Connecticut Data Privacy Act (CTDPA)

• May 10, 2022: CTDPA signed into law.
• July 1, 2023: Law became enforceable.
• January 1, 2025: Opt-out preference signals became effective; cure-period sunset took effect.
• June 2025: Public Act 25-113 signed.
• July 1, 2026: Amendments become effective, introducing lower thresholds, LLM disclosures, and expanded minor protections.

The July 2026 amendments eliminated the original 100,000 consumer and revenue-based thresholds. The CTDPA now applies to companies conducting business in Connecticut or targeting Connecticut residents that meet any of the following criteria:

• Control or process the personal data of 35,000 or more consumers annually (excluding payment-only data).
• Process any amount of sensitive data.
• Offer any consumers' personal data for sale in trade or commerce.

• Government entities, nonprofits, higher education institutions.
• Organizations subject to HIPAA, GLBA, COPPA, or other federal rules.
• Employment-related and publicly available data.
• New as of 2026: Tribal nation governments, air carriers, insurers, specific banks/credit unions, and SEC-regulated broker-dealers.

• Transparency: Provide detailed privacy notices. As of 2026, these must explicitly state if data is collected, used, or sold to train Large Language Models (LLMs), and prominently display the month and year the notice was last updated.
• Opt-out mechanisms: Allow refusal of targeted ads, data sales, and profiling.
• Sensitive data: Consent is required before processing. The definition now explicitly includes consumer health data (reproductive/gender-affirming), neural data, financial account access information, and government-issued IDs.
• Children’s data: FOpt-in consent is now required before targeted advertising or selling data for consumers under 18 years of age (ages 13–17). Businesses must also use reasonable care to avoid heightened risk of harm to minors.
• Profiling: Consumers can opt out of any automated decision with legal or similarly significant effects.
• Consent revocation: Must be as easy as giving consent; businesses must stop processing within 15 days.
• Data security: Implement safeguards proportional to risk.

• Provide at least one secure method for rights requests.
• Respond within 45 days, extendable once.
• Maintain appeals process: 60 days, with written reasoning and AG complaint contact.
• Display clear, accessible privacy notices featuring the new LLM disclosures and the last-updated date.

• Conduct data protection assessments for high-risk processing (ads, sales, profiling).
• Honor browser/device opt-out signals as of January 1, 2025.
• Loyalty programs: Businesses must honor opt-out signals but may notify consumers of program conflicts.

• Access: Obtain confirmation and copies.
• Correction: Rectify inaccuracies.
• Deletion: Request removal.
• Portability: Receive data in machine-readable format.
• Opt-out: Targeted advertising, sales, profiling.
• Know Data Buyers (New): Obtain a specific list of third parties to whom the business has sold their data.
• Question Profiling (New): Challenge profiling decisions, review the input data, and demand a reevaluation based on corrected data (especially for housing).
• Appeals: Consumers can appeal denials; businesses must respond in 60 days with reasoning and AG contact.

• Enforced by the Connecticut Attorney General.
• Cure period: Ended January 1, 2025; AG discretion applies thereafter.
• Violations constitute unfair trade practices under CUTPA.
• Penalties: Up to $5,000 per violation (~USD 5,000).
• No private right of action.