Connecticut Data Privacy Act: 101 – What You Need to Know

Scott Dooley
10 min read · Nov 6, 2025 · Last updated: January 2, 2026

This article explains the Connecticut Data Privacy Act for educational purposes. It is not legal advice. For guidance specific to your organisation, consult a qualified privacy lawyer.

What Is the Connecticut Data Privacy Act?

Connecticut enacted the Connecticut Data Privacy Act (CTDPA) on 10th May 2022, when Governor Ned Lamont signed Senate Bill 6 into law. This made Connecticut one of the earliest US states to pass a consumer privacy law, following California, Virginia, and Colorado.

The law grants Connecticut residents rights over their personal data, including the ability to access, correct, delete, and control how businesses use their information. It also places obligations on businesses that process personal data of Connecticut residents.

Connecticut has distinguished itself through active enforcement. Since the law took effect, the Attorney General has issued dozens of violation notices, settled enforcement cases, and published detailed reports on enforcement priorities.

Timeline of Key Dates

Understanding the CTDPA requires knowing its key milestones:

  • 10th May 2022: Governor Lamont signs the original CTDPA (Senate Bill 6) into law
  • 1st July 2023: The CTDPA takes effect
  • 1st October 2023: Consent requirements for processing sensitive health data and geofencing restrictions around healthcare facilities begin
  • 1st July 2024: Social media platforms must provide minors and guardians with account deletion tools
  • 31st December 2024: The 60-day cure period expires
  • 1st January 2025: Businesses must recognise universal opt-out mechanisms like Global Privacy Control; the Attorney General can proceed directly to enforcement without offering a cure period
  • 24th June 2025: Governor Lamont signs SB 1295, significantly amending the CTDPA
  • 1st July 2026: SB 1295 amendments take effect, including lowered applicability thresholds
  • 1st August 2026: Profiling impact assessment requirements begin

Does This Apply to Your Organisation?

The CTDPA applies to businesses that conduct business in Connecticut or produce products or services targeted to Connecticut residents. Under the original thresholds (in effect until 30th June 2026), the law applies if your business, during the preceding calendar year:

  • Controlled or processed personal data of 100,000 or more Connecticut consumers (excluding data processed solely to complete payment transactions), OR
  • Controlled or processed personal data of 25,000 or more Connecticut consumers AND derived more than 25% of gross revenue from selling personal data

The 2026 Threshold Changes (SB 1295)

From 1st July 2026, SB 1295 significantly expands who must comply:

  • The general threshold drops from 100,000 to 35,000 Connecticut consumers
  • No minimum threshold applies if you process sensitive data of Connecticut residents
  • No minimum threshold applies if you sell Connecticut residents’ personal data

This means businesses that process any amount of sensitive data or sell any personal data of Connecticut residents will need to comply, regardless of volume.

Who Is Exempt?

The following entities are exempt from the CTDPA:

  • Government agencies and state entities
  • Non-profit organisations
  • Higher education institutions
  • Financial institutions governed by the Gramm-Leach-Bliley Act (GLBA) – though SB 1295 narrows this exemption from entity-level to data-level, meaning only the specific data subject to GLBA requirements is exempt, not the entire organisation
  • Covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA)
  • National securities associations registered under the Securities Exchange Act of 1934

Certain types of data are also exempt, including data maintained under the Fair Credit Reporting Act, Driver’s Privacy Protection Act, and Family Educational Rights and Privacy Act (FERPA).

Key Definitions

Understanding these terms is essential for CTDPA compliance:

Consumer: A Connecticut resident acting in an individual or household context. This excludes individuals acting in employment or business-to-business contexts.

Personal data: Information that is linked or reasonably linkable to an identified or identifiable individual. This excludes de-identified data and publicly available information. For more on what constitutes personal data, see our article on what counts as personal data under GDPR.

Sensitive data: A category requiring heightened protection, including racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation or sex life, citizenship or immigration status, genetic or biometric data used to identify an individual, personal data of children under 13, and precise geolocation data (within 1,750 feet).

The 2026 amendments (SB 1295) expand sensitive data to include disability status or treatment, neural data, status as nonbinary or transgender, financial account numbers and login credentials, and government-issued identification numbers.

Controller: An individual or legal entity that determines the purposes and means of processing personal data.

Processor: An entity that processes personal data on behalf of a controller.

Targeted advertising: Displaying advertisements based on personal data collected across different websites or applications over time. This excludes contextual advertising and advertising based on a consumer’s current search or website visit.

Dark patterns: User interface designs that manipulate or coerce consumers into making choices they would not otherwise make, such as making it easier to accept tracking than to decline it. For examples of problematic consent interfaces, see our article on common cookie banner mistakes.

Universal opt-out mechanism: A browser-based or device-based signal that communicates a consumer’s preference to opt out of certain data processing, such as Global Privacy Control (GPC).

Consumer Rights

Connecticut residents have the following rights under the CTDPA:

  • Right to access: Confirm whether a business is processing their personal data and access that data
  • Right to correction: Request correction of inaccurate personal data
  • Right to deletion: Request deletion of personal data the business has collected
  • Right to data portability: Obtain their personal data in a portable, readily usable format
  • Right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects

New Rights from the 2026 Amendments

SB 1295 adds:

  • Right to know about inferences: Consumers can request information about inferences drawn from their personal data and profiling activities that produce significant effects
  • Right to question profiling results: Consumers can challenge profiling results that significantly affect them, requiring businesses to explain the logic behind automated decisions

For comparison with how other jurisdictions handle consumer data requests, see our guide to GDPR data subject access requests.

Business Obligations

If the CTDPA applies to your organisation, you have several obligations:

Privacy Notice Requirements

You are required to provide a privacy notice that is clear, accessible, and written in plain language. The notice should explain categories of personal data you process, purposes for processing, how consumers can exercise their rights, categories of personal data shared with third parties, and categories of third parties with whom you share data.

From 1st July 2026, if you use personal data to train artificial intelligence systems or large language models, you must disclose this in your privacy notice.

Responding to Consumer Requests

Businesses are expected to respond to consumer rights requests within 45 days. You may extend this by an additional 45 days if reasonably necessary, but you should inform the consumer of the extension and explain the reason.

Universal Opt-Out Signals

Since 1st January 2025, businesses are required to recognise and honour universal opt-out mechanisms such as Global Privacy Control. When a consumer’s browser sends an opt-out signal, you should treat it as a valid opt-out request for targeted advertising and sale of personal data.
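As an added example (not code from the article or from Measured Collective), the following shows how a web backend can honour the GPC signal described above. It assumes incoming header names are lowercased, as Node's http module does; the `Sec-GPC: 1` request header itself is defined by the GPC specification, and the purpose names and sample requests are constructed for illustration.

```javascript
// Added example, not code from the article or from Measured Collective:
// honouring the Global Privacy Control (GPC) signal as a CTDPA opt-out.
// Assumes incoming header names are lowercased, as Node's http module does;
// the "Sec-GPC: 1" request header itself is defined by the GPC specification.

// The GPC spec defines exactly one meaningful value, "1". Any other value, or
// a missing header, means no signal was sent.
function hasGpcSignal(headers) {
  const raw = headers["sec-gpc"];
  if (raw === undefined) return false;
  const value = Array.isArray(raw) ? raw[0] : raw; // tolerate repeated headers
  return String(value).trim() === "1";
}

// The two purposes the article says the signal covers (names are constructed).
const GPC_PURPOSES = ["targeted-advertising", "sale-of-personal-data"];

// Merge the consumer's stored opt-outs with the signal. The signal only adds
// opt-outs; it never re-enables a purpose the consumer already opted out of.
function resolveOptOuts(headers, storedOptOuts = []) {
  const optOuts = new Set(storedOptOuts);
  let source = "stored";
  if (hasGpcSignal(headers)) {
    GPC_PURPOSES.forEach((p) => optOuts.add(p));
    source = "gpc";
  }
  return { optOuts, source };
}

// Gate for code paths such as ad-tag injection or audience-sharing calls.
// The CTDPA is an opt-out regime for adults' non-sensitive data, so a purpose
// is allowed unless an opt-out (stored or signalled) covers it. Minors' data
// and sensitive data are subject to separate rules and are not handled here.
function mayProcessFor(purpose, headers, storedOptOuts = []) {
  return !resolveOptOuts(headers, storedOptOuts).optOuts.has(purpose);
}

// Constructed sample requests: one from a browser with GPC enabled, one without.
const gpcRequest = { "sec-gpc": "1", "user-agent": "constructed-browser/1.0" };
const plainRequest = { "user-agent": "constructed-browser/1.0" };

console.log(mayProcessFor("targeted-advertising", plainRequest)); // true
console.log(mayProcessFor("targeted-advertising", gpcRequest));   // false
```

On the client, the same preference is exposed as the `navigator.globalPrivacyControl` boolean, which a consent-banner script can read to pre-select the opted-out state rather than asking the consumer again.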

Data Protection Assessments

Businesses are expected to conduct and document data protection assessments for processing activities that present a heightened risk of harm, including processing personal data for targeted advertising, selling personal data, processing sensitive data, and profiling that presents a foreseeable risk of unfair treatment or substantial harm.

From 1st August 2026, businesses must conduct specific profiling impact assessments whenever engaging in profiling that produces legal or similarly significant effects on consumers.

Restrictions on Processing Minors’ Data

The 2026 amendments introduce a categorical prohibition: controllers cannot process personal data of minors (under 18) for targeted advertising or sale, regardless of whether consent is obtained. This is an absolute restriction with no exceptions.

Businesses are also prohibited from using system design features to significantly increase, sustain, or extend a minor’s use of an online service.

Enforcement and Penalties

The Connecticut Attorney General has exclusive authority to enforce the CTDPA. There is no private right of action, meaning consumers cannot sue businesses directly under this law.

Cure Period Changes

Until 31st December 2024, businesses received a 60-day notice to cure violations before enforcement action. Since 1st January 2025, the Attorney General may proceed directly to enforcement. The Attorney General has discretion to offer a cure period based on factors including the number of violations, the business’s size and complexity, and whether the violation appears wilful.

Penalties

Violations of the CTDPA are treated as unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA). Remedies can include civil penalties of up to $5,000 per wilful violation, restitution for affected consumers, disgorgement of profits from the unlawful activity, and injunctive relief to prevent further violations.

Because each affected consumer may count as a separate violation, penalties can accumulate quickly for businesses processing large amounts of data.

First Enforcement Settlement: TicketNetwork

In July 2025, the Attorney General announced the first monetary settlement under the CTDPA. TicketNetwork LLC agreed to pay $85,000 to resolve allegations that:

  • its privacy notice was largely unreadable and missing key information about consumer rights
  • its rights request mechanisms were misconfigured or inoperable
  • the company repeatedly represented that it had fixed deficiencies when it had not
  • the company failed to respond in a timely manner to follow-up correspondence from the Attorney General

The Attorney General’s office had first issued a cure notice to TicketNetwork in November 2023. Despite having 60 days to resolve the issues, the company failed to do so, leading to the enforcement action.

Enforcement Priorities

The Attorney General’s 2025 enforcement report highlights the following priority areas:

  • Privacy notices: over two dozen cure notices issued for inadequate privacy notices
  • Dark patterns: active targeting of cookie banners and interfaces that make opting out difficult
  • Universal opt-out signals: a focus on businesses failing to honour GPC and similar signals
  • Sensitive data processing: including enforcement against a regional supermarket using facial recognition technology for loss prevention

Preparing for Compliance

For Businesses Already Compliant

If you currently comply with the CTDPA, review the 2026 amendments (SB 1295) carefully:

  • Assess whether the lowered threshold (35,000 consumers) affects your compliance obligations
  • Review whether you process sensitive data or sell data, which triggers compliance regardless of volume
  • Update your privacy notice to include AI training disclosures if applicable
  • Prepare for profiling impact assessments (by 1st August 2026)
  • Audit all processing of minors’ data to ensure compliance with the new prohibition

For Businesses Newly Covered

If the lowered thresholds bring your organisation within scope, consider:

  • conducting a data inventory to understand what personal data you collect and process
  • implementing mechanisms for consumers to exercise their rights
  • updating or creating a CTDPA-compliant privacy notice
  • implementing universal opt-out signal recognition
  • reviewing cookie consent interfaces for dark patterns
  • establishing contracts with processors that meet CTDPA requirements
  • training your staff on privacy requirements and how to handle consumer requests

Where to Get Help

For compliance advice specific to your business, consult a privacy lawyer familiar with US state privacy laws. Given Connecticut’s active enforcement, professional guidance is particularly valuable.

The Connecticut Attorney General’s office publishes enforcement reports and guidance. Review these materials to understand current enforcement priorities.

Measured Collective offers data privacy training covering principles applicable to US state privacy laws including the CTDPA.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.