# Connecticut Consumer Privacy Law (CTDPA)[^about]

The Connecticut Data Privacy Act gives Connecticut consumers rights over their personal data and imposes notice, universal-opt-out, contracting, and consent duties on controllers above defined thresholds — it is enforced exclusively by the Attorney General, its cure period sunset at the end of 2024, and it provides no private right of action.

## Does the Connecticut Data Privacy Act apply to your business? {#does-ctdpa-apply}

**Short answer.** It depends on consumer volume, not revenue. The CTDPA applies to persons that do business in Connecticut or target its residents and, in the preceding year, controlled or processed the personal data of 100,000 or more consumers, or 25,000 or more while deriving more than 25% of gross revenue from selling personal data [^stat-516-apply].

Like Colorado, Connecticut sets no dollar revenue floor — the trigger is a consumer-count plus a Connecticut nexus, and the 100,000-consumer count excludes data processed solely to complete a payment transaction. Unlike Colorado, Connecticut exempts nonprofit organizations, along with the usual entity- and data-level carve-outs for state agencies and GLBA-, HIPAA-, and FCRA-regulated data. A consumer is a Connecticut resident acting in an individual or household context, not an employee or business contact.

## What must your Connecticut privacy policy contain? {#privacy-policy-contents}

**Short answer.** A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, how consumers exercise their rights, the categories of personal data shared with third parties, and the categories of those third parties [^stat-520-notice].

For a template privacy policy, treat section 42-520 as the content checklist. Connecticut also requires data minimization (collection limited to what is adequate, relevant, and reasonably necessary) and consent before processing sensitive data, so the practices the notice describes must line up with the consents actually collected. If you sell personal data or process it for targeted advertising, the policy must clearly disclose that and how to opt out.

## What must your contracts with processors say? {#vendor-contracts}

**Short answer.** A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — making a data processing agreement a statutory requirement, not a best practice [^stat-521-contract].

Section 42-521 then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, cooperation with assessments, and a requirement to bind subcontractors by written contract to the same obligations. A compliant template DPA tracks each of these.

## Must you honor a universal opt-out signal? {#universal-opt-out}

**Short answer.** Yes. Since January 1, 2025, a controller must let consumers opt out of targeted advertising and the sale of their personal data through an opt-out preference signal — a browser- or device-level mechanism such as the Global Privacy Control — not just a website link [^stat-520-uoom].

This puts Connecticut among the states (with California and Colorado) that require honoring universal opt-out signals. A template privacy program should wire opt-out-preference-signal handling into its consent and preference logic. The opt-out is part of a fuller set of consumer rights — access, correction, deletion, portability, and opt-out of targeted advertising, sale, and certain profiling — to which a controller must respond within 45 days.

## Can a consumer sue your business under the CTDPA? {#consumer-lawsuit}

**Short answer.** No. The CTDPA states that nothing in it provides a basis for a private right of action, so consumers cannot sue under it [^stat-525-nopra]. Enforcement belongs to the Connecticut Attorney General, who treats violations as unfair trade practices.

There is an important timing wrinkle: the CTDPA's mandatory right-to-cure ran only from July 1, 2023 through December 31, 2024 [^stat-525-cure]. Since the start of 2025, a cure is discretionary, not guaranteed — the Attorney General may, but need not, offer one. The compliance posture is to build the privacy notice, opt-out, and contracting controls up front rather than counting on a cure window that has lapsed.



[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-04. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Connecticut. This article synthesizes Connecticut primary law and is not legal advice from a Connecticut-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^stat-516-apply]: **Conn. Gen. Stat. § 42-516** — "apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that during the preceding calendar year: (1) Controlled or processed the personal data of not less than one hundred thousand consumers" *Conn. Gen. Stat. § 42-516.* <https://www.cga.ct.gov/current/pub/chap_743jj.htm#sec_42-516>

[^stat-520-notice]: **Conn. Gen. Stat. § 42-520** — "reasonably accessible, clear and meaningful privacy notice that includes: (1) The categories of personal data processed by the controller; (2) the purpose for processing personal data;" *Conn. Gen. Stat. § 42-520(c).* <https://www.cga.ct.gov/current/pub/chap_743jj.htm#sec_42-520>

[^stat-521-contract]: **Conn. Gen. Stat. § 42-521** — "A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller." *Conn. Gen. Stat. § 42-521(c).* <https://www.cga.ct.gov/current/pub/chap_743jj.htm#sec_42-521>

[^stat-520-uoom]: **Conn. Gen. Stat. § 42-520** — "Not later than January 1, 2025, allowing a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology or mechanism to the controller indicating such consumer's intent to opt out of any such processing or sale." *Conn. Gen. Stat. § 42-520(e).* <https://www.cga.ct.gov/current/pub/chap_743jj.htm#sec_42-520>

[^stat-525-nopra]: **Conn. Gen. Stat. § 42-525** — "Nothing in sections 42-515 to 42-524, inclusive, or section 42-526, shall be construed as providing the basis for, or be subject to, a private right of action for violations of said sections or any other law." *Conn. Gen. Stat. § 42-525(d).* <https://www.cga.ct.gov/current/pub/chap_743jj.htm#sec_42-525>

[^stat-525-cure]: **Conn. Gen. Stat. § 42-525** — "During the period beginning on July 1, 2023, and ending on December 31, 2024, the Attorney General shall, prior to initiating any action for a violation of any provision of sections 42-515 to 42-524, inclusive, issue a notice of violation to the controller if the Attorney General determines that a cure is possible." *Conn. Gen. Stat. § 42-525(b).* <https://www.cga.ct.gov/current/pub/chap_743jj.htm#sec_42-525>
