Consentise Logo

REGULATIONSConnecticut Data Privacy Act (CTDPA)

CTDPA is a state privacy law that empowers Connecticut residents with greater control over their personal data and requires businesses to be transparent and accountable in handling that data.

Subscription Icon

The Connecticut Data Privacy Act (CTDPA) is a comprehensive privacy law that enhances data protection rights for Connecticut residents and imposes new responsibilities on businesses that collect, use, or share personal information. Signed into law in May 2022, the CTDPA took effect on July 1, 2023, making Connecticut the fifth U.S. state to pass a consumer privacy law, following California, Virginia, Colorado, and Utah.

What’s the Purpose of the CTDPA?

The CTDPA empowers consumers and creates a framework for responsible data handling by businesses. It:

  • Gives individuals more control over their personal data,
  • Requires transparency in how data is collected and used,
  • Limits the use of personal data for targeted advertising and profiling,
  • Introduces rules for processing sensitive data, such as race, health information, and precise geolocation.

It’s modeled after similar state laws but incorporates unique features, such as mandatory data protection assessments and a strong opt-out framework.

Who Needs to Comply with the CTDPA?

The CTDPA applies to businesses — regardless of where they’re based — that:

  • Conduct business in Connecticut or target Connecticut residents, and
  • Meet one of the following thresholds:
    • Control or process the personal data of 100,000+ consumers annually (excluding data processed solely for payment transactions), or
    • Derive over 25% of gross revenue from selling personal data of 25,000+ consumers.

Nonprofits and government agencies are exempt, and employee or B2B data is currently excluded.

What Rights Do Connecticut Consumers Have?

Connecticut residents are granted several important rights under the CTDPA:

  • Right to access: Know what data a company has about you,
  • Right to correct: Fix any inaccuracies in your personal information,
  • Right to delete: Request deletion of personal data,
  • Right to data portability: Obtain a copy of your data in a machine-readable format,
  • Right to opt out of:
    • Targeted advertising,
    • Sale of personal data,
    • Automated decision-making and profiling.

Businesses must respond to requests within 45 days, and they must provide a simple and accessible appeals process for denied requests.

What Are the Consequences of Non-Compliance?

The CTDPA is enforced by the Connecticut Attorney General. Key enforcement features include:

  • A 60-day cure period for violations (ends on December 31, 2024),
  • After that, businesses may face investigations and civil penalties,
  • There is no private right of action, so only the Attorney General can enforce violations.

Unlike some states, Connecticut has signaled it will take an active role in monitoring business compliance and promoting best practices.

Does the CTDPA Only Apply in Connecticut?

No. Like other U.S. state privacy laws, the CTDPA applies to any business that meets the consumer or revenue thresholds and targets Connecticut residents, regardless of its physical location. If your business operates online or serves users across multiple states, you may fall under the scope of the CTDPA.

How Consentise Helps You Navigate CTDPA Compliance

Consentise helps simplify CTDPA compliance through easy-to-integrate tools that include:

  • Customizable consent banners that allow users to opt out of data sales and targeted ads,
  • Tools for managing access, correction, and deletion requests,
  • Support for appeals processes and compliance workflows,
  • Built-in logs for data protection assessments and sensitive data consent,
  • Seamless integration with your website or app to maintain a compliant user experience.

With Consentise, you can confidently align your data practices with Connecticut’s privacy law — while building greater trust with your users.

Ready to start?

Start for free