Privacy Guide · April 15, 2026 · 7 min read

Privacy Laws in Connecticut: What You Need to Know

By Sarah Chen

Head of Privacy Research

Connecticut is among the growing number of states that have enacted comprehensive consumer privacy legislation, and its law includes several forward-thinking provisions that set it apart. The Connecticut Data Privacy Act (CTDPA) gives residents meaningful control over how businesses collect, use, and share their personal information. Here is what you need to know about your privacy rights under state law.

What Is the Connecticut Data Privacy Act (CTDPA)?

The CTDPA was signed into law in May 2022 and took effect on July 1, 2023. Connecticut became the fifth state in the nation to enact a comprehensive consumer privacy law, following California, Virginia, Colorado, and Utah. The law draws on frameworks established by Virginia and Colorado but includes several provisions that make it notably stronger, particularly around universal opt-out mechanisms.

The CTDPA applies to businesses that conduct business in Connecticut or produce products or services targeted at Connecticut residents and meet at least one of the following thresholds during the prior calendar year:

  • Controlled or processed the personal data of 100,000 or more consumers, excluding data processed solely to complete a payment transaction, or
  • Controlled or processed the personal data of 25,000 or more consumers while deriving more than 25% of gross revenue from the sale of personal data.

Unlike California's CCPA, there is no standalone revenue threshold. The law focuses on the volume of data a business handles and how much of its revenue depends on selling that data.

Your Rights Under the CTDPA

Connecticut residents have a robust set of rights when it comes to their personal data:

Right to Access

You can confirm whether a business is processing your personal data and obtain a copy of that data.

Right to Correct

If a business holds inaccurate personal data about you, you can request that they correct the errors.

Right to Delete

You can request that a business delete the personal data it has collected from you or about you, unless an exemption applies.

Right to Data Portability

You can obtain a copy of your personal data in a portable, readily usable format, making it easier to switch providers.

Right to Opt Out

The CTDPA gives you the right to opt out of three specific types of data processing:

  • Targeted advertising — advertising based on personal data collected from your activities across different websites, apps, and online services.
  • Sale of personal data — the exchange of your personal data for monetary consideration to third parties.
  • Profiling — automated processing of your data that produces legal or similarly significant effects on you.

Connecticut Leads on Universal Opt-Out Recognition

Connecticut was one of the first states to require businesses to honor universal opt-out mechanisms such as Global Privacy Control (GPC). As of January 1, 2025, all covered businesses must recognize browser-based opt-out signals. Enable GPC in a supported browser like Firefox, Brave, or DuckDuckGo, or install a GPC extension in Chrome, and you automatically opt out of data sales and targeted advertising across every covered site you visit.

Sensitive Data Requires Opt-In Consent

The CTDPA classifies certain categories of personal data as sensitive and requires businesses to obtain your affirmative, opt-in consent before collecting or processing them. Sensitive data includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Health conditions or diagnoses
  • Sexual orientation or sex life
  • Citizenship or immigration status
  • Genetic data
  • Biometric data used for identification purposes
  • Precise geolocation data
  • Personal data of a known child under 13

Businesses cannot silently collect your biometric scans, health information, or children's data. They must receive a clear affirmative response before processing any of these categories.

Enforcement: Attorney General Authority Only

The CTDPA does not include a private right of action. Individual consumers cannot sue businesses directly for violations. Enforcement authority rests exclusively with the Connecticut Attorney General.

Originally, the law required the AG to provide a 60-day cure period before taking enforcement action. However, this provision was set to sunset on December 31, 2024. With the cure period expired, the AG now has discretion to pursue enforcement immediately upon discovering a violation.

Penalties Can Add Up Quickly

Violations of the CTDPA are treated as unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA). Each individual violation can result in civil penalties of up to $5,000. Because violations are assessed per incident, a company that systematically mishandles consumer data across thousands of records could face substantial aggregate penalties. If you believe a business has violated your rights, file a complaint with the Connecticut Attorney General's office.

Who Is Exempt from the CTDPA?

The CTDPA includes exemptions for organizations already regulated under other frameworks:

  • HIPAA-covered entities — healthcare providers, health plans, and healthcare clearinghouses.
  • Financial institutions — entities governed by the Gramm-Leach-Bliley Act (GLBA).
  • Nonprofits — nonprofit organizations are not covered.
  • Higher education institutions — colleges and universities are exempt.
  • Government entities — state and local government bodies fall outside the law's scope.

Note that exemptions can be entity-level or data-level, so a company partly covered by GLBA may still need to comply with the CTDPA for processing activities outside GLBA's scope.

How the CTDPA Compares to Other State Privacy Laws

Connecticut's law shares its structural framework with Virginia and Colorado but includes several distinguishing provisions:

  • Universal opt-out requirement: Connecticut was among the first states to mandate recognition of Global Privacy Control signals, alongside Colorado. Virginia's VCDPA does not include this requirement.
  • Lower revenue threshold for sellers: The CTDPA requires only 25% of revenue from data sales to trigger coverage, compared to Virginia's 50% threshold.
  • No private right of action: Like Virginia and Colorado, Connecticut relies solely on AG enforcement. California's CCPA, by contrast, allows consumers to sue for certain data breaches.
  • Cure period sunset: Connecticut's 60-day cure period was designed to expire, giving the AG more enforcement flexibility over time. Some other states maintain a permanent cure period.
  • Sensitive data consent model: Like Virginia and Colorado, Connecticut requires opt-in consent for sensitive data. California allows businesses to process sensitive data until the consumer opts out.

How to Exercise Your CTDPA Rights

If you are a Connecticut resident and want to take control of your personal data, here is how to get started:

  1. Enable Global Privacy Control. Install a GPC-supported browser or extension to automatically send opt-out signals to every website you visit.
  2. Submit requests directly to businesses. Look for a "Privacy" or "Your Privacy Choices" link in a company's website footer. Most covered businesses provide a web form, email address, or toll-free number for access, correction, deletion, and opt-out requests.
  3. Keep records. Document when you submitted each request and to which company. Businesses must respond within 45 days, with a possible 45-day extension.
  4. Appeal denials. If a business denies your request, you have the right to appeal. If the appeal is unsuccessful, file a complaint with the Connecticut Attorney General.
  5. Use PrivacyOn to handle data brokers. Your CTDPA rights let you go directly to companies you interact with, but hundreds of data brokers also publish your name, address, phone number, and family details without your knowledge. PrivacyOn automates removal requests across more than 100 data broker sites, continuously monitors for your information reappearing, and re-files removals whenever it does.

Why the CTDPA Matters

Connecticut's Data Privacy Act represents a thoughtful approach to consumer data protection. Its universal opt-out requirement, opt-in consent for sensitive data, and expiring cure period all signal a legislative intent to prioritize consumer rights. But having rights on paper is only half the equation. Enabling GPC, submitting individual requests to companies, and using a service like PrivacyOn to systematically remove your data from broker sites gives you the most comprehensive protection available under Connecticut law.

Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
