Applies to businesses processing personal data of 100,000+ Connecticut residents, or 25,000+ if you derive 25%+ of revenue from selling personal data — a lower threshold than most states.
Effective
2023-07-01
Penalty max
$25,000
Cure period
None
Honor GPC
Required
Overview
The Connecticut Data Privacy Act (CTDPA) took effect July 1, 2023. Connecticut's law is structurally similar to Colorado and Virginia but has two important differences: a lower revenue-from-data-sales threshold (25% vs. 50%), and a higher penalty cap ($25,000 per intentional violation, enforced through the Connecticut Unfair Trade Practices Act). The 60-day cure period sunset on December 31, 2024, meaning the AG can now pursue enforcement immediately upon discovering a violation. Beginning January 1, 2025, Connecticut requires businesses to honor browser-level Global Privacy Control (GPC) signals. Connecticut also has specific protections for minors aged 13–17 that require opt-in consent before processing for targeted advertising or sale.
Who it applies to
Businesses processing personal data of 100,000+ Connecticut residents annually.
Businesses processing personal data of 25,000+ Connecticut residents AND deriving 25%+ of revenue from selling personal data.
Consumer rights
Right to access
Consumers can request a copy of the personal data you hold about them.
Right to correction
Consumers can request you correct inaccurate personal data.
Right to deletion
Consumers can request you delete their personal data, subject to limited exceptions.
Right to portability
Consumers can request a machine-readable copy of their data to transfer elsewhere.
Right to opt out of sale
Consumers can opt out of the sale of their personal data to third parties.
Right to opt out of targeted advertising
Consumers can opt out of personalized ad targeting based on their behavior.
Right to opt out of profiling
Consumers can opt out of automated profiling for decisions with legal or similarly significant effects.
What this means for e-commerce
Connecticut has one of the highest civil penalties on this list — up to $25,000 per intentional violation under the Connecticut Unfair Trade Practices Act (CUTPA), which is how the AG enforces CTDPA. The cure period sunset on December 31, 2024, so the AG can now bring enforcement actions immediately. Connecticut requires honoring GPC signals as of January 1, 2025. Connecticut also has a lower revenue-from-data threshold (25%) than California or Colorado — meaning more affiliate-marketing and ad-tech-heavy e-commerce businesses are covered.
Penalties & enforcement
Enforced by the Connecticut Attorney General. Penalties range from $0 to $25,000 per violation.
The cure period sunset on 2024-12-31 — the AG can bring enforcement actions immediately upon finding a violation, without first giving you time to fix the problem.
Compliance checklist
Add a 'Your Privacy Choices' link in the site footer
Implement an opt-out mechanism for targeted advertising and data sales
Configure your site to detect and honor Global Privacy Control (GPC) signals (required since 1/1/2025)
If you serve users aged 13–17, obtain opt-in consent before targeted advertising or data sales
Update privacy policy with CTDPA-required disclosures
Respond to consumer requests within 45 days, with one 45-day extension allowed
Conduct data protection assessments for high-risk processing
Update vendor and processor agreements with CTDPA-required terms
Does the CTDPA apply to your business?
Run a free 60-second compliance check across all state privacy laws — including Connecticut.
BriefStack is for informational purposes only and does not constitute legal advice. For decisions specific to your business, consult a qualified attorney.