Connecticut Data Privacy Act (CTDPA) signed into law

The CTDPA makes Connecticut the 5th state in the US to pass a comprehensive state privacy law

Alexis Kateifides, Senior Counsel of Excellence, Counsel
May 2, 2022

Green gradient graphic

Connecticut is the 5th state in the US to pass a comprehensive privacy law. With the signature from Governor Ned Lamont for final approval complete, it will take effect on July 1st, 2023. 

The law is referred to as the Connecticut Data Privacy Act, or CTDPA.

Who does the CTDPA affect?

Like other state privacy laws, Connecticut’s law will cover the following businesses that:

  • Conduct business in the state or sell products/services to residents of the state 


  • Control/process the data of 100,000 customers (excludes personal data controlled/processed solely to complete a transaction)


  • Control/process the data of 25,000 or more customers and derive over 25% of their gross revenue from the sale of personal data

What consumer rights are laid out by the CTDPA?

The CTDPA gives consumers the right to access, correction, deletion, data portability, and opt-out for targeted advertising, the sale of personal data, and automated decision-making profiling. 

It also has a provision that allows businesses 45 days to respond to these consumer data requests.

What are the consent/opt-out rules under the CTDPA?

Connecticut’s privacy act requires controllers to obtain consent for processing sensitive data. It also defines certain limitations around when companies may reject consumer requests to opt out of data sales, targeted advertising, and profiling. The CTDPA defines “sales” like California and Colorado’s laws (monetary or other valuable consideration), thus covering a broader scope than the sale definitions for Virginia and Utah. 

Regarding opt-out, the CTDPA has a requirement to recognize ‘global’ signals exercising opt-out rights in relation to targeted ads and sales by January 1st, 2025. This means that from the beginning of 2025, businesses will have to put opt-out signals in place.

What does the CTDPA specify regarding privacy notices?

The CTDPA makes it mandatory for data controllers to provide privacy notices in a clear, conspicuous manner, and include ways in which the consumer can opt-out. Requirements around details need to be included as well, such as the categories of personal data processed and the purposes for the processing. 

Along with the specifications above, businesses must provide a link on their website for customers to opt-out of targeted advertising. 

How should security and vendors be managed under the CTDPA?

Businesses must establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at hand. 

Contracts need to be in place with processors and vendors who process data on behalf of controllers. 

How does the CTDPA deal with assessments?

Controllers must conduct and document a data protection assessment for each of their processing activities that carries a higher risk of harm to consumers, for example targeted advertising. 

In cases where the risk posed is significant, the Attorney General may request the assessment to be disclosed. 

What are the data mapping requirements under the CTDPA?

Data collection and minimization principles and practices are laid out for businesses to follow under the CTDPA. There are also requirements around de-identified data, as well as clear definitions around biometric data. It differs from other state laws in its definitions of what does not constitute biometric data, namely: digital or physical photography, or an audio or video recording unless such data is generated to identify a specific individual.

What does the CTDPA cover regarding children’s data?

Controllers must obtain parental consent for the collection of personal data from a child under the age of 13 years. 

It also states that controllers shall not “process the personal data of a consumer for targeted advertising or sell their personal data without consent, under circumstances where a controller has the knowledge, but willfully disregards that the consumer is at least 13 years of age but younger than 16 years of age.” 

What does this mean for your business?

With the CTDPA introducing a similar set of consumer rights, consent rules, and other data protection stipulations to California and Colorado, businesses will at least have a blueprint this time around for compliance set by these previous state privacy laws. 

The CTDPA provides a right to cure violations which will sunset on December 31, 2024. After the sunset period is over, the state will then begin enforcement actions with appropriate circumstances. The possibility of a multistate enforcement body is also something that businesses should keep in mind when keeping their data policies and practices compliant. 

The important dates to keep in mind regarding the CTDPA are July 1, 2023, December 31, 2024, and January 1, 2025, as the introduction of the law, the last date to fix violations in data practices, and the beginning of mandatory consent and opt-out requirements. 

For more information on the CTDPA and other US state privacy laws, visit OneTrust’s DataGuidance

You may also like


Responsible AI

Unpacking the EU AI Act

Prepare your business for EU AI Act and other AI regulations with this expert webinar. We explore the Act's key points and requirements, building an AI compliance program, and staying ahead of the rapidly changing AI regulatory landscape.

July 12, 2023

Learn more


Consent & Preferences

Live demo: How to automate consent and preference management with OneTrust

In this webinar, we demonstrate how OneTrust Consent and Preferences helps build stronger customer relationships by providing transparency, giving users control over their data use, and delivering personalized experiences.

June 29, 2023

Learn more


Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more