Connecticut Data Privacy Act

The Connecticut Data Privacy Act (CTDPA) took effect on July 1, 2023, and follows the structure of the Washington Privacy Act model. The law has undergone several amendments since going into effect, including additional protections for children’s data and “consumer health data,” adjustments to applicability thresholds, and changes to definitions.

Note: The information below contains obligations included in amendments that go into effect July 1, 2026 (majority of amendments) and August 1, 2026 (Impact Assessments) respectively.

Schedule a Free Consultation

What you need to know about the CTDPA:

To Whom Does the CTDPA Apply?

The CTDPA applies to for-profit entities that:

  1. Conduct business or provide products or services to residents of Connecticut (consumers), and
  2. Controls or processes the PI of:
    • 35,000 residents annually, excluding data solely used for completing payment transactions; or
    • ANY amount of sensitive personal information excluding that used solely used for payment transactions; or
    • Offers ANY amount of personal information for sale.
When Does the CTDPA NOT Apply?

Exempt Entities include:

  • Non-profits;
  • State government entities;
  • Higher Education Institutions;
  • HIPAA covered entities and business associates;
  • Tribal nation governments;
  • Air Carriers;
  • National securities associations that are registered under the SEC Act;
  • The following types of organizations that meet specific criteria:
    • Insurers and affiliates
    • Credit unions and affiliates
    • Entities regulated by certain banking regulators.

Exempt Data: The CTDPA exempts many different types of data from coverage under the law. Below is a list of some of the more commonly held data types that are exempt under the law.

  • Protected Health Information under HIPAA;
  • Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
  • Various forms of credit data regulated by the Fair Credit Reporting Act; and
  • Data covered by a wide variety of other federal laws including Gramm-Leach-Bliley Act (GLBA), Family Educational Rights and Privacy Act (FERPA), Farm Credit Act, and Driver’s Privacy Protection Act (DPPA).

Exempt Use Cases: The CTDPA is not applicable in some circumstances, such as:

  • Processing PI in an employment or commercial (B2B) context;
  • Processing PI for emergency contact purposes; and
  • Processing PI of another individual in relation to the provision of benefits.
  • Processing PI for certain political activities.

Additionally, CTDPA specifies that its law should not be construed to restrict a business’s collection, use, or retention of PI for:

  • Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
  • Product recalls;
  • Identifying and repairing technical errors that impair existing or intended functionality; and
  • Performing internal operations.

Key Components of Connecticut’s Data Privacy Law

What Constitutes Personal Information Under CTDPA?

The CTDPA covers “personal data,” also called personal information or PI, which Connecticut defines as any information that is linked or reasonably linkable to an identified or identifiable individual. “PI” does not include de-identified data or publicly available information.

What Constitutes Sensitive Data?

CTDPA’s definition of sensitive PI consists of:

  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical condition or diagnosis;
  • Disability or treatment information;
  • Sex life or sexual orientation;
  • Status as non-binary or transgender;
  • Consumer health data;
  • Citizenship or immigration status;
  • Government issued identification;
  • Financial account number, login information, security information;
  • PI collected from a known child;
  • Precise geolocation data;
  • Data concerning an individual’s status as a victim of crime;
  • Neural data; and
  • Genetic or biometric data or information derived therefrom.
Any Other Categories of Data I Should Think About?

De-identified or Pseudonymous Data: Where a controller processes de-identified data, the CTDPA requires it to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without an attempt to re-identify it; and contractually obligate any recipients of the data to comply with the CTDPA.

Additionally, the CTDPA exempts pseudonymous data from access, correction, portability, and deletion rights requests where the controller can show it keeps information that would allow the data to be re-identified separate and subject to technical and organizational controls that prevent its use for re-identification.

Consumer Health Data: Introduced in the June 2023 amendments, processing consumer health data brings a variety of new requirements including the need for consent to sell or offer to sell this type of data; bans on geofences and certain types of targeted advertising near certain mental/sexual/reproductive health facilities; confidentiality rules regarding processing this type of data; and more.

Minors (under 18):  Rules regarding the PI of minors (u18) were strengthened with the 2023 and 2025 amendments to the CTDPA. The 2025 amendments prohibit targeted advertising, processing for non-disclosed purpose/those that are not reasonably necessary, selling minors’ personal information, and collecting their precise geolocation information unless strictly necessary.

Businesses also must obtain consent for automated decision-making or profiling in furtherance of legal or similarly significant decisions concerning the provision or denial of some essential goods and services (e.g., housing, education, money, health unless reasonably necessary.  The law also prohibits social media platforms’ use of systems intended to “significantly increase” minors’ use of an online service, product, or feature, and requires safeguards for direct messaging services to protect minors from being contacted by adults.

It also requires data protection assessments and impact assessments (a new type of assessment) for certain processing of minor’s PI such as any profiling or processing that represent a heightened risk of harm.

Is Consent Needed to Process Sensitive Data?

In a word: Yes!

Is Consent Needed for Any Other Processing?

Parental consent is required to process PI about a known child (under 13) in accordance with COPPA. The consent of the minor person is required for minors under 18 for several processing activities; however, the 2025 amendments prohibit any unnecessary profiling, collection of precise geolocation data and any sale of minors’ personal information.

Consent is required prior to processing or selling consumer health data as well as sensitive personal information.

Consent is also required for secondary use of information that is not necessary or compatible with the purpose for collection and hasn’t been noticed to the consumer. This includes for materially new purposes that are neither reasonably necessary for, nor compatible with, the purposes originally disclosed to the consumer.

What Needs to be Included in the Privacy Notice?

Under the CTDPA, a privacy notice must include (among other requirements):

  • Categories of PI processed;
  • Business purpose for processing PI;
  • Privacy rights available to consumers;
  • Whether personal information is sold or used for targeted advertising;
  • Methods for a consumer to exercise their privacy rights (see below) and appeal a rights decision;
  • Categories of PI shared with third parties;
  • Whether personal information is used or shared for training large language models;
  • Categories of third parties with which PI is shared;
  • An active electronic mail address or other online contact mechanism; and
  • Month and year of latest update.
What Constitutes “Sale” of PI?

Connecticut defines “sale” as an exchange of PI for monetary or other valuable consideration by the controller to a third party.

There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, the disclosure of PI to an affiliate, disclosure of PI intentionally made public, and the disclosure of PI as part of a merger or bankruptcy.

How Will the CTDPA Be Enforced?

The Connecticut attorney general (AG) has sole enforcement authority over the CTDPA. Under the CTDPA the AG may bring an enforcement action after providing a 60-day notice and an opportunity for the business to cure the alleged violation(s). The cure period ended December 31, 2024, at which time the AG now has discretion over whether to grant an opportunity to cure based on statutorily defined factors. Penalties may include injunctive relief (the company must stop certain behaviors) and/or civil penalties, with fines up to $5,000 as determined by the CT Unfair Trade Practices Act.

Privacy Rights

 

If CTDPA applies to your business, you must provide the following privacy rights to consumers:

  • Right to know whether a business is processing your PI, including whether a business is making inferences based on PI or using PI for profiling in furtherance of legal or similarly significant decisions;
  • Right to access PI, including the right to obtain a list of third parties with which the business has shared a consumer’s PI or that of anyone’s PI if it doesn’t maintain a specific list as it relates to the requesting consumer;
  • Added rights to question results of decisions based on profiling; know why the profiling resulted in a decision; review PI involved in decision; allow corrections to PI that led to decision when related to housing and get reevaluation.
  • Right to correct inaccuracies in PI;
  • Right to delete PI about them;
  • Right to obtain a copy of PI (data portability); and
    • Right to opt out of the sale of PI, processing for targeted advertising, or profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.

The CTDPA requires that businesses respond to privacy rights requests within 45 days of receipt of the request, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge once every 12 months. Businesses may deny a rights request in certain circumstances, including inability to verify the identity of a requestor. When a business denies a request, the business must notify the consumer within the 45-day timeframe and provide the reason for the denial as well as instructions for how to appeal the decision.

The appeals process must be conspicuously available to consumers and similar to the process for submitting an initial privacy rights request. Businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must provide the consumer with an online method to file a complaint with the AG.

 

Universal Opt Out

 

Connecticut requires that controllers recognize universal opt-out signals. Universal opt-out, or global privacy control, is a technical standard that enables users to automatically communicate their privacy preferences, such as opting out of the sale of their PI, to websites through their web browser or other technologies.

 

 

The CTDPA requires that covered organizations conduct data protection impact assessments, or privacy impact assessments (PIAs), for certain high-risk processing.

Connecticut requires assessments for processing that presents a heightened risk of harm, specifically including:

  • Processing for targeted advertising;
  • Processing sensitive PI;
  • Selling PI;
  • Processing for the purposes of profiling if it presents a ‘reasonably foreseeable risk’ of:
  • Unfair or deceptive treatment or unlawful disparate impact on consumers;
  • Financial, physical or reputational injury to consumers;
  • Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, which would be offensive to a reasonable person; or
  • Other substantial injury.

The 2025 amendments to the CTDPA introduced a new assessment called the Impact Assessment, which goes into effect August 1, 2026, and is required for the specific high-risk processing activity of profiling for Automated Decision-Making that produces any legal or similar significant effect. Additionally, any service, product, or feature, that is offered to minors (u18) and engages in profiling, regardless of the legal or similar effects to the minor by the profiling, the Controller must conduct an Impact Assessment.

 

Vendor Contracts

 

The CTDPA requires that organizations have a contract in place with vendors that dictates obligations with respect to processing PI. Contracts must include:

  • Instructions for processing PI;
  • The nature and purpose of processing;
  • Type of data that is subject to processing;
  • The duration of processing;
  • A duty of confidentiality for individuals who process the PI;
  • Obligation to delete or return all PI at the controller’s direction or when it has completed the services, unless retention of the PI is required by law;
  • Obligation to make available all information necessary to demonstrate the vendor’s compliance with its obligations;
  • Compliance with audits by the controller or independent auditor and to provide a report of the assessment to the controller; Provide the opportunity for the controller to object to any sub-processors;
  • And pass along the same obligations to any subcontractors in a written contract.

 

Data Minimization

 

The CTDPA limits the collection of PI “to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.” Where processing is not necessary or compatible with the purpose for collection, organizations must obtain consumers’ consent for the processing.

Data Privacy is Just Good Business

Managing privacy compliance with all these new state privacy laws popping up in the U.S., might seem like a daunting task. But just because the task appears daunting, it doesn’t mean that it’s impossible to handle.

You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.

Book a Free Consultation