Connecticut Data Privacy Act
Posted: March 30 2026
The Connecticut Data Privacy Act (“CTDPA”) is Connecticut's comprehensive consumer privacy law, giving residents rights over how businesses collect, use, and sell their personal data.
History
2022
Connecticut Public Act No. 22-15, also known as the Connecticut Data Privacy Act (CTDPA) was signed into law on May 10, 2022 by Governor Ned Lamont.
2023
Prior to going into effect, the CTDPA was amended by Public Act No. 23-56 to include additional protections related to consumer health data.
The CTDPA went into effect on July 1, 2023.
2025
In 2025, SB 1295 amended the CTDPA by lowering the threshold for businesses subject to the CTDPA, increasing protections for minors, requiring impact assessments for activities involving personal data that present a heightened risk of harm to consumers, and narrowing exemptions. These changes go into effect July 1, 2026 and are not covered in the following overview.
Scope
Who
The CTDPA is intended to protect personal data of consumers – residents of Connecticut who are not acting as a business or employee.1
The CTDPA applies to entities that conduct business in Connecticut or produce products or services that are targeted to residents of Connecticut and do one or more of the following2:
- control or process personal data of at least 100,000 consumers in a calendar year (excluding personal data controlled or processed solely to complete a payment transaction), or
- control or process personal data of at least 25,000 consumers and derive over 25% of gross revenue from the sale of personal data.
The CTDPA distinguishes between controllers and processors.3 A controller is an entity that alone, or jointly with others, determines the purposes and means for processing personal data.4 A processor is an entity that processes personal data on behalf of a controller.5
Processing means any operation performed on personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.6
The CTDPA imposes restrictions and obligations on the relationship between controllers and processors – requiring that processors follow instructions from the controller related to how personal data may be processed.7 Contracts between controllers and processors must include the following8:
- the types of personal data to be processed,
- instructions for processing the personal data,
- the purpose for processing the personal data,
- a duty of confidentiality, meaning the data is protected from disclosure to or access by unauthorized parties,
- an obligation to delete or return personal data upon the controller’s request,
- the ability to demonstrate compliance with the contractual requirements,
- an opportunity for the controller to object to any subcontractor,
- an obligation that any subcontractors of the processor have controls to protect personal data that are at least as protective as the obligations in the agreement between the controller and the processor, and
- the right for the controller to engage an independent third party to conduct an assessment of the processor’s technical and organizational measures related to the protection of personal data.
What
Personal Data
The CTDPA regulates how companies can collect, use, and share personal data. “Personal data” means information that is linked or reasonably linkable to an identified or identifiable person; it does not include deidentified data or publicly available information.9
Sensitive Data
The CTDPA provides additional guidance around a subcategory of personal data – sensitive data.10 Sensitive data is treated differently because misuse, loss, or unauthorized disclosure of the data can have a more significant impact on consumers than with other types of personal data. For example, this data can facilitate discrimination, financial loss, identity theft, or reputational damage.
Sensitive data includes11:
- racial or ethnic origin,
- religious beliefs,
- mental or physical health diagnosis,
- sex life,
- sexual orientation,
- citizenship or immigration status,
- consumer health data, which is personal data used to identify a consumer's physical or mental health condition or diagnosis (incl. gender-affirming health data and reproductive or sexual health data),
- genetic information,
- biometric data for the purposes of uniquely identifying an individual,
- personal data of children (someone younger than 13 years of age),
- data concerning an individual’s status as a victim of a crime, and
- precise geolocation data.
With respect to consumer health data, the CTDPA adds further protections, including prohibiting geofencing within 1,750 feet of a mental health or reproductive or sexual health facility.12
Exemptions
Exempt Entities
The CTDPA does not apply to the following entities13:
- any body, authority, board, bureau, commission, district, or agency of the State of Connecticut or of any of its political subdivisions, and persons who have entered into contracts with such entities,
- nonprofit organizations,
- higher education institutions,
- national securities associations that are registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act of 1934,
- financial institutions subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.,
- covered entities or business associates as defined in the Health Insurance Portability and Accountability Act (HIPAA),
- tribal nation government organizations, and
- air carriers as defined in 49 U.S.C. § 40102 governing aviation programs and regulated under the Federal Aviation Act of 1958 (49 U.S.C. 40101 et seq.) and the Airline Deregulation Act of 1978 (49 U.S.C. § 41713).
Exempt Data
The following types of data are exempt from the CTDPA14:
- Protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA),
- patient identifying information for the purposes of 42 U.S.C. § 290dd-2, which covers confidentiality of records related to substance abuse and mental health services,
- identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46, which governs research involving human subjects,
- identifiable private information that is collected as part of human subjects research pursuant to the “Good Clinical Practice” guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or for the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, which govern research involving human subjects,
- information and documents created for purposes of the Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.),
- patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.),
- information used for public health activities and purposes as authorized by HIPAA,
- collection, maintenance, disclosure, sale, communication, or use of personal data bearing on a consumer's credit worthiness to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.),
- personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.),
- personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g et seq.),
- personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (12 U.S.C. § 2001 et seq.),
- data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.),
- data processed or maintained for applications for employment or employment purposes, including consumer health data collected in the employment context,
- emergency contact information used for emergency contact purposes,
- data necessary to administer benefits, and
- personal data collected, processed, sold or disclosed in relation to price, route or service, as such terms are used in the Federal Aviation Act of 1958 (49 U.S.C. § 40101 et seq.) and the Airline Deregulation Act of 1978 (49 U.S.C. § 41713).
Deidentified Data
The CTDPA includes an exemption for deidentified data.15
Deidentified data is data that cannot reasonably be used to infer information about or be linked to an identified individual or a device linked to such individual.16 Controllers processing deidentified data must17:
- take reasonable measures to ensure that the data is deidentified and cannot be linked to an individual,
- publicly commit to not attempt to reidentify the data, and
- contractually obligate recipients to not attempt to reidentify the data.
Publicly Available Data
The CTDPA does not apply to publicly available information.18 Publicly available information is information that is19:
- lawfully made available through government records or widely distributed media, or
- lawfully made available to the general public by an individual.
Pseudonymous Data
Pseudonymous data is data that cannot be attributed to a specific individual without the use of additional information that is maintained separately.20 Where the controller is able to demonstrate that any information necessary to identify the individual is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information, the controller is not required to grant the individual rights to access, deletion or control over the individual’s data.21
Rights
Consumers have several rights under the CTDPA22:
- Right to Know,
- Right to Correct,
- Right to Delete,
- Right to Opt-Out,
- Right to Opt-In to the Processing of Sensitive Data,
- Right to Not Be Discriminated Against, and
- Minors’ Rights.
Right to Know
Consumers have the right to know whether a controller is processing their personal data and what personal data is being processed about them.23 This includes the right to obtain a copy of their data in a format that is portable such that the consumer can transmit the data to another controller.24
Additionally, this right is embodied in the various disclosures that businesses must make in their privacy notice. The notice must include25:
- the categories of personal data processed by the controller,
- the purpose for processing personal data,
- how consumers can exercise their rights,
- the categories of personal data that the controller shares with third parties,
- the categories of third parties with whom the controller shares personal data, and
- an email address or other online mechanism the consumer can use to contact the controller.
Right to Correct
Consumers have the right to request that a controller correct inaccuracies in the consumer’s personal data.26
Right to Delete
Consumers have the right to request that a controller delete any personal data provided by the consumer or obtained about the consumer.27
Right to Opt Out
Consumers have the right to opt out of a controller processing their personal data for the purpose of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.28
Targeted advertising is when a controller displays advertisements to a consumer where the advertisements are selected based on the consumer’s personal data that has been obtained over time and from across nonaffiliated websites or online applications and is used to predict the consumer's preferences or interests.29 Targeted advertising does not include30:
- advertisements based on activities within a controller's own websites or online applications,
- advertisements based on the context of a consumer's current search query or current visit to a website or online application,
- advertisements directed to a consumer in response to the consumer's request for information or feedback, or
- personal data processed solely for measuring or reporting advertising performance.
Sale of data occurs when a controller exchanges personal data with a third party for money or other economic value.31 Sale does not include32:
- the disclosure of personal data to a processor that processes the personal data on behalf of the controller,
- the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer,
- the disclosure or transfer of personal data to an affiliate of the controller or that is made as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets,
- the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party, or
- the disclosure of information that the consumer intentionally made available to the general public.
Profiling is when a controller uses automated processing on personal data to evaluate, analyze, or predict personal aspects related to a consumer’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.33
Right to Opt In for Sensitive Data
Controllers may not process sensitive data without obtaining consent from the consumer.34 Accordingly, the consumer has the right to not have their sensitive data processed unless they have opted into such processing.35
Consent must be:36
- freely given, meaning the consent is given voluntarily,
- specific, meaning the consent is given for a clearly defined purpose,
- informed, meaning the data subject is provided an explanation of how the data will be processed, and
- unambiguous, meaning it is clear the data subject has consented (e.g., by clicking “I agree”).
Consent does not include acceptance of general or broad terms of use, hovering over, muting, pausing, or closing a piece of content, or agreement obtained through the use of dark patterns.
Notably, this opt-in approach for sensitive data gives Connecticut consumers stronger protections than California’s opt-out framework by requiring affirmative approval from consumers before collecting sensitive data.
Right to Not Be Discriminated Against
Consumers have the right for their personal data to not be processed in violation of state and federal laws that prohibit unlawful discrimination.37 Consumers also have the right to not be discriminated against by a controller for exercising their consumer rights.38 A controller cannot deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of goods and services to the consumer because that consumer exercised their CTDPA rights.39
However, the CTDPA does not prevent a controller from offering different prices, rates, levels, qualities, or selections of goods or services if such difference is unrelated to the consumer’s assertion of their consumer rights.40
Minors’ Rights
Controllers may not use a minor’s personal data (a minor being a consumer younger than 18 years of age) without consent of the minor or their legal guardian for the following purposes41:
- targeted advertising,
- sale of personal data, and
- profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Controllers must also not42:
- use system design features to increase or extend the minor’s use of such service or application unless such service or application is used under the direction of an educational entity, and
- collect precise geolocation data unless such data is necessary to provide the service, in which case such data may only be collected for the time needed to provide the service and there is a signal indicating that the controller is collecting precise geolocation data.
A minor or their legal guardian may request that a social media platform unpublish or delete the minor’s social media platform account.43 Social media platforms must unpublish such accounts within 15 business days of the request or delete the account within 45 business days of the request.44
Exercising Rights
A consumer may exercise their rights to know, correct, delete, or opt out under the CTDPA by submitting a request to the controller that specifies the right they wish to invoke.45 Consumers may also designate another person, an authorized agent, to exercise the opt-out right on their behalf.46
Within the controller’s privacy notice, the controller must describe one or more means by which a consumer can submit a request to exercise their consumer rights.47 This mechanism cannot require the creation of a new account to exercise the consumer’s rights.48
A controller must respond to the consumer’s request within 45 days of receipt and may request additional information needed to authenticate the consumer and their request.49 If reasonably necessary due to the complexity or quantity of consumer requests, the controller may extend their response period by 45 days so long as the controller notifies the consumer within the initial 45-day period of such extension and provides a reason for the extension.50
Furthermore, a controller must provide information in response to a consumer request free of charge, up to one time per year.51 If a consumer’s requests are unfounded, excessive, or repetitive, the controller may charge a reasonable administrative fee or refuse to act on the request.52 A controller may also refuse the request if they cannot reasonably authenticate the consumer.53
Controllers must establish an appeals process for a consumer to appeal any refusal by the controller to take action on a request.54
Enforcement
The Attorney General of Connecticut has sole authority to enforce the provisions of the CTDPA; there is no private right of action.55 Violations constitute an unfair trade practice as defined by the Connecticut Unfair Trade Practices Act.56 Under the Connecticut Unfair Trade Practices Act, the Attorney General may seek civil penalties of up to $5,000 per willful violation, injunctive relief, restitution, and/or disgorgement.57
The Attorney General may determine whether to grant a controller a cure period based on the number of violations, the size and complexity of the controller, the nature of the processing, the likelihood of injury to the public, impacts to the safety of persons or property, whether the violation was the result of human or technical error, and the sensitivity of the data.58
On July 8, 2025, the Connecticut Attorney General announced the first public enforcement of the CTDPA, against TicketNetwork, Inc., related to a privacy notice that did not contain sufficient mechanisms for consumers to exercise their rights. TicketNetwork agreed to pay $85,000, comply with the CTDPA, and maintain metrics related to consumer rights requests.
Notes
- Conn. Gen. Stat. § 42-515(8). ↩
- Conn. Gen. Stat. § 42-516. ↩
- Conn. Gen. Stat. § 42-515(11), (29). ↩
- Conn. Gen. Stat. § 42-515(11). ↩
- Conn. Gen. Stat. § 42-515(29). ↩
- Conn. Gen. Stat. § 42-515(28). ↩
- Conn. Gen. Stat. § 42-521(a). ↩
- Conn. Gen. Stat. § 42-521(b). ↩
- Conn. Gen. Stat. § 42-515(26). ↩
- Conn. Gen. Stat. § 42-515(38). ↩
- Id. ↩
- Conn. Gen. Stat. § 42-526(a)(1)(C). ↩
- Conn. Gen. Stat. § 42-517(a). ↩
- Conn. Gen. Stat. § 42-517(b). ↩
- Conn. Gen. Stat. § 42-515(26). ↩
- Conn. Gen. Stat. § 42-515(16). ↩
- Conn. Gen. Stat. § 42-523(a). ↩
- Conn. Gen. Stat. § 42-515(26). ↩
- Conn. Gen. Stat. § 42-515(33). ↩
- Conn. Gen. Stat. § 42-515(32). ↩
- Conn. Gen. Stat. § 42-523(c), (d). ↩
- Conn. Gen. Stat. §§ 42-518(a), 42-520(a)(5),(a)(7), 42-528(b)(1)-(2). ↩
- Conn. Gen. Stat. § 42-518(a)(1). ↩
- Conn. Gen. Stat. § 42-518(a)(4). ↩
- Conn. Gen. Stat. § 42-520(c). ↩
- Conn. Gen. Stat. § 42-518(a)(2). ↩
- Conn. Gen. Stat. § 42-518(a)(3). ↩
- Conn. Gen. Stat. § 42-518(a)(5). ↩
- Conn. Gen. Stat. § 42-515(39). ↩
- Id. ↩
- Conn. Gen. Stat. § 42-515(37). ↩
- Id. ↩
- Conn. Gen. Stat. § 42-515(30). ↩
- Conn. Gen. Stat. § 42-520(a)(4). ↩
- Id. ↩
- Conn. Gen. Stat. § 42-515(7). ↩
- Conn. Gen. Stat. § 42-520(a)(5). ↩
- Conn. Gen. Stat. § 42-520(a)(7). ↩
- Id. ↩
- Conn. Gen. Stat. § 42-520(b). ↩
- Conn. Gen. Stat. § 42-529a(b)(1). ↩
- Id. ↩
- Conn. Gen. Stat. § 42-528(b)(1). ↩
- Id. ↩
- Conn. Gen. Stat. § 42-518(b). ↩
- Id. ↩
- Conn. Gen. Stat. § 42-520(c). ↩
- Conn. Gen. Stat. § 42-520(e)(1). ↩
- Conn. Gen. Stat. § 42-518(c)(1). ↩
- Id. ↩
- Conn. Gen. Stat. § 42-518(c)(3). ↩
- Id. ↩
- Conn. Gen. Stat. § 42-518(c)(4). ↩
- Conn. Gen. Stat. § 42-518(d). ↩
- Conn. Gen. Stat. § 42-525(a). ↩
- Conn. Gen. Stat. § 42-525(e). ↩
- Conn. Gen. Stat. §§ 42-110m to 42-110p. ↩
- Conn. Gen. Stat. § 42-525(c). ↩