What Is the Connecticut Data Privacy Act?
Connecticut enacted the Connecticut Data Privacy Act in May 2022, making it one of the earliest comprehensive state privacy laws in the United States. The law took initial effect on 1st July 2023, with significant amendments taking effect on 1st July 2026.
Connecticut has distinguished itself through active enforcement. The Attorney General has issued dozens of violation notices, settled enforcement cases, and published detailed reports. This makes Connecticut’s approach notably more aggressive than most US states.
If your organisation processes personal data of Connecticut residents, understanding the 2026 amendments is essential.
Who Must Comply?
The 2026 amendments significantly broaden the Connecticut Data Privacy Act’s applicability. Under the original law, businesses needed to process data of 100,000 Connecticut consumers to be covered. The amended threshold drops to 35,000 or more Connecticut consumers during a calendar year.
Additionally, the amendments create new thresholds with no minimum consumer counts. If you process sensitive data of Connecticut residents or offer Connecticut residents’ data for sale, the law applies to you regardless of how many consumers are affected.
The law doesn’t apply to non-profit organisations, government agencies, financial institutions covered by the Gramm-Leach-Bliley Act (though the GLBA exemption has been narrowed), covered entities and business associates under HIPAA, or higher education institutions.
Consumer Rights Under the Act
Connecticut residents have comprehensive rights regarding their personal data: the right to confirm whether you’re processing their data and access that data, the right to request corrections to inaccurate information, the right to request deletion of personal data you’ve collected, the right to obtain their data in a portable format for transfer to another business, and the right to opt out of targeted advertising, the sale of their personal data, and profiling used for automated decisions.
The 2026 amendments add important new rights. Connecticut residents will have the right to know about inferences drawn from their personal data and profiling activities that produce significant effects. They’ll also have the right to question profiling results that affect them significantly, requiring businesses to explain the logic behind automated decisions and allow consumers to dispute outcomes.
What Are Your Obligations?
If the Connecticut Data Privacy Act applies to your organisation, you must maintain a clear, accessible privacy notice explaining what data you collect, why you collect it, with whom you share it, and how consumers exercise their rights. The notice must be written in plain language and avoid legal jargon.
Starting with the 2026 amendments, if you use personal data to train large language models or other artificial intelligence systems, you must disclose this in your privacy notice. This requirement reflects growing concerns about AI training data transparency.
You must respond to consumer requests within 45 days. You can extend this by another 45 days if necessary, but you must inform the consumer and explain why the extension is needed.
You must recognise and honour universal opt-out signals. Since 1st January 2025, Connecticut has required businesses to recognise browser-based privacy signals like Global Privacy Control. If a consumer’s browser sends an opt-out signal, you must honour it as if the consumer had manually opted out. This requirement is already in effect, not part of the 2026 amendments.
You must conduct data protection assessments for high-risk processing activities. Starting 1st August 2026, you must conduct profiling impact assessments whenever you engage in profiling that produces legal or similarly significant effects. These assessments must evaluate the purpose, benefits, and potential harms of profiling, analyse safeguards implemented to mitigate risks, and be available to the Attorney General upon request.
The 2026 amendments include a categorical prohibition: you cannot process personal data of minors for targeted advertising or sale, regardless of parental consent. This absolute ban reflects heightened protection for children’s data.
Training Your Team
Given Connecticut’s active enforcement, training your staff is essential. Your team needs to understand what personal data your organisation collects, how to recognise and respond to consumer rights requests, what targeted advertising means and how it differs from contextual advertising, how to implement universal opt-out signals, the absolute prohibition on processing minors’ data for advertising or sale, and what constitutes dark patterns.
The Connecticut Attorney General has specifically focused on dark patterns—deceptive design practices that manipulate consent. Train your teams to avoid interface designs that make opting out difficult, misleading language that obscures data practices, pre-checked boxes for data sharing, or confusing layouts that steer users toward choices that benefit your business over their privacy.
Regular refresher training helps maintain compliance as the law evolves and as your business practices change.
Enforcement and Penalties
The Connecticut Attorney General has exclusive enforcement authority. There is no private right of action, meaning consumers cannot sue businesses directly.
Connecticut initially provided a cure period allowing businesses to fix violations before facing penalties. This cure period expired on 1st January 2025. The Attorney General can now proceed directly to enforcement without giving businesses time to cure violations.
Connecticut has been exceptionally active in enforcement. In April 2025, the Attorney General announced the first monetary settlement under the Connecticut Data Privacy Act. TicketNetwork LLC agreed to pay $85,000 to resolve allegations that it failed to honour consumer opt-out requests and used dark patterns in its cookie consent interface.
The Attorney General’s 2025 enforcement report revealed that the office received 75 consumer complaints about Connecticut Data Privacy Act violations during 2024. Common issues included failures to honour opt-out requests, inadequate privacy notices, dark patterns in consent interfaces, and failures to respond to consumer rights requests within 45 days.
The Attorney General issued dozens of notices of violation during 2024, primarily targeting cookie banners that failed to provide genuine choice, websites that didn’t recognise universal opt-out signals, and businesses that made opting out unnecessarily difficult.
Connecticut treats violations as unfair trade practices, allowing civil penalties that vary based on violation type and severity. For businesses processing large amounts of data, penalties can accumulate quickly since each affected consumer may count as a separate violation.
Preparing for Compliance
If you currently comply with the Connecticut Data Privacy Act, review the 2026 amendments carefully to ensure continued compliance. Focus on the lowered threshold (35,000 consumers instead of 100,000), new thresholds for sensitive data processing and data sales, disclosure requirements for AI training data use, profiling impact assessments (by 1st August 2026), and the absolute prohibition on processing minors’ data for advertising or sale.
If you’re newly covered under the lowered thresholds, assess whether the law applies to you by counting Connecticut consumers whose data you process. Review and update your privacy notice to meet all requirements, including AI training disclosures if applicable.
Implement universal opt-out signal recognition if you haven’t already. This requirement has been in effect since January 2025 and is a priority enforcement area for the Attorney General.
Review your cookie consent interfaces and opt-out processes for dark patterns. The Attorney General has specifically targeted misleading design practices, so ensure your interfaces provide genuine choice and make opting out straightforward.
Prepare for profiling impact assessments if you engage in profiling that produces legal or similarly significant effects. These assessments must be ready by 1st August 2026.
Audit all processing of minors’ data. Ensure you have systems to identify when you’re processing data of individuals under 18 and that you absolutely do not process that data for targeted advertising or sale.
Train your staff now on current requirements and upcoming changes. Given Connecticut’s aggressive enforcement approach, waiting until July 2026 is too late.
Where to Get Help
For detailed compliance advice specific to your business, consult a privacy lawyer familiar with US state privacy laws and Connecticut’s specific enforcement priorities. Given the active enforcement environment, legal guidance is particularly valuable for Connecticut compliance.
The Connecticut Attorney General’s office publishes enforcement reports and guidance on its website. Review these materials to understand current enforcement priorities and common violations.
Measured Collective offers privacy compliance training that covers principles applicable to US state privacy laws. Connecticut’s enforcement experience demonstrates that privacy law consequences are real. The Attorney General investigates complaints, issues violation notices, and pursues monetary settlements.
The 2026 amendments strengthen protections around AI transparency, profiling, and children’s data. Start your preparation now by reviewing data practices, updating your privacy notice, implementing universal opt-out signals, eliminating dark patterns, and training your staff.
Official Sources:
- Connecticut General Statutes Title 42, Chapter 745a: https://www.cga.ct.gov/current/pub/chap_745a.htm
- Connecticut Attorney General Privacy & Data Security: https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act
- Connecticut AG 2025 Enforcement Report: https://portal.ct.gov/-/media/ag/press_releases/2025/updated-enforcement-report-pursuant-to-connecticut-data-privacy-act-conn-gen-stat–42515-et-seq.pdf
