Connecticut Data Privacy Act (CTDPA) Explained

What is the Connecticut Data Privacy Act? See who must comply after the 2026 threshold drop, consumer rights, penalties, and how it differs from the CCPA.


by Riad Us Salehin • 4 July 2026


The Connecticut Data Privacy Act (CTDPA) is a state law, in effect since July 1, 2023, that gives Connecticut residents rights over their personal data. It requires covered businesses to honor opt-outs and protect sensitive data.

It applies wherever a business is based once it meets Connecticut's consumer thresholds. That threshold drops from 100,000 to 35,000 consumers on July 1, 2026.

This guide covers who must comply before and after that 2026 change, consumer rights, the universal opt-out signal, sensitive data, and enforcement. It closes with how Consently supports the opt-out side of compliance.

What Is the Connecticut Data Privacy Act (CTDPA)?

The Connecticut Data Privacy Act (CTDPA) is also known as Public Act 22-15 or "An Act Concerning Personal Data Privacy and Online Monitoring". It is a Connecticut state law that creates personal-data rights for Connecticut consumers.

It also sets compliance duties for the businesses, called controllers, that collect their data.

Connecticut was the fifth US state to pass a comprehensive privacy law. It joined the broader wave of US state privacy laws that began with California's CCPA.

The CTDPA follows the opt-out, controller-and-processor model used by Virginia and Colorado. A controller decides why and how personal data gets processed. A processor handles that data on the controller's behalf, under contract.

Consumers get rights by default. They do not need to grant permission before a business collects most personal data, only before it collects sensitive data.

When Did the CTDPA Take Effect? (And What Changes on July 1, 2026)

The CTDPA took effect on July 1, 2023. Several later milestones changed what compliance actually requires, and one more milestone resets who has to comply at all.

  • May 2022: Connecticut enacts Public Act 22-15.
  • July 1, 2023: The CTDPA takes effect.
  • December 31, 2024: The 60-day right-to-cure period sunsets.
  • January 1, 2025: Controllers must honor opt-out preference signals.
  • June 24, 2025: Governor Lamont signs SB 1295, enacted as Public Act No. 25-113.
  • July 1, 2026: SB 1295's CTDPA amendments take effect, including the threshold drop to 35,000 consumers.
  • August 1, 2026: New profiling impact-assessment duties begin.

SB 1295 is a broader consumer-protection act. It also updates online-safety rules for minors on social media platforms. Its CTDPA provisions are the part that matters here.

Who Has to Comply with the CTDPA?

A business must comply with the CTDPA if it conducts business in Connecticut, or targets products and services to residents. It also has to meet one of the law's consumer thresholds.

The law reaches businesses outside Connecticut that target Connecticut residents. It excludes data processed solely to complete a payment transaction.

Before July 1, 2026, a covered business meets one of two thresholds.

  • Controls or processes the personal data of 100,000 or more Connecticut consumers annually, or
  • Controls or processes the personal data of 25,000 or more consumers and derives over 25% of its gross revenue from selling personal data

The 2026 Threshold Change: From 100,000 to 35,000 Consumers

Starting July 1, 2026, SB 1295 lowers the consumer threshold to 35,000. It also deletes the "25,000 consumers plus 25% revenue" prong entirely. In its place, the law reaches any business that sells consumers' personal data or that processes their sensitive data, regardless of consumer count.

This change matters because thousands more small and mid-sized sites come into scope. Common advertising or tracking technology can itself count as offering data "for sale", which the CTDPA defines broadly. A sale is exchanging personal data with a third party for money or other value.

RuleBefore July 1, 2026On or After July 1, 2026
Consumer-count threshold100,000 consumers35,000 consumers
Revenue-based prong25,000 consumers + 25% revenue from saleRemoved
Sensitive-data triggerNot a standalone triggerAny volume of sensitive data processing triggers coverage
Data-sale triggerTied to the 25%-revenue prongAny volume of personal data sales triggers coverage

Who Is Exempt from the CTDPA?

Several categories of entities and data sit outside the CTDPA's scope.

  • State and local government agencies
  • Nonprofit organizations, except those that qualify as consumer health data controllers
  • Political committees registered under Connecticut law
  • Higher education institutions
  • Insurance entities, banks, and credit unions
  • Data or entities already regulated under HIPAA, the Fair Credit Reporting Act, and similar sector-specific laws
  • Data covered by the Gramm-Leach-Bliley Act (GLBA)

SB 1295 narrows the GLBA exemption, effective July 1, 2026. Before the amendment, an entire GLBA-regulated entity was exempt. After it, only the specific data and activities that GLBA actually covers are exempt, so the carve-out needs a closer read.

What Rights Does the CTDPA Give Connecticut Consumers?

Connecticut residents get five core rights over the personal data that businesses hold about them.

  • Right to access: confirm whether a controller is processing your personal data and access that data
  • Right to correct: fix inaccuracies in your personal data
  • Right to delete: have your personal data deleted
  • Right to a portable copy: obtain your data in a portable, readily usable format
  • Right to opt out: stop the sale of your personal data, targeted advertising, and profiling that produces a legal or similarly significant effect

A controller must respond to a consumer's request no later than 45 days after receiving it.

How the Universal Opt-Out (Opt-Out Preference Signal) Requirement Works

An opt-out preference signal is a browser or device-level signal, such as Global Privacy Control (GPC). It tells every site a consumer visits, at once, that the consumer opts out of the sale of their data and targeted advertising.

Since January 1, 2025, every controller subject to the CTDPA must detect and honor these signals automatically.

The obligation sits with the business, not the consumer. A covered site must recognize the signal the moment a visitor's browser sends it. It must treat that signal as a valid opt-out request, without requiring a separate form.

GPC is the most widely recognized signal, and Colorado's privacy law imposes a similar requirement.

What Counts as Sensitive Data Under the CTDPA?

Sensitive data is a subset of personal data that requires affirmative, opt-in consent before a business processes it. This holds even though the CTDPA is otherwise an opt-out law. The categories are:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data
  • Personal data of a known child
  • Precise geolocation data

Processing any of these categories requires the consumer's consent first. This makes sensitive data an opt-in island inside an otherwise opt-out law.

Effective July 1, 2026, SB 1295 expands this list. New categories include neural data (activity of a person's central nervous system), financial account information, disability or treatment information, and status as nonbinary or transgender. Government-issued identification numbers are also added.

What Does the CTDPA Require Businesses to Do?

Covered businesses, called controllers under the CTDPA, carry a core set of compliance duties.

  • Provide a clear, accessible privacy notice describing what data the business collects and why
  • Limit data collection to what is adequate and relevant for the stated purpose (data minimization)
  • Obtain consent before processing sensitive data
  • Honor consumer requests and opt-out preference signals
  • Run a data protection assessment before any processing that presents a heightened risk of harm, including targeted advertising, profiling, and selling data
  • Maintain reasonable data security practices

Starting August 1, 2026, controllers must also complete a profiling impact assessment. That duty applies to processing activities created on or after that date that produce legal or similarly significant effects.

Much of this overlaps with cookie consent under the GDPR. Both regimes expect a clear notice, a lawful basis before non-essential processing, and a documented consent record.

How Is the CTDPA Enforced? (Penalties and the Attorney General)

The Connecticut Attorney General has exclusive authority to enforce the CTDPA. There is no private right of action, so consumers cannot sue a business directly for a CTDPA violation.

CTDPA violations are enforced as violations of the Connecticut Unfair Trade Practices Act (CUTPA). That exposes controllers to civil penalties of up to $5,000 per violation, plus injunctive relief, restitution, and disgorgement.

A 60-day right to cure violations existed through December 31, 2024, when that provision sunset. Cures are now discretionary rather than guaranteed.

The Attorney General's office has already used this authority. On July 8, 2025, it announced its first public CTDPA enforcement action. Ticket marketplace TicketNetwork was fined $85,000 over a largely unreadable privacy policy and missing rights disclosures. Its access, correction, and deletion mechanisms did not actually work.

How Is the CTDPA Different from the CCPA and GDPR?

The CTDPA, the CCPA, and the GDPR share a goal, consumer control over personal data, but diverge on consent model, coverage trigger, and enforcement.

AttributeCTDPACCPA/CPRAGDPR
Consent modelOpt-out, except sensitive data requires opt-inOpt-outOpt-in by default
Coverage triggerConsumer-count and data-activity thresholds, no revenue-size dollar thresholdRevenue threshold ($26.625 million) or data-volume thresholdsAny processing of EU residents' data, regardless of business size
TerminologyController / processorBusiness / service providerController / processor
Private right of actionNoneLimited, for certain data breachesNone (enforced by supervisory authorities)
Universal opt-out signalRequired since January 1, 2025Required (CCPA regulations)Not applicable (opt-in model)

Unlike California's CCPA, the CTDPA sets no dollar-revenue threshold. Coverage turns on consumer counts and data activity instead.

Whereas the EU's GDPR requires opt-in consent by default, the CTDPA only requires opt-in consent for sensitive data.

The CTDPA follows the same opt-out, controller and processor model as Colorado's privacy law, including a matching universal opt-out signal requirement.

What the CTDPA Means for Your Website and Cookies

A CTDPA-covered website has to translate the law's rights and obligations into concrete, visible changes for visitors.

  • Post a clear privacy notice, linked from the homepage, that describes what data the site collects and why
  • Give Connecticut visitors a way to opt out of targeted-advertising cookies and the sale of their data
  • Detect and honor recognized opt-out preference signals automatically
  • Get affirmative consent before loading any script that processes sensitive data
  • Keep records of each visitor's consent choices

The targeted-advertising and sale opt-out is the direct link between the CTDPA and cookie consent. Any site running ad-tech pixels or third-party analytics needs a way to stop those scripts from firing until a Connecticut visitor makes a choice.

It also needs a record of what that choice was. That is the same banner-and-records discipline behind how to comply with the GDPR, applied to a different set of triggers.

How Consently Helps You Meet Connecticut's Opt-Out and Consent Requirements

Consently supports the consumer-facing side of CTDPA compliance. It shows an opt-out banner to Connecticut visitors, applies region-based display logic, and keeps a consent record you can point to later.

Consently shows Connecticut visitors an opt-out consent banner built on the CCPA and US state-law opt-out tools. It includes a dedicated opt-out or Do Not Sell control.

Automatic geotargeting and country code-based script loading mean Connecticut visitors see that opt-out experience. Visitors elsewhere see the banner model that fits their own state or country's rules.

Two features back that up directly. Consent logs record every visitor's choice with a timestamp. You can export that log as an audit trail if the Attorney General's office ever asks for one.

The cookie, privacy, and terms policy generators produce the clear privacy notice the CTDPA requires, built from your site's actual data practices.

One honest limit applies. Consently does not detect or automatically honor browser opt-out preference signals like Global Privacy Control. Honoring those signals is a separate CTDPA obligation your business has to meet through other means.

Consently's policy generators assist with the notices and disclosures the law requires. They are not a substitute for legal advice, and using Consently does not by itself make a site CTDPA compliant.

Try Consently free with a 14-day trial, no credit card required.

FAQs

What is the Connecticut Data Privacy Act in simple terms?

The Connecticut Data Privacy Act is a Connecticut law that gives residents rights over their personal data. It makes covered businesses honor opt-outs and protect sensitive data with consent.

When did the Connecticut Data Privacy Act take effect?

The CTDPA took effect July 1, 2023. Opt-out preference signal honoring became mandatory January 1, 2025, and SB 1295's major amendments take effect July 1, 2026.

Who has to comply with the Connecticut Data Privacy Act?

Businesses that control or process data for 100,000 or more Connecticut consumers, or 25,000 or more with over 25% of revenue from data sales. That threshold drops to 35,000 consumers on July 1, 2026.

Does the CTDPA apply to small businesses?

Only if a business meets the consumer thresholds. The July 1, 2026 drop to 35,000 consumers pulls more small sites into scope, especially those that sell data or run ad-tech pixels.

What changes for the CTDPA on July 1, 2026?

The threshold drops to 35,000 consumers and the 25%-revenue prong is deleted. Sensitive data expands to include neural data and financial information, and minors' targeted advertising and data sale become outright bans.

What are the penalties for violating the CTDPA?

Violations carry civil penalties of up to $5,000 per violation under the Connecticut Unfair Trade Practices Act, enforced by the Attorney General.

Who enforces the Connecticut Data Privacy Act?

The Connecticut Attorney General enforces the CTDPA exclusively. No other state agency or private party can bring a CTDPA claim.

Is there a private right of action under the CTDPA?

No. Connecticut consumers cannot sue a business directly for a CTDPA violation; only the Attorney General can enforce it.

How is the CTDPA different from the CCPA?

The CTDPA uses an opt-out model with controller and processor terms and has no private right of action. It triggers on a consumer count rather than a dollar-revenue threshold like the CCPA's.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.