CTDPA Consumer Rights: Exercise Your Connecticut Privacy Rights

Under Conn. Gen. Stat. § 42-518, Connecticut residents hold five enforceable privacy rights against companies that collect their data. This page explains each right, the exact steps to exercise it, how to use Global Privacy Control, and how to escalate if a company ignores or denies your request.

Connecticut's Data Privacy Act applies to any covered controller that processes your personal data. If you want a broader overview of how the law works and who it covers, start with what the CTDPA is and who it covers. For the main Connecticut Data Privacy Act (CTDPA) hub, see the parent page.

Your Five CTDPA Privacy Rights at a Glance

Connecticut's Data Privacy Act grants residents five enumerated rights under Conn. Gen. Stat. § 42-518(a). Every covered controller must honor these rights on request.

1. Right to access and confirm processing. You can ask any covered company to confirm whether it holds personal data about you and, if so, to provide you a copy. This covers both the confirmation (does the company have your data?) and the access right (show me what you have).

2. Right to correction. You can require a company to correct inaccuracies in personal data it holds about you, taking into account the nature of the data and the purposes of processing. This matters most for financial profiles, health-related records, and contact information used for decisions.

3. Right to deletion. You can demand removal of personal data the company collected from you or obtained about you from third parties. This is the broadest erasure right the CTDPA provides. Deletion is not absolute; companies may retain data to complete a transaction, comply with a legal obligation, or carry out certain security or research functions, and they must tell you which exemption applies if they refuse.

4. Right to data portability. You can receive a copy of your personal data in a portable, readily usable format that allows you to transmit it to another service where technically feasible.

5. Right to opt out. You can opt out of three distinct uses of your data: (a) the sale of your personal data to third parties; (b) processing for targeted advertising, meaning ads selected for you based on your activity across unrelated websites, apps, or services; and (c) profiling in furtherance of decisions that produce legal or similarly significant effects on you, such as decisions affecting credit, insurance, employment, housing, or access to essential services.

These rights apply only against controllers that meet the CTDPA's size thresholds under Conn. Gen. Stat. § 42-516. A company must either process the personal data of at least 100,000 Connecticut consumers per year, or process the personal data of at least 25,000 consumers while deriving more than 25 percent of gross revenue from selling personal data. Smaller businesses below both thresholds are not subject to the CTDPA's consumer-rights requirements.

How to Submit a CTDPA Rights Request

Every covered controller is required by Conn. Gen. Stat. § 42-520(b) to maintain a privacy notice that clearly describes how consumers may exercise their rights and to provide at least one secure, reliable submission channel. In practice, most companies offer an online privacy portal, a dedicated email address, or a toll-free number.

Step-by-step process:

1. Find the company's privacy policy or look for a link in its website footer labeled "Privacy Rights," "Consumer Request," "Do Not Sell My Data," or "Your Privacy Choices."
2. Select the right you want to exercise: access, correction, deletion, portability, or opt-out.
3. Provide enough identifying information for the company to authenticate you. This typically means your name, the email address on file with your account, and possibly answers to security questions.
4. Submit your request and save confirmation, whether a screenshot or a confirmation email, so you have a record of the submission date.
5. The 45-day response window starts from the date the company receives your authenticated request.

Under Conn. Gen. Stat. § 42-518(b), companies must respond without undue delay and in all cases within 45 days of receipt. If the company needs more time, it may extend the deadline once by an additional 45 days, giving a maximum response window of 90 days. When a company extends, it must notify you within the initial 45-day window and explain the reason for the extension.

Your first request in any 12-month period must be fulfilled free of charge. If your requests become manifestly unfounded, excessive, or repetitive, the company may charge a reasonable administrative fee or decline to act on them under § 42-518(b).

If the company cannot authenticate your identity using commercially reasonable efforts, it is not required to comply, but it may request additional information from you necessary to authenticate the request rather than simply refusing outright. You are not required to provide information beyond what is reasonably necessary for authentication.

Using Global Privacy Control (GPC) to Opt Out Automatically

Since January 1, 2025, every CTDPA-covered controller must honor opt-out preference signals sent by Connecticut consumers under Conn. Gen. Stat. § 42-519. The Global Privacy Control is the leading implementation of this requirement.

GPC is a browser-level signal that automatically tells every website you visit that you do not consent to the sale of your personal data or its use for targeted advertising. Instead of clicking through an opt-out form on each company's website, you activate GPC once in your browser and it broadcasts your preference to every covered site you visit going forward.

How to activate GPC:

• Use a privacy-focused browser that has GPC built in, such as Brave or DuckDuckGo Browser.
• Install a GPC-compatible browser extension in Chrome, Firefox, or another browser.
• A list of compatible browsers and extensions is available at globalprivacycontrol.org, referenced directly by Connecticut Attorney General Tong in his December 30, 2024 consumer advisory.

Once activated, covered controllers must treat a valid GPC signal as a request to opt out of both the sale of your personal data and processing for targeted advertising. Critically, companies must honor a GPC signal even if it conflicts with a prior opt-in preference you gave or with participation in a loyalty program. If you previously opted in to data sharing as part of a rewards program, a GPC signal overrides that prior consent.

As of late 2024, more than 40 million users globally were already using GPC. As AG Tong noted in his advisory: "We're all familiar now with the 'ask site not to track' pop-ups. Starting January 1, you can install a simple browser extension to answer that question once and for all, and sites you visit will be responsible for knowing and following your preference."

Under Conn. Gen. Stat. § 42-519, you may also designate an authorized agent to submit opt-out requests on your behalf. The authorization can be made through a browser setting, browser extension, global device setting, or other technology. The controller must comply if it can verify your identity and the agent's authority using commercially reasonable effort.

Appealing a Denial and Filing a Complaint with the Connecticut AG

If a controller refuses to act on your rights request, Connecticut law gives you two escalation steps.

Step 1: Internal appeal. Under Conn. Gen. Stat. § 42-518(c), every covered controller must establish a conspicuous process for consumers to appeal refusals. Submit your appeal through whatever channel the company designates, typically the same privacy portal used for your initial request or a dedicated appeal email. There is no required form; clearly state that you are appealing the denial, identify your original request by type and date, and explain why you believe the refusal was improper.

The company has 60 days after receipt of your appeal to respond to you in writing, stating the action it took or the reasons it declined to act. Note the different timelines: 45 days for initial requests, 60 days for appeals.

Step 2: Connecticut Attorney General complaint. If the company denies your appeal, the law requires it to give you information describing how to contact the Connecticut Attorney General to file a complaint. File your CTDPA complaint at portal.ct.gov/ag/common/complaint-form-landing-page. Select "Consumer Data Privacy" from the subject dropdown on the AG's e-complaint form.

When filing, include the company's name, the date you submitted your original request, the date you received the denial, the date you submitted your appeal, the date you received the appeal denial, and copies of any written correspondence. The more documentation you provide, the stronger your complaint file.

The Connecticut AG has exclusive enforcement authority over the CTDPA under Conn. Gen. Stat. § 42-524. There is no private right of action, meaning you cannot sue a company directly for a CTDPA violation. The original CTDPA included a 60-day right-to-cure period that allowed the AG to give controllers an opportunity to fix violations before filing suit, but that cure period sunsetted on December 31, 2024. For violations occurring after that date, the AG may bring a civil action without first offering a cure window.

The AG's enforcement posture is serious. In the first CTDPA enforcement action, announced July 8, 2025, TicketNetwork, Inc. paid $85,000 and entered a consent decree after the AG found that its privacy notice was "largely unreadable, missing key data rights, and contained rights mechanisms that were misconfigured or inoperable." The AG had issued a 60-day cure notice in November 2023; TicketNetwork failed to cure within the window.

Sensitive Data Opt-In Consent and Protections for Minors

For certain categories of data and certain consumers, the CTDPA's default flips from opt-out to opt-in. The company must obtain your affirmative consent before processing can begin at all.

Sensitive data categories requiring opt-in consent. Under Conn. Gen. Stat. § 42-520(a)(4), a controller may not process sensitive data without first obtaining the consumer's consent. Sensitive data categories under the CTDPA include:

• Data revealing racial or ethnic origin
• Religious beliefs
• Mental or physical health conditions or diagnoses
• Sexual orientation or sexual activity
• Citizenship or immigration status
• Consumer health data as defined by Connecticut law
• Genetic data
• Biometric data processed to uniquely identify an individual (for more on this category, see biometric data protections in Connecticut)
• Precise geolocation data
• Personal data of a known child under 13

For personal data of a known child under 13, the controller must comply with the Children's Online Privacy Protection Act (COPPA) verifiable parental consent requirement rather than the CTDPA's standard consumer-consent mechanism. Parents may submit rights requests on behalf of their minor children.

Current protections for teens aged 13 to 15. Under Conn. Gen. Stat. § 42-520(a)(5) as amended by Public Act 23-56 (effective October 1, 2024), where a controller has actual knowledge, or willfully disregards, that a consumer is between 13 and 15 years of age, the controller may not process that consumer's personal data for targeted advertising or sell it without first obtaining the consumer's opt-in consent. This is an opt-in requirement, not an opt-out: the company must get affirmative agreement before processing, not merely stop if asked.

Upcoming expansion effective July 1, 2026. Public Act 25-113 (SB 1295, 2025 Regular Session) significantly expands protections for young people and takes effect July 1, 2026. Once in force, it will categorically prohibit processing the personal data of any consumer under 18 for targeted advertising or the sale of personal data, with no consent exception. Unlike the current 13-to-15 rule (which can be overridden by opt-in consent), the blanket under-18 prohibition will be absolute. The same act will also prohibit design features intended to significantly increase, sustain, or extend a minor's use of an online service without consent and will require controllers to apply default-privacy settings for minors. This provision is not yet in effect as of June 2026.

Non-Discrimination: Exercising Rights Without Penalty

Under Conn. Gen. Stat. § 42-520(a)(7), a controller must not discriminate against you for exercising any right under the CTDPA. The prohibition covers three specific forms of retaliation:

• Denying goods or services because you submitted a privacy request or opted out
• Charging different prices or rates solely because you exercised a right
• Providing a different level or quality of goods or services because you asked for your data, requested deletion, or opted out of data sales

In practical terms: a company cannot refuse to sell you a product, raise your price, or downgrade your subscription because you sent a deletion request or activated Global Privacy Control. The CTDPA's non-discrimination protection mirrors the approach taken in CCPA opt-out rights in California and Virginia's VCDPA consumer rights.

The prohibition does not prevent controllers from offering voluntary loyalty programs or financial incentives tied to data sharing. A retailer may offer discounts in exchange for agreeing to certain data uses, but participation in such programs must be genuinely voluntary, the differential treatment must be proportionate, and it must be clearly disclosed upfront. You cannot be penalized for declining to participate.

If you believe a company has penalized you for exercising a CTDPA right, document the conduct (screenshots of pricing changes, denial of access, downgraded service tier) and include it in your AG complaint.

Related guides

• What Is the CTDPA? Connecticut Data Privacy Act Explained
• CTDPA Compliance Checklist for Businesses (2026)
• Connecticut Data Privacy Laws: CTDPA Consumer Rights Guide (2026)
• Connecticut Biometric Privacy Laws: Collection, Consent & Penalties (2026)
• US State Privacy Laws Comparison Chart (2026)

Sources