Connecticut Data Privacy Act (CTDPA)
Complete compliance guide for companies with <200 employees. Everything you need to know about CTDPA requirements, deadlines, and penalties.
45 calendar days
+ 45 days extension
$5,000/violation
Up to $5,000 per violation under the Connecticut Unfair Trade Practices Act (CUTPA). The Attorney General may seek injunctive relief and civil penalties. The initial 60-day cure period expired on December 31, 2024 — violations are now immediately enforceable.
100,000 consumers
$4,000 – $15,000
4-10 weeks
Mid-Market Compliance Guide
Connecticut's CTDPA applies to entities conducting business in Connecticut or targeting Connecticut residents that process personal data of 100,000+ consumers (excluding payment-only transactions) OR 25,000+ consumers while deriving over 25% of gross revenue from personal data sales. The 60-day cure period expired December 31, 2024, making it one of the stricter US state laws. Universal opt-out mechanisms became required as of January 1, 2025.
Key Requirements
- Provide a clear and accessible privacy notice
- Limit data collection to what is adequate, relevant, and necessary
- Obtain consent before processing sensitive data
- Conduct data protection assessments for targeted advertising, profiling, and sale of data
- Establish, implement, and maintain reasonable data security practices
- Honor universal opt-out mechanisms (effective January 1, 2025)
Consumer Rights
Business Obligations
1. Provide privacy notice disclosing data categories, purposes, and third parties
2. Respond to consumer requests within 45 days
3. Provide an appeals process — respond to appeals within 60 days
4. Implement and maintain reasonable data security measures
5. Execute data processing agreements with processors
Exemptions
- HIPAA-covered entities and data
- GLBA-covered financial institutions
- Nonprofits
- Higher education institutions
- Government entities and contractors acting on their behalf
Disclaimer: This is general information, not legal advice. Consult a qualified attorney for your specific situation. Laws and regulations may change. Last reviewed: 3/3/2026.
