Understanding Connecticut’s Data Privacy Act (CTDPA) — Updated for 2025

On May 10, 2022, Connecticut enacted SB 6 (Public Act 22-15), the Connecticut Data Privacy Act (CTDPA). The law officially took effect on July 1, 2023, granting Connecticut residents new privacy rights and imposing obligations on businesses.

In June 2025, Connecticut enacted SB 1295, which expands and clarifies CTDPA’s scope, obligations, and enforcement. Many of these changes will take effect July 1, 2026.

This guide provides an up-to-date overview of CTDPA’s applicability, exemptions, consumer rights, compliance requirements, and enforcement.

Applicability

Current (2023–2025)

The CTDPA applies to entities conducting business in Connecticut or targeting Connecticut residents that, during the prior year:

  • Controlled or processed personal data of ≥ 100,000 consumers (excluding data processed solely for payment transactions), or

  • Controlled or processed personal data of ≥ 25,000 consumers and derived > 25% of gross revenue from the sale of personal data. 

It also applies to processors acting on behalf of controllers, and to Consumer Health Data Controllers regardless of size.

Expanded Scope (Effective July 1, 2026, SB 1295)

  • Threshold reduced to ≥ 35,000 consumers.

  • Entities processing sensitive data are covered, even below thresholds (excluding payment-only data).

  • Entities that sell personal data are covered regardless of consumer count.

  • The GLBA exemption shifts from entity-level to data-level. 

Exemptions and Coverage Exceptions

  • Exempt entities: state/local governments, nonprofits (except when processing consumer health data), higher education institutions, HIPAA-covered entities, and certain financial/securities institutions.

  • Exempt data: de-identified data and publicly available information (though the definition of “publicly available” is narrowed under SB 1295). 

  • Coverage excludes data processed in a commercial or employment context.

Children and Minors

  • Controllers must comply with COPPA for children under 13.

  • For under-16: opt-in consent required for sale or targeted advertising. 

  • Under SB 1295: targeted advertising to minors under 18 is prohibited.

Sensitive and Health Data

  • Explicit opt-in consent required before processing sensitive data (health, biometric, genetic, immigration status, sexual orientation, etc.).

  • Consumer health data (including reproductive and gender-affirming care data) has additional protections.

  • Geofencing around health facilities is restricted. 

Consumer Rights

Connecticut residents may:

  • Access personal data collected about them.

  • Correct inaccuracies.

  • Delete personal data (including from third parties).

  • Port their data in a usable format.

  • Opt out of:

    1. Sale of personal data

    2. Targeted advertising

    3. Profiling leading to legal or similarly significant effects

New / Expanded Rights

  • As of January 1, 2025, businesses must recognize universal opt-out preference signals (e.g. Global Privacy Control). 

  • Under SB 1295 (2026): consumers gain the right to contest automated decision-making and profiling outcomes.

Compliance Requirements

To comply with CTDPA, businesses should:

  1. Determine coverage — assess thresholds, sensitive data, or sale of data.

  2. Data governance — establish privacy policies, training, and oversight.

  3. Transparency — publish clear privacy notices describing collection, purposes, sharing, and consumer rights.

  4. Consent management — obtain opt-in consent for sensitive and health data; allow easy revocation within 15 days.

  5. Data minimization and retention — collect only what’s necessary, retain only as long as needed.

  6. Data protection assessments — required for high-risk processing (sale, targeted advertising, profiling, sensitive data). Expanded under SB 1295 to cover AI and automated decision-making. 

  7. Rights handling — respond to requests within 45 days (extendable once), provide appeals within 60 days. 

  8. Universal opt-out signals — required starting January 2025.

  9. Ban dark patterns — opt-outs must be as accessible as opt-ins. 

  10. Processor contracts — written agreements with processors must reflect CTDPA obligations.

  11. Security measures — implement reasonable safeguards (technical, physical, administrative).

Enforcement and Penalties

  • The Connecticut Attorney General enforces CTDPA exclusively. 

  • Penalties: up to $5,000 per willful violation, plus restitution, disgorgement, and injunctive relief under CUTPA.

  • Cure period: businesses had 60 days to cure violations until December 31, 2024. This right has now expired.

  • Since January 1, 2025, the AG may bring enforcement actions without a cure notice.

  • First fine issued: In 2025, TicketNetwork was fined $85,000 for CTDPA violations, marking the start of active enforcement. 

  • AG focus areas: privacy notices, opt-out mechanisms, cookie banners, dark patterns, and sensitive data protections. 

Key Dates at a Glance

  • July 1, 2023 — CTDPA effective date.

  • October 1, 2023 — Consent required for sensitive health data; geofencing ban begins.

  • July 1, 2024 — Social media platforms must provide minors/guardians account deletion tools.

  • Dec 31, 2024 — Cure period ends.

  • Jan 1, 2025 — Universal opt-out mechanisms required; AG may fine without cure.

  • July 1, 2026 — Expanded applicability (35,000 threshold, sensitive data, sale triggers) and additional SB 1295 amendments take effect.

Bottom line: The CTDPA is one of the strictest state privacy laws, and enforcement is already underway. Businesses should immediately comply with universal opt-out signals and prepare for expanded applicability and profiling rules in 2026.
