What Is the CTDPA? Connecticut Data Privacy Act Explained

The Connecticut Data Privacy Act (CTDPA), codified at Conn. Gen. Stat. §§ 42-515 through 42-525, took effect July 1, 2023, making Connecticut the fifth state to enact a comprehensive consumer data privacy law. Governor Ned Lamont signed Public Act 22-15 on May 10, 2022, and the law has since been expanded twice to become one of the most protective state privacy frameworks in the country.
As of 2026, the Connecticut Attorney General actively enforces the CTDPA and has resolved its first enforcement action under the law, issuing dozens of notices of violation and warning letters to covered businesses.
What the CTDPA is: statute, enactment, and background
The CTDPA is Connecticut's comprehensive consumer data privacy statute, codified at Conn. Gen. Stat. §§ 42-515 through 42-525 (Chapter 743jj). Governor Ned Lamont signed Senate Bill 6 as Public Act 22-15 on May 10, 2022, with a delayed effective date of July 1, 2023, giving businesses just over a year to prepare. The law's official title is "An Act Concerning Personal Data Privacy and Online Monitoring."
Connecticut was the fifth state to enact a law of this scope, joining California, Virginia, Colorado, and Utah. But the CTDPA moved quickly to distinguish itself from its predecessors. Its secondary applicability threshold uses a 25 percent gross revenue trigger rather than the 50 percent bar set by Virginia. It expressly covers Consumer Health Data Controllers regardless of size. And in 2025 Connecticut became one of the first states in the country to mandate that businesses honor Global Privacy Control signals sent from consumers' browsers.
The CTDPA uses a controller-processor framework borrowed from the EU's General Data Protection Regulation. Entities that determine the purpose and means of processing personal data are "controllers"; entities that process data on a controller's behalf are "processors." Controllers bear the primary compliance obligations, including privacy notice requirements, data minimization, data protection assessments for high-risk activities, and processor contracts that limit how data can be used downstream.
For the full compliance framework covering controller obligations, processor contracts, and enforcement history, see the Connecticut data privacy laws parent page.
Who the CTDPA covers: applicability thresholds and exemptions
The CTDPA reaches for-profit entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and meet either of two volume thresholds during the preceding calendar year.
Under Conn. Gen. Stat. § 42-516(a), a business is covered if it: (1) controlled or processed the personal data of at least 100,000 consumers (excluding data processed solely to complete a payment transaction and not retained for any other purpose), OR (2) controlled or processed the personal data of at least 25,000 consumers and derived more than 25 percent of gross revenue from the sale of personal data.
The 25 percent revenue threshold is one of the CTDPA's most important structural features. Virginia's VCDPA requires more than 50 percent of gross revenue from data sales before the lower consumer-count threshold kicks in. Connecticut's 25 percent bar means a business that derives even a quarter of its revenue from selling data is covered once it touches 25,000 Connecticut consumers, catching a wider range of data brokers, lead-generation firms, and ad-tech companies that might escape Virginia's narrower trigger.
One category of business is covered with no volume threshold at all. Consumer Health Data Controllers (those that alone or jointly with others determine the purpose and means of processing Consumer Health Data) are subject to the CTDPA regardless of how many consumers they serve. Consumer Health Data under the CTDPA includes data that controllers use to identify a consumer's physical or mental health condition or diagnosis, including gender-affirming care information and reproductive and sexual health information. A small health-tech startup that processes this type of data for even a handful of Connecticut residents is a covered controller.
The definition of "consumer" is also worth understanding carefully. The CTDPA defines "consumer" as a Connecticut resident acting only in an individual or household capacity. Employees, owners, directors, officers, and contractors are not "consumers" when their interactions with a controller occur solely within the context of their employment or business relationship. This employment exclusion applies to both sides of the relationship: a company's internal HR data about its own staff is not subject to CTDPA consumer rights.
The exemptions in Conn. Gen. Stat. § 42-516(b) are substantial, though one carries a significant carve-out:
- Nonprofit organizations (but this exemption does NOT apply if the nonprofit qualifies as a Consumer Health Data Controller)
- Institutions of higher education
- Financial institutions subject to the Gramm-Leach-Bliley Act
- HIPAA-covered entities and their business associates
- Government bodies
- Data already regulated by FERPA, the Fair Credit Reporting Act, and other specified federal statutes
The nonprofit carve-out from the exemption deserves emphasis. A nonprofit health organization that processes Consumer Health Data cannot claim the general nonprofit exemption and walk away from CTDPA compliance. The Consumer Health Data Controller classification overrides it.
The five consumer rights under the CTDPA
Connecticut residents can exercise five enumerated rights against covered controllers under Conn. Gen. Stat. § 42-516(c):
- Right to access. A consumer may confirm whether a controller is processing their personal data and request a copy of that data in a format the consumer can use.
- Right to correct. A consumer may require a controller to correct inaccurate personal data, taking into account the nature and purpose of the processing.
- Right to delete. A consumer may request deletion of personal data, including data the controller collected from third-party sources about that consumer, not only data the consumer provided directly.
- Right to portability. A consumer may obtain a copy of their personal data in a portable, readily usable format that allows transfer to another controller or service.
- Right to opt out. A consumer may opt out of processing for three specific purposes: targeted advertising, the sale of personal data, and profiling that produces a legal or similarly significant effect on the consumer.
Controllers must respond to a rights request within 45 days of receipt. They may extend that period by one additional 45-day window when reasonably necessary, but only if they notify the consumer within the initial 45-day period. The outer limit on response time with a valid extension is therefore 90 days.
Controllers that deny a request must inform the consumer of the denial and provide a way to appeal. After receiving an appeal, the controller has 60 days to respond in writing, explaining what actions it took or declined to take and the reasons. If the appeal is denied, the controller must also provide the consumer with information or a mechanism to contact the Attorney General to file a complaint.
For a detailed breakdown of how Connecticut residents can submit access, correction, deletion, and opt-out requests, see the Connecticut data privacy laws parent page.
Sensitive data and the opt-in consent requirement
One of the CTDPA's most protective features is its affirmative opt-in consent requirement for sensitive personal data. Before a controller may process any category of sensitive data, it must first obtain the consumer's affirmative consent. This is a prior, active agreement, not a default-on setting with an opt-out link that consumers must find and click.
Sensitive data categories under Conn. Gen. Stat. § 42-515 include:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnoses, sexual orientation, citizenship or immigration status
- Genetic or biometric data processed to uniquely identify an individual
- Precise geolocation data
- Consumer Health Data, including gender-affirming and reproductive health information
- Personal data collected from a known child
The opt-in standard for sensitive data puts the CTDPA roughly on par with Virginia's VCDPA and makes it meaningfully stricter than California's CCPA and CPRA. California requires businesses to provide a "Limit the Use of My Sensitive Personal Information" link and honor opt-out requests, a model that defaults to processing unless the consumer acts. Connecticut's model defaults to no processing until the consumer actively consents.
For children's data, the CTDPA layers in an additional requirement beyond the general sensitive-data opt-in. Consumers under 16 require affirmative opt-in consent before their personal data can be sold or processed for targeted advertising, regardless of whether the data in question falls into a sensitive category. This heightened standard for the under-16 population was part of the original PA 22-15 and predates the additional minors-protection amendments discussed in the next section.
Universal opt-out signals: required since January 1, 2025
The CTDPA's universal opt-out mandate stands out as one of its most consumer-forward provisions. Effective January 1, 2025, all businesses covered by the CTDPA must honor opt-out preference signals (OOPS), such as the Global Privacy Control (GPC), transmitted through a consumer's privacy-protective browser or browser extension when those signals can accurately identify a Connecticut resident.
The GPC is an open technical standard supported by browsers including Firefox, Brave, and DuckDuckGo, and by browser extensions. When a Connecticut resident activates GPC in their browser, every covered business must treat the signal as a binding opt-out request for both targeted advertising and the sale of personal data. Controllers cannot require the consumer to create an account or provide additional information before honoring the signal.
The Attorney General's press release on January 29, 2025, stated plainly: "All businesses covered by the CTDPA must respond to a consumer's OOPS." The AG also clarified that controllers cannot override the signal simply because the consumer previously enrolled in a loyalty program or a discount arrangement. If a controller determines that honoring a GPC signal will conflict with an existing loyalty-program benefit, it may notify the consumer of the conflict and ask the consumer to confirm their opt-out choice, but the controller may not treat the loyalty enrollment as a prior waiver that automatically defeats the signal.
This mandate puts Connecticut in a small group of states that have moved beyond passive opt-out mechanisms to require active infrastructure for browser-level signals. Businesses that display opt-out links but have not implemented GPC recognition are not in compliance.
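As an added example (not code from the article or from any Connecticut agency), the following JavaScript shows the server-side signal recognition described above. The `Sec-GPC: 1` request header is the header defined by the Global Privacy Control specification; the consumer record fields, the decision object, and the sample requests are assumptions constructed for the example.

```javascript
// Server-side handling of a Global Privacy Control (GPC) signal under the
// CTDPA's universal opt-out mandate (effective January 1, 2025).
// Per the GPC specification, a browser sends the header "Sec-GPC: 1";
// any other value, or no header, means no signal was sent.

const OPT_OUT_PURPOSES = ["targeted_advertising", "sale_of_personal_data"];

// Header names are case-insensitive; only the exact value "1" is a signal.
function hasGpcSignal(headers) {
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "sec-gpc"
  );
  return entry !== undefined && String(entry[1]).trim() === "1";
}

// Decide what the controller must do for one request.
// `consumer` is an assumed record: { isConnecticutResident, optOuts (array),
// loyaltyEnrolled, confirmedOptOutDespiteLoyalty }.
function applyGpc(headers, consumer) {
  const decision = {
    signal: hasGpcSignal(headers),
    optOuts: new Set(consumer.optOuts ?? []),
    notifyLoyaltyConflict: false,
  };
  // The mandate applies when the signal can be tied to a Connecticut resident.
  if (!decision.signal || !consumer.isConnecticutResident) return decision;
  // Honor the signal for both purposes at once; the controller may not demand
  // an account or additional information before doing so.
  for (const purpose of OPT_OUT_PURPOSES) decision.optOuts.add(purpose);
  // Loyalty enrollment is not a prior waiver. If a benefit conflicts, the
  // controller may notify the consumer and ask them to confirm the opt-out,
  // but the opt-out remains in force while that confirmation is pending.
  if (consumer.loyaltyEnrolled && !consumer.confirmedOptOutDespiteLoyalty) {
    decision.notifyLoyaltyConflict = true;
  }
  return decision;
}

// Constructed sample requests (not real traffic) for a stand-alone run.
const SAMPLE_REQUESTS = [
  { headers: { "Sec-GPC": "1" }, consumer: { isConnecticutResident: true, loyaltyEnrolled: true } },
  { headers: { "sec-gpc": "1" }, consumer: { isConnecticutResident: true } },
  { headers: {}, consumer: { isConnecticutResident: true } },
  { headers: { "Sec-GPC": "1" }, consumer: { isConnecticutResident: false } },
];

// Count requests for which both opt-outs were recorded (2 of the 4 samples).
function honoredCount(requests = SAMPLE_REQUESTS) {
  return requests.filter(
    (r) => applyGpc(r.headers, r.consumer).optOuts.size === OPT_OUT_PURPOSES.length
  ).length;
}

console.log(`GPC honored on ${honoredCount()} of ${SAMPLE_REQUESTS.length} sample requests`);
```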
Minors protections: layered through 2024 and 2025 amendments
The CTDPA's protections for minors have been built up in two distinct legislative rounds, each adding meaningful obligations for businesses that serve younger users online.
Public Act 23-56 (effective October 1, 2024). SB 3 was signed in 2023 and took effect October 1, 2024. It represents the first major expansion of the CTDPA's minors-protection layer. Under PA 23-56, a controller that offers any online service, product, or feature to consumers it knows or willfully disregards to be minors must:
- Use reasonable care to avoid any heightened risk of harm to minors from the service
- Conduct data protection assessments for every such service or feature before deployment
- Refrain from using design features intended to sustain or increase a minor's engagement with the platform, unless parental consent has been obtained
- Provide a clearly visible, persistent signal to a minor whenever the controller collects precise geolocation data from them
The "willfully disregards" standard in PA 23-56 is broader than actual knowledge. A controller cannot avoid these obligations simply by claiming it did not know its service attracted minors: if the design or targeting of the service is such that a reasonable operator would know minors are present, the obligations apply.
Public Act 25-113 (signed June 25, 2025; CTDPA amendments effective July 1, 2026). SB 1295 significantly expanded the CTDPA's minors protections and made other sweeping changes to the law, most of which take effect July 1, 2026. The minors-specific additions from PA 25-113 include: a requirement that social media platform owners establish and maintain an online safety center and adopt and enforce a cyberbullying policy; a tightened definition of "heightened risk of harm to minors" to expressly include physical and mental health harms; and a default setting on any online service offered to minors that blocks adults from sending unsolicited direct communications to minors.
PA 23-56 is fully in force as of October 1, 2024. PA 25-113's CTDPA provisions are not yet effective as of mid-2026. For the full scope of PA 25-113 changes taking effect July 1, 2026, see the Upcoming Changes section below.
Enforcement: AG-exclusive, CUTPA, cure period sunset, up to $5,000 per violation
The CTDPA is enforced exclusively by the Connecticut Attorney General. Conn. Gen. Stat. § 42-524 provides that every CTDPA violation constitutes an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA), Conn. Gen. Stat. § 42-110b et seq. There is no private right of action for consumers under the CTDPA; individual Connecticut residents cannot bring a lawsuit against a business directly for violating their CTDPA rights.
The CUTPA enforcement mechanism matters for understanding the penalty exposure. CUTPA is Connecticut's general consumer protection statute, and the AG's enforcement toolkit under it is substantial. Under Conn. Gen. Stat. § 42-110o, CUTPA civil penalties can reach up to $5,000 per violation. Beyond penalties, the AG may seek injunctive relief, restitution to affected consumers, and disgorgement of ill-gotten revenues.
The cure period that operated during the law's first 18 months is worth understanding precisely, because it has changed. From July 1, 2023 through December 31, 2024, the CTDPA imposed a mandatory cure requirement: if the AG determined that a violation could be cured, the AG was required to issue a written notice of violation to the controller before commencing any enforcement action. The controller then had 60 days to cure the violation. If the controller cured and delivered a written statement of compliance within that period, no enforcement action could be brought for that specific violation.
That mandatory cure period expired on December 31, 2024. After that date, the AG has discretion to pursue enforcement directly without first offering a cure opportunity. The AG may choose to issue a warning or cure notice, but is no longer required to do so. This represents a meaningfully tougher enforcement posture: businesses that received warning letters in 2023 and 2024 while the mandatory cure period was in effect should not assume the same procedural protection applies to any future violation.
For a step-by-step guide to what businesses must do to achieve and document compliance, see the Connecticut data privacy laws parent page.
Upcoming changes: PA 25-113 amendments effective July 1, 2026
Governor Lamont signed Public Act 25-113 (SB 1295) on June 25, 2025. The statute's most significant CTDPA amendments take effect July 1, 2026. Businesses subject to the CTDPA now have a compliance deadline to prepare for these changes, which materially expand the law's scope.
Lowered applicability threshold. The primary threshold drops from 100,000 Connecticut consumers to 35,000. In addition, any entity that controls or processes the sensitive data of even a single Connecticut resident, or that sells personal data at any volume, will be covered regardless of consumer count. This dramatically expands the number of businesses subject to the CTDPA.
Under-18 categorical ban replacing the under-16 opt-in. The current requirement that controllers obtain opt-in consent before selling data or processing it for targeted advertising for consumers under 16 will be replaced with a categorical prohibition. After July 1, 2026, no consent can authorize those activities for consumers younger than 18. Controllers will not be able to use a parental opt-in to unlock data sales or targeted advertising for minors in the 16-to-17 age range.
Neural data and expanded sensitive categories. New sensitive data categories added by PA 25-113 include neural data, financial account numbers with access credentials, government-issued identification numbers, disability or treatment status, and transgender or nonbinary status. These will require the same affirmative opt-in consent currently required for health, biometric, and geolocation data.
LLM training disclosure requirement. Controllers subject to the CTDPA must update their consumer-facing privacy notices to include a clear and conspicuous statement disclosing whether they collect, use, or sell personal data for the purpose of training large language models (LLMs). This obligation applies to all covered controllers regardless of whether they actually engage in LLM training.
Additional consumer rights and profiling assessments. Consumers will gain the right to obtain a list of third parties that purchased their personal data and the right to access inferences a controller has derived from their data. Profiling impact assessments for certain activities will be required for processing activities created on or after August 1, 2026.
None of these provisions are in effect today. Businesses operating under the current CTDPA framework should treat July 1, 2026 as the compliance deadline for these amendments.
CTDPA vs. CCPA: key differences at a glance
The CTDPA and California's CCPA are frequently compared because both give consumers the same five rights and both use an opt-in model for sensitive data. But three CTDPA features are structurally distinctive.
Revenue threshold. The CTDPA's secondary threshold requires more than 25 percent of gross revenue from data sales, making it significantly easier to satisfy than the 50 percent threshold in Virginia's VCDPA. For a business with 25,000 Connecticut consumers, this difference is the entire question of coverage. A data analytics company that derives 30 percent of revenue from selling personal data is covered under the CTDPA; the same company, selling the same data with the same consumer count, would not be covered under the VCDPA.
Universal opt-out signal mandate. As of January 1, 2025, the CTDPA requires businesses to honor browser-level opt-out preference signals like the GPC. California also imposes a similar requirement under CPRA, and the two states are among the most aggressive in the country on this front. Many other state privacy laws do not include a comparable mandate, meaning businesses operating in Connecticut must build technical infrastructure for signal recognition rather than relying solely on a website opt-out link.
CUTPA enforcement vehicle. The CTDPA does not set its own penalty dollar figure or create its own enforcement statute. Instead, every CTDPA violation becomes a CUTPA violation, giving the AG access to CUTPA's full toolkit including disgorgement and restitution in addition to per-violation civil penalties. This structure means the AG can pursue CTDPA violations using CUTPA's established procedural framework and can seek remedies that go beyond what a standalone privacy penalty statute might offer. The $5,000 per-violation figure is CUTPA's civil penalty cap, not a number written into the CTDPA itself.
For a broader cross-state comparison that includes Virginia, Colorado, Texas, and other state frameworks, see the state privacy law comparison page and the California CCPA explainer.
Related guides
- CTDPA Consumer Rights: Exercise Your Connecticut Privacy Rights
- CTDPA Compliance Checklist for Businesses (2026)
- Connecticut Data Privacy Laws: CTDPA Consumer Rights Guide (2026)
- Connecticut Biometric Privacy Laws: Collection, Consent & Penalties (2026)
- US State Privacy Laws Comparison Chart (2026)