Connecticut's CTDPA: What E-commerce Businesses Need to Know
Connecticut's Data Privacy Act (CTDPA) took effect on July 1, 2023, making Connecticut the fifth state to enact comprehensive consumer privacy legislation. Nearly three years in, enforcement is active and the Connecticut AG has signaled that e-commerce businesses are squarely in scope. For e-commerce businesses, this means potentially significant new compliance obligations.
The law closely mirrors Virginia's Consumer Data Protection Act but includes some notable differences that could impact your operations. Whether you're already dealing with California's CPRA or this is your first encounter with state privacy laws, understanding Connecticut's requirements is crucial for continued e-commerce operations.
Who Must Comply: CTDPA Thresholds
The CTDPA applies to businesses that meet specific volume thresholds during the preceding calendar year. Not every e-commerce business will fall under its scope.
Primary Thresholds
| Threshold Type | Requirement |
|---|---|
| Data Processing | Process personal data of 100,000+ Connecticut consumers |
| Revenue + Data Sales | Control/process personal data of 25,000+ Connecticut consumers AND derive 25%+ of gross revenue from selling personal data |
Important Exemptions
Several business types are exempt from CTDPA requirements:
- Small businesses (under $25 million annual revenue)
- HIPAA-covered entities and business associates
- Financial institutions subject to the Gramm-Leach-Bliley Act
- Higher education institutions
- Nonprofit organizations
Note that the small business exemption is unique to Connecticut and more generous than similar laws in other states.
Consumer Rights Under the CTDPA
Connecticut consumers gain eight specific privacy rights that e-commerce businesses must honor. These rights create operational requirements around data handling and customer service.
The Eight Consumer Rights
- Right to Know: Confirmation of personal data processing and access to that data
- Right to Delete: Deletion of personal data provided by or obtained about the consumer
- Right to Correct: Correction of inaccurate personal data
- Right to Data Portability: Personal data in a portable, readily usable format
- Right to Opt-Out of Sales: Opt-out of personal data sales to third parties
- Right to Opt-Out of Targeted Advertising: Opt-out of targeted advertising
- Right to Opt-Out of Profiling: Opt-out of profiling for decisions with legal effects
- Right to Non-Discrimination: Equal service and pricing regardless of rights exercise
Response Requirements
Businesses must respond to consumer requests within 45 days, with a possible 45-day extension for complex requests. Unlike some state laws, Connecticut requires free responses to consumer requests.
Key Compliance Requirements
Privacy Notice Requirements
Your privacy policy must include specific disclosures:
- Categories of personal data processed
- Purposes for processing
- Third-party data sharing practices
- Consumer rights and how to exercise them
- Contact information for privacy inquiries
Data Protection Assessments
Certain high-risk processing activities require conducting and documenting data protection assessments:
- Targeted advertising
- Personal data sales
- Profiling with legal or significant effects
- Sensitive data processing
- Processing that presents heightened privacy risks
Sensitive Data Protections
The CTDPA requires opt-in consent for processing sensitive personal data, including:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health conditions
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data
- Personal data from children under 13
Third-Party Contracts
Contracts with processors, vendors, and service providers must include specific data protection provisions:
- Clear processing instructions
- Confidentiality requirements
- Data security obligations
- Subprocessor restrictions
- Data breach notification procedures
Penalties and Enforcement
Connecticut's Attorney General has exclusive enforcement authority over CTDPA violations. There's no private right of action for consumers.
Penalty Structure
| Violation Type | Maximum Penalty |
|---|---|
| Per Violation | Up to $5,000 |
| Pattern/Practice | Additional penalties may apply |
| Intentional Violations | Enhanced penalties possible |
While $5,000 per violation might seem manageable, violations can multiply quickly across consumers and time periods, potentially reaching significant amounts for e-commerce businesses with large customer bases.
The 60-Day Cure Period
One of the CTDPA's business-friendly features is its cure period provision. Before imposing penalties, the Attorney General must provide written notice of alleged violations.
Businesses then have 60 days to cure the violation and provide written confirmation of remedial action. The CTDPA originally included a 60-day cure period, which has since sunset for most violations — meaning the Connecticut AG can now pursue enforcement without first giving notice and an opportunity to remediate. Check BriefStack state tracking for the current cure-period status before relying on it.
Making the Most of Cure Periods
To benefit from cure periods:
- Maintain detailed compliance documentation
- Establish incident response procedures
- Create remediation playbooks for common violations
- Designate responsible personnel for regulatory communications
Practical Compliance Steps for E-commerce
Phase 1: Assessment
Determine Applicability: Calculate your Connecticut consumer volume and revenue sources. Remember to count unique consumers, not total transactions.
Data Mapping: Document what personal data you collect, where it's stored, how it's used, and who has access. Include all customer data, analytics data, and marketing data.
Vendor Audit: Review all third-party relationships that involve personal data sharing, including payment processors, marketing platforms, and analytics tools.
Phase 2: Policy and Process Updates
Privacy Policy Updates: Revise your privacy policy to include all required CTDPA disclosures. Ensure it's accessible from your homepage and checkout pages.
Consumer Request Infrastructure: Implement systems to receive, track, and respond to consumer rights requests within required timeframes.
Opt-Out Mechanisms: Create clear, accessible methods for consumers to opt out of data sales, targeted advertising, and profiling.
Phase 3: Operational Implementation
Staff Training: Train customer service, marketing, and technical teams on privacy requirements and consumer rights.
Data Security: Implement appropriate technical and organizational measures to secure personal data throughout its lifecycle.
Contract Updates: Revise vendor and processor agreements to include required data protection provisions.
Phase 4: Ongoing Compliance
Regular Assessments: Conduct periodic reviews of your data practices, especially when launching new products or marketing campaigns.
Monitoring and Documentation: Maintain records of compliance efforts, consumer requests, and any privacy incidents.
Legal Updates: Stay informed about regulatory guidance, enforcement actions, and potential law amendments.
Special Considerations for E-commerce
Customer Analytics and Tracking
Many e-commerce businesses rely heavily on customer analytics, which may trigger CTDPA requirements:
- Web analytics may constitute profiling
- Behavioral tracking could require opt-out options
- Cross-device tracking may need specific disclosures
Marketing and Advertising
Targeted advertising is specifically regulated under the CTDPA:
- Consumers can opt out of targeted advertising
- Retargeting campaigns may need consent mechanisms
- Third-party advertising networks require contractual protections
Payment and Transaction Data
E-commerce transaction data often includes sensitive information:
- Payment data may qualify as sensitive personal data
- Purchase history profiling could trigger assessment requirements
- Financial account information has additional protections
Three Years In: The CTDPA Enforcement Landscape in 2026
CTDPA has been in force since July 2023. If your e-commerce business has Connecticut customers and hasn't done a formal review of CTDPA compliance, you're already behind — but not irrecoverably so. The Connecticut AG has focused initial enforcement on clear-cut failures: missing privacy notices, ignored opt-out requests, and failure to honor universal opt-out signals.
Start with determining whether your business meets the thresholds, then work systematically through data mapping, policy updates, and operational changes. Remember that compliance is ongoing, not a one-time project.
For businesses already complying with other state privacy laws, Connecticut's requirements will feel familiar but include state-specific nuances that require attention.
Stay on top of changes like these — BriefStack monitors all 20+ state privacy laws and delivers what matters to your inbox daily.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.