Connecticut Data Privacy Act (CTDPA) Assessment

CTDPA applies to persons that conduct business in Connecticut or target Connecticut residents and, during the preceding calendar year, either controlled or processed personal data of 35,000 consumers, excluding data processed solely to complete a payment transaction.

Under the CTDPA, personal data is information linked or reasonably linkable to an identified or identifiable individual. Sensitive data refers to personal data includes racial or ethnic origin, religious beliefs, a mental or health condition, diagnosis, sex life or sexual orientation or status as nonbinary or transgender, citizenship or immigration status, consumer health data, genetic or biometric data used to uniquely identify an individual, personal data from a known child, status as a victim of crime, precise geolocation data, neural data, consumer’s financial data that would allow access to a consumer’s financial account, and government-issued identification number.

The CTDPA includes exemptions for certain entities and data categories, such as government entities, nonprofits, higher education institutions, Gramm-Leach-Bliley Act (GLBA) -regulated financial institutions, Health Insurance Portability and Accountability Act (HIPAA)-covered entities and business associates, and several sector-specific categories of data.

The CTDPA treats data mapping and classification as foundational because organizations need to know what data they collect, where it is stored, how it flows, who has access, and what safeguards apply.

The CTDPA provides rights to confirmation, access, correction, knowledge of third-party deletion, portability, and opt out. Controllers must generally respond within 45 days, with one possible 45-day extension when reasonably necessary, and must also provide an appeals process for denied requests.

The CTDPA gives consumers the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions producing legal or similarly significant effects. Businesses must also honor automated opt-out preference signals, a requirement that became mandatory on January 1, 2025.

It groups accountability and governance around assigned ownership, training, complaints, transparency, non-discrimination, data minimization, purpose specification, and consumer health data obligations. The Attorney General’s guidance also emphasizes transparency and children’s and teens’ data protections.

The CTDPA requires valid consent before processing sensitive data, before processing personal data of a known child in the relevant contexts, and before using personal data for purposes that are not reasonably necessary to or compatible with disclosed purposes. Consent must be a clear affirmative act and not the product of dark patterns.

The CTDPA requires reasonable security practices appropriate to the volume and nature of the personal data. The Attorney General’s guidance also emphasizes transparency and the need to secure sensitive information.

The CTDPA requires contracts with processors that address instructions, confidentiality, deletion or return, assistance with consumer rights and security obligations, subcontractor terms, and assessments or reports demonstrating compliance.

The CTDPA requires documented data protection assessments for targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data. Comparable assessments done under other laws can count if they are reasonably similar in scope and effect.

The CTDPA requires a reasonably accessible, clear, and meaningful privacy notice containing these specific disclosure elements.

It notes special handling for children, consumers under guardianship or conservatorship, and authorized-agent opt-out requests.

It ties CTDPA readiness to Connecticut’s separate breach-notification requirements under state law. The Connecticut AG also actively reports reviewing data breaches and enforcement trends.

Auditability matters for investigations and enforcement. The Attorney General has published enforcement reports describing notices of violation and focus areas like privacy notices, sensitive data, cookie banners, and dark patterns.