Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View
Contact Us See a demo

Connecticut Data Privacy Act (CTDPA)

Operationalize CTDPA Compliance with PrivacyOps Platform

Last Updated on July 1, 2025

Schedule Your
Personal Demo

Learn how you can leverage Securiti’s Data Command Center to address data security, privacy, governance, and compliance.

See a demo
Schedule your demo today

In the absence of a comprehensive federal data privacy law within the United States, states have taken it upon themselves to provide appropriate protection for their residents' data. In May 2022, Connecticut became the fifth state after California, Colorado, Virginia, and Utah to pass its own comprehensive data privacy regulation.

Senate Bill 6, known as Public Act No. 22-15 and "An Act Concerning Personal Data Privacy and Online Monitoring," was signed into law by Connecticut Governor Ned Lamont. The Connecticut Data Privacy Act (CTDPA), as it has come to be known, went into effect on July 1, 2023, with additional obligations such as the requirement to recognize universal opt-out became effective on January 1, 2025.

The CTDPA shares several similarities with its sister regulations passed in Colorado, Virginia, Utah, and California. It applies to data controllers and processors who offer products and services to Connecticut residents and control or process the personal data of at least 100,000 consumers annually or derive over 25 percent of their gross revenue from the sale of personal data while controlling or processing the personal data of 25,000 or more consumers.

The Connecticut Attorney General has exclusive enforcement authority of CTDPA, with violations constituting unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA).

The Solution

Securiti promises thorough compliance with the Connecticut Privacy Act thanks to its PI data discovery, DSR automation, documented accountability, and AI-process automation features, among others.

These data solutions and a plethora of similar solutions, backed up by state-of-the-art artificial intelligence and machine-learning-based algorithms, make Securiti an ideal option for organizations that want to achieve effective and efficient compliance with the CTDPA.

Connecticut Data Privacy Act Compliance

Request a demo today to learn how Securiti can aid you and your organization's compliance efforts.

 

Assess Readiness

Sections: 2, 6(a), 6(b), 10(f)

Automate and schedule regular internal assessments of various internal data-related activities and mechanisms to maintain a real-time update related to their effectiveness and identify potential gaps and blindspots, allowing for timely adjustments if necessary.

CTDPA assessment
CTDPA Data Subject Request Workbench

Automate Consumer Data Request Handling

Sections: 4, 5

Organizations can easily automate the process related to data access requests while being compliant with the law.

Secure Fulfillment of Data Access & Porting Requests

Sections: 4(a)(1), 4(a)(4)

Automate the fulfillment of any and all users' data access requests while maintaining real-time updates on the status of each request via the central dashboard.

CTDPA Data Access Request Management
CTDPA data rectify request

Automate Processing of Rectification Requests

Sections:4(a)(2)

Automate the fulfillment of any and all users' data rectification requests while maintaining real-time updates on the status of each request via the central dashboard.

Automate Erasure/Destroy/Anonymize Requests

Section: 4(a)(3)

Automate the fulfillment of any and all users' data deletion requests while maintaining real-time updates on the status of each request via the central dashboard.

CTDPA data erasure request
CTDPA Cookie Consent Configuration

Automate Opt-out/GPC Requests

Sections: 4(c)(4), 6(e)(1)(A)(i), 6(e)(1)(A)(ii), 6(e)(1)(B), 6(e)(2)

Automate the fulfillment of any and all users' opt-out requests while maintaining real-time updates on the status of each request via the central dashboard and honoring the browser preference settings enabled by the user.

Automate Data Protection Impact Assessment (DPIA)

Sections: 7(a)(3), 8

Automate the execution of a data protection impact assessment (DPIA) to ensure it is conducted at regular intervals, giving you ample time, data, and insights to take appropriate actions.

CTDPA Data Protection Impact Assessment
CTDPA Universal Consent Management

Monitor & Track Consent

Sections: 1(6), 6(a)(2), 6(a)(4), 6(a)(6), 6(a)(7)

Organizations can monitor users' consent for various data processing activities via the central dashboard. This ensures that all data collection complies with the data protection requirements while guaranteeing no illegal transfers, sharing, or selling of data not consented to by the user occurs.

Automate Records of Processing Activities

Section: 4(c)(5)(A)

Automate the recording of all internal processing activities to aid in future DPIA and regulatory documentation needs.

CTDPA Records of Processing
CTDPA breach response notification

Automate Data Breach Response Notifications

Sections: 7(a)(2), 9(e)

Connecticut General Statutes Section 36a-701b
Organizations can implement and automate every step of their data breach incident response plan to ensure a proactive approach is adopted, resulting in minimal damage.

Manage Vendor Risk

Sections: 6(d), 7, 10(d)

Organizations can easily track all their vendors' data processing activities to ensure their practices comply with the law.

CTDPA manage vendor risk
CTDPA Privacy Notice Management

Privacy Policy & Notice Management

Sections: 4(b), 6(c), 6(e)

Generate privacy policies that comply with the appropriate data protection laws in informing the users about the data collection practices of the organization while also automating any notice requirements.

Assess Data Protection Measures & Enable Appropriate Security Controls

Sections: 6(a)(3), 7(a)(2), 10(a)(9)

Assess all implemented internal data protection measures' effectiveness and make any relevant changes, additions, and adjustments necessary for the appropriate degree of protection.

CTDPA data protection assessment
ctdpa data mapping overview

Map Data to Discover & CatalogSensitive Personal Information

Sections: 1(27), 8(a)(4)

Automate all incoming and outgoing data transfers in real-time to ensure all transfers are compliant with the appropriate data protection requirements.

Automate Data Classification & Labeling

Sections: 1(13), 8(b), 9(a), 9(b), 9(e)

Automate the data classification and labeling process to get better insights related to all personal and sensitive data assets.

ctdpa data classification

Key Rights Under CTDPA

Here are the rights guaranteed to all Connecticut residents by the CTDPA:

Right to Access

All consumers have the right to know and confirm whether or not a controller is processing the consumer's personal data and accessing this personal data unless such confirmation or access would require the controller to reveal a trade secret.

Right to Correction

All consumers have the right to correct inaccuracies in their personal data that may have become outdated/incomplete/obsolete since its collection, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.

Right to Deletion

All consumers have the right to request the deletion of all their data collected for the purposes of the processing.

Right to Copy

All consumers have the right to obtain a copy of the consumer's personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format that can be used to transmit the data to another controller without any unnecessary hindrance.

Right to Opt-Out of the Processing

All consumers have the right to opt out of any processing of their data related to targeted advertising, sale of their personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Facts To Know About the CTDPA

Here are something important facts to know about the CTDPA:

1

Non-profit organizations, higher education institutes, national securities associations, financial institutions subject to the Gramm–Leach–Bliley Act (GLBA), and state bodies, authorities, boards, bureaus, commissions, districts, and agencies are exempt from the CTDPA;

2

CTDPA does not apply to certain information such as protected health information, patient identification, information used for public health activities, personal data regulated by Family Educational Rights and Privacy Act, and data processed and controlled under Farm Credit Act, etc.;

3

A controller must respond to all consumer rights requests without undue delay but not later than forty-five (45) days after receiving the request;

4

The controller may request forty-five (45) additional days extension if reasonably necessary to respond to consumer rights requests;

5

A controller may charge the consumer a reasonable fee to cover the administrative costs of complying with consumer requests if they are manifestly unfounded, excessive, or repetitive;

6

All controllers are required to have a privacy policy on their website that includes the categories of personal data processed by the controller, the purpose for processing personal data, how consumers may exercise their consumer rights, the categories of personal data that the controller shares with third parties, the categories of third parties, if any, with which the controller shares personal data, and an active electronic mail address or other online mechanisms that the consumer may use to contact the controller;

7

All controllers must conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer;

8

During the period beginning on July 1, 2023, and ending on December 31, 2024, the Attorney General shall, before initiating any action for a violation of the CTDPA, issue a notice of violation to the controller if the Attorney General determines that a cure is possible;

9

The controller will have sixty (60) days from the receipt of the notice to cure any violation.

IDC MarketScape

Securiti named a Leader in the IDC MarketScape for Data Privacy Compliance Software

Read the Report
Please enter a minimum of 3 characters to begin your search.
Videos
View More
January 20, 2025
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
January 15, 2025
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
January 2, 2025
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
December 24, 2024
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
November 1, 2024
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
October 29, 2024
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
August 12, 2024
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
June 3, 2024
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
January 29, 2024
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
October 17, 2023
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix View More
July 6, 2025
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix
The Challenge of Navigating Global Data Privacy Laws In today’s privacy-first world, navigating data protection laws and direct marketing compliance requirements is no easy...
View More
June 27, 2025
Databricks AI Summit (DAIS) 2025 Wrap Up
5 New Developments in Databricks and How Securiti Customers Benefit Concerns over the risk of leaking sensitive data are currently the number one blocker...
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA) View More
July 6, 2025
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA)
Delve into Uganda's Data Protection and Privacy Act (DPPA), including data subject rights, organizational obligations, and penalties for non-compliance.
Data Risk Management View More
July 6, 2025
What Is Data Risk Management?
Learn the ins and outs of data risk management, key reasons for data risk and best practices for managing data risks.
Beyond DLP: Guide to Modern Data Protection with DSPM View More
June 9, 2025
Beyond DLP: Guide to Modern Data Protection with DSPM
Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.
Mastering Cookie Consent: Global Compliance & Customer Trust View More
May 28, 2025
Mastering Cookie Consent: Global Compliance & Customer Trust
Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.
Singapore’s PDPA & Consent: Clear Guidelines for Enterprise Leaders View More
July 7, 2025
Singapore’s PDPA & Consent: Clear Guidelines for Enterprise Leaders
Download the essential infographic for enterprise leaders: A clear, actionable guide to Singapore’s PDPA and consent requirements. Stay compliant and protect your business.
View More
July 7, 2025
Australia’s Privacy Act & Consent: Essential Guide for Enterprise Leaders
Download the essential infographic for enterprise leaders: A clear, actionable guide to Australia’s Privacy Act and consent requirements. Stay compliant and protect your business.
Gencore AI and Amazon Bedrock View More
January 7, 2025
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
November 18, 2024
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New