Connecticut Data Privacy Act (CTDPA)

Last updated
March 21, 2025

The Connecticut Data Privacy Act (CTDPA) is a major step in protecting consumer data, granting Connecticut residents greater control over their personal information. Signed into law as Senate Bill 6 on May 10, 2022, the CTDPA makes Connecticut the fifth state to pass a comprehensive privacy law. The legislation establishes clear guidelines for businesses processing consumer data, including requirements for transparency, consent for sensitive data processing, and consumer rights to access, correct, and delete their information.

What is the Connecticut Data Privacy Act (CTDPA)?

Why was CTDPA passed?

What makes CTDPA unique?

Key definitions in CTDPA

The Connecticut Privacy law introduces several critical terms, as outlined in Section 1 of the act.

  • Consumer: A Connecticut resident acting in an individual or household capacity (excludes employees and B2B transactions).
  • Personal data: Information linked or reasonably linkable to an identifiable individual (excludes de-identified or publicly available data).
  • Sensitive data: Includes race, ethnicity, religious beliefs, health data, biometric data, children’s data, and precise geolocation.
  • Controller: A business that determines the purpose and means of processing personal data.
  • Processor: An entity that processes personal data on behalf of a controller.
  • Sale of personal data: Exchange of personal data for monetary or other valuable consideration (with certain exceptions).
  • Targeted advertising: Ads based on personal data collected across different websites or apps, excluding contextual ads and first-party interactions.

Who must comply with CTDPA?

The Connecticut data privacy law applies to entities conducting business in Connecticut or targeting products/services to Connecticut residents if they meet one of the following thresholds:

  • Control or process the personal data of at least 100,000 consumers (excluding data processed solely for payment transactions).
  • Control or process the personal data of at least 25,000 consumers and derive over 25% of gross revenue from the sale of personal data.

"As the digital landscape changes and evolves, it is crucial that we prevent the unauthorized use and trade of personal data. Data privacy is a priority for all, and this act protects all of our residents while they are online."

- State Representative Mike D'Agostino

CTDPA exemptions

Certain entities, such as state agencies, nonprofits, financial institutions under the Gramm-Leach-Bliley Act (GLBA), and entities covered by HIPAA, are exempt from CTDPA compliance.

Key provisions of CTDPA

The Connecticut privacy law includes several key provisions:

  • Consumer rights: Residents can access, correct, delete, and obtain a copy of their personal data. They can also opt out of targeted advertising, data sales, and certain profiling.

  • Business obligations: Controllers must limit data collection, ensure data security, and obtain consent before processing sensitive data.

  • Opt-In for sensitive data: Businesses must obtain explicit consent before processing sensitive personal data, such as health, biometric, and children’s data.

  • Data protection assessments: Businesses must conduct assessments for high-risk data processing activities, such as targeted advertising and profiling.

  • Processor requirements: Controllers must have contracts with processors that define data protection responsibilities.

  • Enforcement: The Connecticut Attorney General has exclusive enforcement authority, with no private right of action for consumers.

“Online data is a billion-dollar industry that profits from violating the privacy of our residents. Connecticut Democrats are standing up for consumers with these new privacy rights.”

- Senate Majority Leader Bob Duff

Is CTDPA opt-in or opt-out?

The Connecticut Data Privacy Act primarily follows an opt-out model for data processing, particularly for targeted advertising, data sales, and profiling. This means that businesses can process consumer data by default, but consumers have the right to opt out of certain data uses.

However, opt-in consent is required for processing sensitive data, such as:

  • Racial or ethnic origin
  • Religious beliefs
  • Health conditions
  • Sexual orientation
  • Biometric or genetic data
  • Data of children under 13 (which also requires compliance with COPPA)

The price of non-compliance

Non-compliance with the CTDPA can lead to significant financial and legal consequences for businesses. 

[Figure: various fines from violations of US state privacy laws, including Connecticut]

CTDPA fines & penalties

The Connecticut Data Privacy Act is enforced exclusively by the Connecticut Attorney General, with the following fines and penalties:

CTDPA penalties

Violations are subject to fines under the Connecticut Unfair Trade Practices Act (CUTPA), which can include civil penalties up to $5,000 per willful violation and possible restitution for affected consumers.

There is no private right of action, meaning consumers cannot sue businesses directly under CTDPA.

Cure period 

Until December 31, 2024, businesses received a 60-day notice to fix violations before enforcement action was taken. Starting on January 1st, 2025, the Attorney General may take immediate enforcement action without a cure period.

The impact of CTDPA on businesses

What businesses need to know about CTDPA

The Connecticut privacy law has a significant impact on businesses, requiring them to adopt stricter data protection measures and enhance consumer privacy rights.

  • Compliance requirements: Businesses must implement privacy policies, conduct data protection assessments, and obtain opt-in consent for sensitive data processing.
  • Consumer rights management: Companies must provide mechanisms for consumers to access, correct, delete, and opt out of data processing.
  • Data minimization & security: Organizations must limit data collection to what is necessary and ensure reasonable security measures to protect personal information.
  • Contractual obligations: Controllers must establish legally binding agreements with processors, ensuring compliance with data processing requirements.
  • Risk of enforcement: The Connecticut Attorney General can impose fines up to $5,000 per willful violation and take legal action under CUTPA.

Businesses operating in multiple states must ensure compliance with CTDPA alongside other state privacy laws, increasing regulatory complexity and compliance cost.

What are the CTDPA requirements for businesses?

To comply with CTDPA, businesses must:

  • Honor consumer rights (access, correct, delete, opt-out of data sales and targeted ads)
  • Obtain opt-in consent for sensitive data processing
  • Limit data collection and ensure security measures
  • Conduct data protection assessments for high-risk processing
  • Have contracts with processors defining data responsibilities
  • Provide transparent privacy notices on data practices
  • Comply with enforcement by the Attorney General

The impact of CTDPA on consumers

Understanding Connecticut consumer rights

The Connecticut Data Privacy Act enhances consumer privacy rights and control over personal data.

  • Grants rights to access, correct, delete, and obtain a copy of personal data.
  • Allows opting out of targeted advertising, data sales, and profiling.
  • Requires businesses to get opt-in consent before processing sensitive data.
  • Improves transparency by mandating clear privacy notices.
  • Enhances data security and limits unnecessary data collection.
  • Provides enforcement through the Attorney General, ensuring compliance.

CTDPA empowers consumers with greater control over their personal information and strengthens data protection.

“The Connecticut Data Privacy Act gives consumers powerful new baseline rights, including the right to access, correct, and delete personal data stored and collected by businesses, and the right to opt-out of the sale of personal data and targeted advertising.”

- Attorney General William Tong

How CTDPA compares to other U.S. data privacy laws

The CTDPA aligns with several existing U.S. state privacy laws but also presents distinct features on scope, consumer rights, data controller obligations and penalties. 

CTDPA vs other state privacy laws

| State | Scope | Effective Date | Key Features | Penalties for Non-Compliance |
|---|---|---|---|---|
| Connecticut (CTDPA) | Connecticut residents | July 1, 2023 | Opt-out for targeted ads and data sales; requires data protection assessments; expanded consumer rights | Up to $5,000 per violation |
| Colorado (CPA) | Colorado residents | July 1, 2023 | Opt-out for targeted advertising; sensitive data consent; data protection assessments | Up to $20,000 per violation |
| California (CCPA/CPRA) | California residents | January 1, 2023 | Right to access, delete, opt-out; data protection assessments; enforcement includes private right of action | Up to $7,500 per violation |
| Virginia (VCDPA) | Virginia residents | January 1, 2023 | Opt-out rights, data protection assessments, strong consumer rights | Up to $7,500 per violation |
| Texas (TDPSA) | Texas residents | July 1, 2024 | Consumer rights, data protection, opt-out of data sales | Up to $7,500 per violation |
| Oregon (OCPA) | Oregon residents | July 1, 2024 | Strong consumer rights, opt-out options, data minimization | Up to $7,500 per violation |
| Iowa (ICDPA) | Iowa residents | January 1, 2025 | Data protection, opt-out of data sharing | Up to $7,500 per violation |
| Montana (MCDPA) | Montana residents | October 1, 2024 | Consumer rights, opt-out options, sensitive data consent | Up to $7,500 per violation |
| New Jersey (NJDPA) | New Jersey residents | January 15, 2025 | Right to access, correct, delete data; opt-out of targeted advertising | Up to $10,000 per violation |

What makes CTDPA stand out?

The CTDPA stands out due to:

  • Opt-in for sensitive data processing, requiring explicit consumer consent
  • Strong consumer rights, including access, correction, deletion, and opt-out options
  • Mandatory data protection assessments for high-risk processing
  • Strict processor contract requirements, ensuring compliance in data handling
  • Limited enforcement flexibility, with a 60-day cure period only until Dec. 31, 2024

CTDPA vs. CCPA vs. GDPR

What are the differences between CTDPA and GDPR?

The CTDPA differs from GDPR in key ways: CTDPA applies to businesses meeting consumer data thresholds, while GDPR applies broadly. GDPR requires a lawful basis for data processing, whereas CTDPA follows an opt-out model (except for sensitive data). GDPR has higher fines, while CTDPA is enforced by the Attorney General under CUTPA.

What are the differences between CTDPA and CCPA?

CTDPA requires opt-in consent for sensitive data, while CCPA follows an opt-out model. CTDPA applies based on consumer data thresholds, while CCPA applies based on revenue or data volume. Unlike CCPA, CTDPA mandates data protection assessments and has no private right of action.

How to ensure CTDPA compliance

If you’ve read this far, you know that building a privacy-compliant business is important, but also far from easy. Here are eight key steps every business should take to ensure they don’t fall foul of regulators:

What is CTDPA compliance?

CTDPA compliance requires businesses to honor consumer rights (access, correction, deletion, and opt-outs), obtain opt-in consent for sensitive data, limit data collection, ensure security, conduct data protection assessments, have contracts with processors, provide clear privacy notices, and comply with enforcement by the Attorney General.

How to comply with CTDPA

To comply with CTDPA, you must:

  • Provide consumers with rights to access, correct, delete, and opt-out of data sales and targeted ads
  • Obtain opt-in consent for sensitive data processing
  • Limit data collection to what is necessary and ensure security measures
  • Conduct data protection assessments for high-risk processing
  • Establish contracts with processors to define data handling responsibilities
  • Maintain clear privacy notices explaining data practices
  • Ensure compliance with Attorney General enforcement, with a 60-day cure period until Dec. 31, 2024

How Ketch can simplify CTDPA compliance

With the Ketch Data Permissioning Platform, you can do the following:

  • Automate your data mapping. Understand where sensitive personal data lives throughout your data ecosystem. 
  • Deploy CTDPA-compliant privacy notices for Connecticut residents. Ketch Consent Management includes a pre-built policy template for the NDPA, with the ability to customize rights as desired; no coding is required to make changes.
  • Gather the consent necessary to process sensitive data. Ketch consent banners and modals are customizable, making it easy for you to ensure consent is gathered for processing various types of data. 
  • Provide a consumer-facing portal for submitting rights requests, as well as automated workflows connecting to your systems and applications. 

With Ketch, businesses can streamline compliance, reduce risk, and maintain regulatory alignment effortlessly.

When you automate these processes, you enable your internal stakeholders: 

  • Your developers and marketers can do their jobs without fretting about regulations
  • Your legal team can set guidelines for notice and consent, secure in the knowledge that any changes they make will ripple through your whole data ecosystem (including vendors or third-party companies using your data!)

Final thoughts: Preparing your business for CTDPA

Now that the CTDPA is in effect, businesses must proactively adjust their data privacy practices to meet its requirements. Compliance goes beyond meeting legal obligations—it involves fostering a culture of data protection and consumer trust. Staying updated on regulatory changes and continuously improving privacy measures will be essential as laws evolve.

Contact Ketch today to streamline your compliance and future-proof your privacy strategy. 

Read further: 2025 U.S. State Privacy Laws: what you need to know

FAQs about the Connecticut privacy regulation

  1. What businesses must comply with CTDPA?
    Businesses operating in Connecticut or targeting Connecticut consumers must comply if they process data of at least 100,000 consumers or 25,000 consumers while deriving 25%+ revenue from data sales. Certain entities, like nonprofits and financial institutions under GLBA, are exempt.
  2. How does the Connecticut Data Privacy Act impact companies?
    Companies must enhance data privacy practices, honor consumer rights, obtain opt-in consent for sensitive data, conduct data protection assessments, and establish processor contracts. Non-compliance may lead to enforcement by the Attorney General.
  3. What are consumer rights under CTDPA?
    Consumers have the right to access, correct, delete, and obtain a copy of their data. They can also opt out of targeted advertising, data sales, and profiling that produces significant decisions. Businesses must provide mechanisms to exercise these rights.
  4. CTDPA compliance checklist for businesses
    Follow this checklist for CTDPA compliance:
    • Implement a privacy policy outlining data collection and use
    • Provide opt-out mechanisms for targeted ads, data sales, and profiling
    • Obtain opt-in consent for sensitive data
    • Conduct data protection assessments for high-risk processing
    • Secure processor contracts ensuring compliance
    • Maintain data security and limit unnecessary data collection
  5. Connecticut data privacy law vs. other state laws
    CTDPA aligns with Virginia and Colorado privacy laws but differs from California's CCPA, which has a private right of action. Unlike GDPR, CTDPA follows an opt-out model, except for sensitive data requiring opt-in consent. It also mandates data protection assessments like Colorado.
  6. How to implement CTDPA compliance measures?
    Businesses should update privacy policies, enable consumer rights requests, obtain explicit consent for sensitive data, establish processor contracts, and implement security measures. Regular audits and data protection assessments help maintain compliance.
  7. What is sensitive data under CTDPA?
    Sensitive data includes racial/ethnic origin, religious beliefs, health data, biometric data, precise geolocation, children’s data, and sexual orientation. Businesses must obtain opt-in consent before processing such data.
  8. How does CTDPA affect small businesses?
    Small businesses are impacted only if they meet data processing thresholds. Those covered must comply with consumer rights requests, opt-in consent for sensitive data, and security measures. Exempt businesses (e.g., nonprofits) are not subject to CTDPA.
  9. Connecticut privacy law enforcement and penalties
    CTDPA is enforced by the Connecticut Attorney General. Until Dec. 31, 2024, businesses had a 60-day cure period to fix violations. After Jan. 1, 2025, immediate enforcement applies, with civil penalties up to $5,000 per willful violation under CUTPA.
  10. Steps to prepare for CTDPA compliance
    Follow these steps to prepare for CTDPA compliance:
    • Assess data processing to determine compliance obligations
    • Update privacy policies to reflect CTDPA requirements
    • Implement opt-out mechanisms for targeted ads, sales, and profiling
    • Obtain opt-in consent for sensitive data
    • Establish processor contracts with third-party vendors
    • Conduct data protection assessments for high-risk processing
    • Train staff on compliance and consumer rights handling