Connecticut Data Privacy Act (CTDPA): An Overview

With the Connecticut Data Privacy Act (CTDPA) effective since July 1, 2023, companies doing business in the state need to recognize residents’ rights and comply with the law’s provisions for processing personal data.

Apr 08, 2025

The Connecticut Data Privacy Act (CTDPA) went into effect on July 1, 2023. Connecticut was the fifth state to pass such a law, and its requirements are similar to those in Colorado and Virginia, which are known for being more consumer-friendly than some states’ privacy laws.

What is the Connecticut Data Privacy Act (CTDPA)?

The Connecticut Data Privacy Act (CTDPA) protects the privacy rights of residents of Connecticut and establishes data privacy responsibilities for companies that process the personal data of Connecticut residents in the course of doing business in the state.

The CTDPA covers the sale of personal data, and defines a sale as: “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”

The law also notes that a sale can occur “in exchange for other valuable consideration”, i.e. not only in a direct monetary exchange; however, the definition does not extend to data sharing.

Like all of the other US state-level privacy laws to date, the CTDPA uses an opt-out model for consent, which means that personal data can be collected without first requiring consumers’ consent, but, with some exceptions, consent must be obtained before the data can be sold.

Who has to comply with the Connecticut Data Privacy Act?

Like Virginia and Colorado, the Connecticut privacy law does not have a revenue threshold. So, for example, a company earning USD 25 million in annual gross revenue does not automatically have to comply, as it would in California.

The CTDPA compliance thresholds are:

  • Controlling or processing the personal data of 100,000 or more consumers annually
    • unless the personal data is controlled or processed solely for the purpose of completing a payment transaction

or

  • Deriving over 25 percent of their gross revenue from the sale of personal data, and
    • controlling or processing the personal data of 25,000 or more consumers

Exemptions to Connecticut Data Privacy Act compliance

The CTDPA includes a variety of exemptions from its compliance requirements, relating to the type of entity, the types of data, and other factors.

Organizational exemptions

The Connecticut data privacy law exempts the following entities and institutions from compliance requirements:

Data Exemptions

There are data-related exemptions for information that has been de-identified or is publicly available, as well as data collected and processed in the course of an employment or business relationship.

In addition, data and processing that fall under the compliance requirements of these US federal regulations are exempt from the CTDPA:

  • Fair Credit Reporting Act (FCRA)
  • Driver’s Privacy Protection Act (DPPA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Farm Credit Act (FCA)
  • Airline Deregulation Act (ADA)

Employment exemptions

Connecticut exempts personal data that is processed or maintained for the following employment-related purposes:

  • In the course of an individual applying to, or acting as an employee, agent, or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role

or

  • As emergency contact information for an individual and used for emergency contact purposes

or

  • To administer benefits for another individual and used to administer those benefits

What rights do consumers have under the Connecticut Data Privacy Act?

Connecticut residents’ rights under the CTDPA are fairly consistent with many other US state-level privacy laws in terms of what they can request and have done with their data. The primary rights are:

  • Right to access – to confirm whether a controller is processing their personal data and to have access to such data, with some exceptions
  • Right to correction – to have inaccuracies or outdated information in their collected personal data corrected, with some limitations
  • Right to deletion – to have personal data that was provided by or about the individual deleted by the controller or processor
  • Right to portability – to obtain a portable copy of their personal data, to a technically feasible extent and with some restrictions
  • Right to opt-out – of the processing of their personal data for the purposes of:
    • Sale
    • Targeted advertising
    • Profiling in connection with automated decision-making that could have legal or comparably significant effects

Connecticut residents’ privacy requests and appeals

Controllers must respond to verified consumer requests within 45 days. This period can be extended by an additional 45-day period if “reasonably necessary”. For example, if the controller has a high volume of requests or the consumer’s request is particularly complex, the response period can be extended.

Consumers have the right to appeal a company’s denial of their requests, and can designate another person as an authorized agent who can exercise their right to opt out on the consumer’s behalf.

Connecticut’s privacy law does not enable consumers to sue companies in the event of a data breach or other violation, as is allowed (with restrictions) in California.

What are companies’ responsibilities under the Connecticut privacy law?

Although the CTDPA uses a consent model that differs from the one used in the EU and some other jurisdictions, it does set requirements that consent to data collection and processing must meet in order to be valid. There are also specific situations in which prior consent must be obtained.

As established by the European Union’s General Data Protection Regulation (GDPR) and widely adopted, the CTDPA requires consent to be “freely given, specific, informed and unambiguous”.

Companies must obtain valid user consent before processing sensitive personal data or the data of children (individuals under the age of 13). Where children’s data is concerned, consent must be obtained from a verifiable parent or legal guardian.

Sensitive personal data is information that could reveal the following, or be used to cause harm based on these revelations:

  • racial or ethnic origin
  • religious beliefs
  • mental or physical health condition or diagnosis
  • sex life or sexual orientation
  • citizenship or immigration status
  • genetic or biometric data for the purpose of uniquely identifying an individual
  • personal data collected from a known child
  • precise geolocation data

Controllers may not process personal data for purposes that are “neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed”, unless consumers’ consent has been obtained prior to collection and processing.

Changes to processing, including its purposes, third-party access to the data, and the length of retention, must also be reflected in the organization’s privacy notice.

As is becoming more common, the CTDPA explicitly notes that dark patterns cannot be used in requesting and obtaining consent. If such manipulations are used, the consent is not valid, because it violates one or more of the requirements that consent be freely given, specific, informed and unambiguous.

Controllers must provide individuals with at least one method to revoke their consent that is as accessible and easy to use as the method used to give consent. If consent is revoked, the controller must cease processing the consumer’s personal data “as soon as practicable but no later than 15 days after receipt of the request.”

The principle of transparency and privacy policy requirements

All data privacy laws require data subjects to be notified about a number of things relating to data collection, processing, security, and user rights. This information is typically provided in a privacy notice or privacy policy, and must be reasonably clear to the average person.

Such a document must include the following information for CTDPA compliance:

  • Categories of personal data processed
  • Purpose(s) of processing the data
  • Instructions to exercise consumers’ rights, including:
    • How to submit a rights-related request
    • How to appeal a rejection of a request
  • Categories of personal data shared with third parties
  • Online means of contact for the controller, e.g. email address or web form

Data minimization

Controllers must limit collection of personal data to what is “adequate, relevant and reasonably necessary” for the disclosed processing purposes.

Data security

Controllers must “establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.”

These practices have to take the volume and nature of the personal data collected and processed into account. Greater amounts of data or data of greater sensitivity should be subject to more stringent processes and protections.

Companies also have responsibility for data processing by third parties, and thus need to have contractual agreements in place and monitor their standards and operations.

Right to nondiscrimination

Controllers are prohibited from discriminating against consumers for exercising their rights under Connecticut’s privacy law, or from violating other state or federal laws that prohibit unlawful discrimination against consumers.

The law does note that if a consumer opts out of processing, but that decision conflicts with their privacy settings or voluntary participation in a loyalty or rewards program, the controller may notify the consumer of the conflict and ask them to reconfirm their privacy setting or program participation.

Data protection assessments

Controllers must conduct a data protection assessment (DPA), also known as a data protection impact assessment, for personal data processing activities that present “heightened risk of harm to a consumer.”

These DPAs must identify and weigh risks and benefits of the processing to consumers, the controller, other stakeholders and the public at large. Activities considered to increase risk include:

  • Processing personal data for targeted advertising
  • Sale of personal data
  • Processing sensitive data
  • Processing personal data for profiling where it involves a foreseeable risk of:
    • Unfair or deceptive treatment or unlawful disparate impact on consumers
    • Financial, physical or reputational injury to consumers
    • Intrusion upon the solitude or seclusion or private affairs of consumers
    • Other substantial injury to consumers

If the Connecticut Attorney General launches an investigation into an alleged violation, the controller must provide the DPAs for compliance evaluation.

Under the Connecticut data privacy law, DPAs cannot be retroactive to before the law came into effect in July 2023. However, if the controller already creates DPAs to satisfy the requirements of another law, and the assessments are “reasonably similar,” then those pre-existing DPAs can be used to satisfy CTDPA requirements.

Request/notification mechanism for consumer data processing opt-out

If a controller sells personal data to third parties or processes it for targeted advertising, the controller must provide a “clear and conspicuous link” on their website that enables consumers to opt out of either of those activities.

Exact text requirements for the link are not specified, but using something similar to the CCPA/CPRA’s required “Do Not Sell Or Share My Personal Information” would likely suffice.

Controllers must enable consumers to opt out of personal data collection for targeted advertising or sale via an “opt-out preference signal”. This requirement began on January 1, 2025.

Consumers can set such a signal in their browser using settings or a plugin, which is then automatically communicated to all websites they visit.

The Global Privacy Control (GPC) is a prominent variant of this browser-based signal and is supported by Usercentrics solutions.
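As an added example (not code from the original post or from Usercentrics), the following JavaScript shows how a site can read the GPC signal described above and apply it to the CTDPA opt-out purposes. The header name `Sec-GPC` and the `navigator.globalPrivacyControl` property come from the GPC specification; the purpose names and the stored-choice record shape are constructed for illustration.

```javascript
// Added example, not code from the original post or from Usercentrics/Cookiebot.
// Per the GPC specification the browser sends the request header "Sec-GPC: 1";
// any other value or a missing header means no preference was expressed. In
// page scripts the same preference is exposed as navigator.globalPrivacyControl.

// Purposes the CTDPA opt-out right covers (names constructed for this example).
// GPC expresses an opt-out of sale and targeted advertising; a profiling
// opt-out still arrives through the site's own request mechanism.
const OPT_OUT_PURPOSES = new Set(['sale', 'targeted_advertising', 'profiling']);
const GPC_COVERED_PURPOSES = new Set(['sale', 'targeted_advertising']);

// Server side: read the signal from an incoming request's headers.
// HTTP header names are case-insensitive, so compare them lower-cased.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: the same check against a navigator-like object.
function gpcSignalInBrowser(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Decide whether an opt-out-governed purpose may proceed for this request.
// `record` is the consumer's stored choice from the site's own opt-out link
// (constructed shape: { optedOut: Set<string> }). Either an explicit opt-out
// or a GPC signal blocks a covered purpose, so a stale "allowed" setting can
// never override the signal. The reason is returned for audit logging.
function decide(purpose, headers, record = { optedOut: new Set() }) {
  if (!OPT_OUT_PURPOSES.has(purpose)) {
    // Sensitive or children's data is opt-in, handled by consent logic elsewhere.
    throw new RangeError(`purpose "${purpose}" is not governed by opt-out`);
  }
  if (record.optedOut.has(purpose)) {
    return { allowed: false, reason: 'consumer_opt_out_request' };
  }
  if (GPC_COVERED_PURPOSES.has(purpose) && gpcSignalPresent(headers)) {
    return { allowed: false, reason: 'gpc_signal' };
  }
  return { allowed: true, reason: 'no_opt_out_expressed' };
}

// Constructed sample request: a browser header set with GPC enabled.
const SAMPLE_HEADERS = { Host: 'shop.example', 'Sec-GPC': '1', Accept: 'text/html' };
console.log(decide('targeted_advertising', SAMPLE_HEADERS)); // blocked by GPC
console.log(decide('profiling', SAMPLE_HEADERS));            // GPC does not cover profiling
```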

Noncompliance fines and penalties under the Connecticut Data Privacy Act

The Connecticut Attorney General has exclusive enforcement authority for the CTDPA. The law does not outline specific penalties itself, financial or otherwise, as violations are considered unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA).

CTDPA fines and penalties

Courts can impose civil penalties of up to USD 5,000 for willful violations and award actual and punitive damages, costs, and attorneys’ fees. Courts can also issue restraining orders, which could require data collection to cease. Violation of a restraining order could result in a USD 25,000 penalty.

Cure period and sunsetting

Under the CTDPA, companies originally had the right to a 60-day cure period: if provided with a notice of alleged violation(s), they had 60 days to correct them without penalty, where it was determined that a cure was possible. The cure period sunset in December 2024, however, so a company can now only be granted a cure period at the Attorney General’s discretion.

Such decisions would be based on:

  • Number of violations
  • Size and complexity of the controller or processor
  • Nature and extent of the controller’s or processor’s processing activities
  • Substantial likelihood of injury to the public
  • Safety of persons or property
  • Whether the alleged violation was likely caused by human or technical error

If the Attorney General decides not to provide notice and a cure period, e.g. in the case of a particularly large or damaging violation, they can pursue penalties for the violation right away.

The CTDPA requires companies to obtain valid user consent in a number of cases, and requires clear notification about data processing and rights in all cases. To provide clear information about data processing, companies need to know what kinds of tracking they’re doing on websites and apps at all times.

Cookiebot CMP automatically scans sites and apps to detect all cookies and trackers in use. This list can also be automatically categorized and used to populate the cookie banner and the privacy policy. It’s also kept up to date for you as technologies in use and data processing changes, to give you compliance peace of mind.

Connecticut’s data privacy law has been in effect long enough for regulators to receive reports and discuss adaptations. Privacy laws are always changing, and Usercentrics helps customers stay up to date with regulatory requirements with solutions like Cookiebot CMP™.

As more states pass data privacy laws, the likelihood that businesses will need to comply with more state-level laws, and even international privacy laws, continues to grow. Usercentrics has the solutions you need to achieve and maintain data privacy compliance, protect your revenue, and build trust and long-term engagement with your audience.


FAQ

What is the CTDPA?

The CTDPA, or Connecticut Data Privacy Act, is the data privacy law of the US state of Connecticut. It governs the collection and processing of personal data from Connecticut residents and sets out requirements for companies processing that data.

The law sets out key rights, such as the right to access one’s personal data or have it corrected, as well as being able to opt-out of having personal data sold to third parties or used for targeted advertisement. The CTDPA has been in effect since July 1, 2023.

Who does the CTDPA apply to?

The CTDPA applies to companies or for-profit organizations doing business in Connecticut or that produce products or services for Connecticut residents. The law applies to companies located inside and outside of the state if they process residents’ personal data.

Additionally, a company must meet one of two compliance thresholds to be required to comply with the CTDPA:

  • Controlling or processing the personal data of 100,000 or more consumers annually
    • unless the personal data is controlled or processed solely for the purpose of completing a payment transaction

or

  • Deriving over 25 percent of their gross revenue from the sale of personal data, and controlling or processing the personal data of 25,000 or more consumers

What are consumer rights under the CTDPA?

Under the Connecticut Data Privacy Act (CTDPA), consumers have several rights:

  • Right to know and access: confirm whether a controller is processing their personal data and to have access to such data, with some exceptions
  • Right to correction: have inaccuracies in their collected personal data corrected, with some limitations
  • Right to deletion: have personal data that was provided by or about them deleted by the controller or processor
  • Right to data portability: obtain a portable copy of their personal data, to a technically feasible extent and with some restrictions
  • Right to opt out: of the processing of their personal data for the purposes of: sale, targeted advertising, or profiling

Companies are also prohibited from discriminating against consumers who exercise their privacy rights under the CTDPA.

What are the most important things to know about the CTDPA?

Businesses that are required to comply with the CTDPA must be transparent about their data collection and processing. They must provide clear information in privacy notices or policies, for example, about what data is collected, how it is used, who may have access to it, what users’ rights are, how users can exercise their rights, and more.

Companies also need to enable consumers to opt out of their data being sold or used for targeted advertising or profiling, and if the personal data is categorized as sensitive or belongs to a child, consent is required prior to collection and processing.

What is the CTDPA definition of personal data?

The CTDPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable individual.”

The CTDPA also distinguishes between “personal data” and “sensitive personal data”; the latter includes data from users under the age of 13, health and biometric data, geolocation data, and data about racial or ethnic origin, religious beliefs, political convictions, and sexual orientation.

What are the penalties for CTDPA noncompliance?

The Connecticut Attorney General enforces the CTDPA, and violations of the law are considered unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA). The cure period sunset at the end of 2024, so a cure period is now granted only at the Attorney General’s discretion.

Courts can impose civil penalties of up to USD 5,000 for willful violations and award actual and punitive damages, costs, and attorneys’ fees. Courts can also issue restraining orders, which could require data collection to cease. Violation of a restraining order could result in a USD 25,000 penalty.

What is CTDPA compliance software?

CTDPA compliance software enables businesses to meet the Connecticut data privacy law’s requirements, such as providing consumers with information about data processing and exercising their rights, and obtaining consent where required.
