifies four practical priorities: the privacy notice must be readable by ordinary consumers; every right mechanism listed in the notice must actually function; when the AG contacts you, respond accurately; and do not treat a cure notice as an invitation to delay indefinitely. The cure period is now gone, and the first enforcement action shows the AG is prepared to use its enforcement authority.
Compliance program elements
- Designate an internal owner for CTDPA compliance with documented authority and budget.
- Maintain a compliance calendar: annual applicability threshold review (especially after July 1, 2026), privacy notice review including the new LLM and minors elements, DPA review for new processing activities, and vendor contract audit.
- Train staff who handle personal data on the sensitive data consent rules, the opt-out preference signal obligation, the consumer request workflows, and escalation procedures.
- Keep all DPAs, processor contracts, and consent records in a documented, retrievable system. If the AG sends a civil investigative demand, you will need to produce these on short notice.
- Test every consumer rights mechanism listed in your privacy notice at least quarterly. A broken opt-out link or unmonitored request inbox is independently enforceable.
For the full Connecticut data privacy law overview and how the CTDPA compares to other state privacy laws, see the parent page.
Related guides
- What Is the CTDPA? Connecticut Data Privacy Act Explained
- CTDPA Consumer Rights: Exercise Your Connecticut Privacy Rights
- Connecticut Data Privacy Laws: CTDPA Consumer Rights Guide (2026)
- Connecticut Biometric Privacy Laws: Collection, Consent & Penalties (2026)
- US State Privacy Laws Comparison Chart (2026)
Sources
- Conn. Gen. Stat. sections 42-515 through 42-525 (CTDPA, Chapter 743jj). https://www.cga.ct.gov/current/pub/chap_743jj.htm
- Public Act 22-15 (Original CTDPA, enacted May 10, 2022, effective July 1, 2023). https://www.cga.ct.gov/2022/act/pa/pdf/2022PA-00015-R00SB-00006-PA.pdf
- Public Act 23-56 (2023 CTDPA Amendments, consumer health data and child safety). https://www.cga.ct.gov/2023/act/Pa/pdf/2023PA-00056-R00SB-00003-PA.PDF
- Public Act 25-113 (SB 1295, signed June 25, 2025; expanded thresholds, LLM disclosure, minors' prohibition, sensitive data expansion, profiling assessments; most provisions effective July 1, 2026). https://www.cga.ct.gov/2025/ACT/PA/PDF/2025PA-00113-R00SB-01295-PA.PDF
- Connecticut Attorney General, The Connecticut Data Privacy Act (official guidance). https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act
- Connecticut AG, "Tong Advises Connecticut Consumers and Businesses of Opt Out Rights and Requirements" (Dec. 19, 2024). https://portal.ct.gov/ag/press-releases/2024-press-releases/tong-advises-connecticut-consumers-and-businesses-of-opt-out-rights-and-requirements
- Connecticut AG, "Attorney General Tong Announces Settlement with TicketNetwork" (July 8, 2025). https://portal.ct.gov/ag/press-releases/2025-press-releases/attorney-general-tong-announces-settlement-with-ticketnetwork
- Connecticut AG, "Attorney General Tong Releases Updated Report on Connecticut Data Privacy Act" (2026). https://portal.ct.gov/ag/press-releases/2026-press-releases/attorney-general-tong-releases-updated-report-on-connecticut-data-privacy-act