Does the Connecticut Data Privacy Act apply to your business?
It depends on consumer volume, not revenue. The CTDPA applies to persons that do business in Connecticut or target its residents and, in the preceding year, controlled or processed the personal data of 100,000 or more consumers, or 25,000 or more while deriving more than 25% of gross revenue from selling personal data.
Like Colorado, Connecticut sets no dollar revenue floor — the trigger is a consumer count plus a Connecticut nexus, and the 100,000-consumer count excludes data processed solely to complete a payment transaction. Unlike Colorado, Connecticut exempts nonprofit organizations, along with the usual entity- and data-level carve-outs for state agencies and GLBA-, HIPAA-, and FCRA-regulated data. A consumer is a Connecticut resident acting in an individual or household context, not an employee or business contact.
Sources for this answer
Primary law
A.1 Conn. Gen. Stat. § 42-516
The CTDPA applies to persons doing business in Connecticut or targeting its residents that controlled or processed the data of 100,000+ consumers, or 25,000+ while deriving over 25% of gross revenue from selling personal data.
apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that during the preceding calendar year: (1) Controlled or processed the personal data of not less than one hundred thousand consumers
See Conn. Gen. Stat. § 42-516.
What must your Connecticut privacy policy contain?
A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, how consumers exercise their rights, the categories of personal data shared with third parties, and the categories of those third parties.
For a template privacy policy, treat section 42-520 as the content checklist. Connecticut also requires data minimization (collection limited to what is adequate, relevant, and reasonably necessary) and consent before processing sensitive data, so the practices the notice describes must line up with the consents actually collected. If you sell personal data or process it for targeted advertising, the policy must clearly disclose that and how to opt out.
Sources for this answer
Primary law
B.1 Conn. Gen. Stat. § 42-520
A controller must provide a reasonably accessible, clear, and meaningful privacy notice listing the categories of personal data processed and the purpose for processing, among other required disclosures.
reasonably accessible, clear and meaningful privacy notice that includes: (1) The categories of personal data processed by the controller; (2) the purpose for processing personal data;
See Conn. Gen. Stat. § 42-520(c).
What must your contracts with processors say?
A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — making a data processing agreement a statutory requirement, not a best practice.
Section 42-521 then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, cooperation with assessments, and a requirement to bind subcontractors by written contract to the same obligations. A compliant template DPA tracks each of these.
Sources for this answer
Primary law
C.1 Conn. Gen. Stat. § 42-521
A contract between a controller and a processor must govern the processor's data processing performed on behalf of the controller.
A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller.
See Conn. Gen. Stat. § 42-521(c).
Must you honor a universal opt-out signal?
Yes. Since January 1, 2025, a controller must let consumers opt out of targeted advertising and the sale of their personal data through an opt-out preference signal — a browser- or device-level mechanism such as the Global Privacy Control — not just a website link.
This puts Connecticut among the states (with California and Colorado) that require honoring universal opt-out signals. A template privacy program should wire opt-out-preference-signal handling into its consent and preference logic. The opt-out is part of a fuller set of consumer rights — access, correction, deletion, portability, and opt-out of targeted advertising, sale, and certain profiling — to which a controller must respond within 45 days.
Sources for this answer
Primary law
D.1 Conn. Gen. Stat. § 42-520
By January 1, 2025, a controller must allow consumers to opt out of targeted advertising and the sale of personal data through an opt-out preference signal sent by a platform, technology, or mechanism.
Not later than January 1, 2025, allowing a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology or mechanism to the controller indicating such consumer's intent to opt out of any such processing or sale.
See Conn. Gen. Stat. § 42-520(e).
Can a consumer sue your business under the CTDPA?
No. The CTDPA states that nothing in it provides a basis for a private right of action, so consumers cannot sue under it. Enforcement belongs to the Connecticut Attorney General, who treats violations as unfair trade practices.
There is an important timing wrinkle: the CTDPA's mandatory right-to-cure ran only from July 1, 2023 through December 31, 2024. Since the start of 2025, a cure is discretionary, not guaranteed — the Attorney General may, but need not, offer one. The compliance posture is to build the privacy notice, opt-out, and contracting controls up front rather than counting on a cure window that has lapsed.
Sources for this answer
Primary law
E.1 Conn. Gen. Stat. § 42-525
The CTDPA bars any private right of action for its violation.
Nothing in sections 42-515 to 42-524, inclusive, or section 42-526, shall be construed as providing the basis for, or be subject to, a private right of action for violations of said sections or any other law.
See Conn. Gen. Stat. § 42-525(d).
Primary law
E.2 Conn. Gen. Stat. § 42-525
The CTDPA's mandatory notice-and-cure period ran only from July 1, 2023 through December 31, 2024.
During the period beginning on July 1, 2023, and ending on December 31, 2024, the Attorney General shall, prior to initiating any action for a violation of any provision of sections 42-515 to 42-524, inclusive, issue a notice of violation to the controller if the Attorney General determines that a cure is possible.
See Conn. Gen. Stat. § 42-525(b).