CTDPA

Connecticut Data Privacy Act

Connecticut Office of the Attorney General

Connecticut privacy law granting consumer rights, requiring data protection assessments, and honoring opt-out signals, as amended by Public Act No. 25-113.

6Citations
0Audited
6Reference only
Jun 2025Last amended
Official source ↗Effective July 1, 2023
§ 42-515Reference

Definitions

Establishes key definitions under the Connecticut Data Privacy Act, including controller, processor, consumer, personal data, and consent, as amended by Public Act No. 25-113.

ScopeSensitive PI
§ 42-516Reference

Applicability

Applies to entities conducting business in Connecticut or targeting Connecticut residents that meet any one of three independent triggers. Under Public Act No. 25-113 (signed June 24, 2025, effective July 1, 2026), the prior 100,000/25,000-consumer thresholds are replaced by: (1) processing the personal data of at least 35,000 consumers; (2) controlling or processing consumers' sensitive data in any amount, with no consumer-count floor; or (3) offering consumers' personal data for sale in trade or commerce, also with no consumer-count floor. A business can therefore fall in scope solely by touching sensitive data or selling personal data, regardless of how many consumers' records it processes.

Scope
§ 42-518Reference

Consumer Rights

Grants consumers rights to access, correct, delete, and obtain a portable copy of personal data. Mandates honoring technical universal opt-out signals (like GPC) since January 1, 2025.

Consumer RightsOpt-OutGPC
§ 42-520Reference

Duties of Controllers

Requires data minimization, security safeguards, detailed privacy notices, and explicit consent for processing sensitive data. Also includes requirements for revoking consent.

Privacy PolicyData CollectionConsentSensitive PI
§ 42-522Reference

Data Protection Assessments

Requires controllers to conduct and document data protection assessments for activities that present a heightened risk of harm, such as targeted advertising, sale of personal data, and profiling.

Data Protection AssessmentOpt-Out
§ 42-525Reference

Enforcement and Penalties

Vests enforcement authority exclusively in the Connecticut Attorney General. Rejects a private right of action, and specifies investigative procedures and cure periods.

Enforcement

Stop Guessing. Start Knowing.

Find out exactly where your website stands before a regulator does.

Get My Compliance Audit