Connecticut
💡 Last Updated October 2025. Written with contributions from both human authors and LLMs. If you find incorrect or outdated information let us know at support@optery.com.
Connecticut's CTDPA gives you the right to opt out of data brokers.
What the CTDPA does for you
Connecticut's data privacy law (CTDPA) gives you real control over your personal information. You have the right to see what data businesses collect about you, correct mistakes, delete your data, and opt out of your data being sold or used for targeted advertising. You also have the right to get a portable copy of your data and to stop businesses from using automated decisions that significantly affect you.
Your rights under the CTDPA
Right to Know
You have the right to confirm whether a business is processing your personal data and to access that data. You can find out what information a company holds about you.
Exceptions: Does not apply if confirming or providing access would require the business to reveal a trade secret; Does not apply to pseudonymous data where identifying information is kept separately with appropriate controls; Does not apply if the business cannot reasonably associate the request with the personal data.
Source: Public Act No. 22-15, Sec. 4(a)(1)
Right to Delete
You have the right to request that a business delete personal data it has collected about you or obtained from other sources.
Exceptions: A business may retain minimum data necessary to record that a deletion request was made; Does not apply where retention is required by law; Does not apply to pseudonymous data where identifying information is kept separately with appropriate controls; Does not apply if the business cannot reasonably associate the request with the personal data.
Source: Public Act No. 22-15, Sec. 4(a)(3)
Right to Correct
You have the right to ask a business to correct inaccurate personal data it holds about you, taking into account the nature of the data and the purposes for which it is processed.
Exceptions: Does not apply to pseudonymous data where identifying information is kept separately with appropriate controls.
Source: Public Act No. 22-15, Sec. 4(a)(2)
Right to Opt Out of Sales
You have the right to opt out of having your personal data sold to third parties. Businesses that sell personal data must provide a clear link on their website for you to opt out.
Exceptions: Does not apply to disclosures to processors acting on the business's behalf; Does not apply to disclosures for providing a product or service you requested; Does not apply to transfers to affiliates of the controller; Does not apply to data you intentionally made publicly available.
Source: Public Act No. 22-15, Sec. 4(a)(5)(B)
Right to Opt Out of Processing
You have the right to opt out of having your personal data processed for targeted advertising — that is, ads selected based on your activities tracked across different websites and apps.
Exceptions: Does not apply to ads based on activity within a single company's own websites or apps; Does not apply to ads based on your current search query or page visit; Does not apply to processing solely to measure or report advertising performance.
Source: Public Act No. 22-15, Sec. 4(a)(5)(A)
Right to Opt Out of Automated Decisions
You have the right to opt out of profiling that uses solely automated processing to make decisions with legal or similarly significant effects on you — such as decisions about credit, housing, insurance, employment, or health care.
Exceptions: Only applies to solely automated decisions that produce legal or similarly significant effects; Does not apply to profiling that involves meaningful human involvement in the decision.
Source: Public Act No. 22-15, Sec. 4(a)(5)(C)
Right to Data Portability
You have the right to receive a copy of your personal data in a portable and, where technically feasible, readily usable format so you can transfer it to another company.
Exceptions: Only applies where processing is carried out by automated means; The business is not required to reveal any trade secret; Does not apply to pseudonymous data where identifying information is kept separately with appropriate controls.
Source: Public Act No. 22-15, Sec. 4(a)(4)
Right to Non-Discrimination
A business cannot discriminate against you for exercising your privacy rights. This means they cannot deny you goods or services, charge you different prices, or provide a lower quality of service just because you made a privacy request.
Exceptions: A business may offer different prices or benefits if you voluntarily participate in a bona fide loyalty, rewards, or club card program; A business is not required to provide a product or service that requires data it does not collect.
Source: Public Act No. 22-15, Sec. 6(a)
Right to Limit Sensitive Data
Businesses must get your consent before processing sensitive data about you. Sensitive data includes your race or ethnicity, religious beliefs, health conditions, sex life, sexual orientation, immigration status, genetic or biometric data, precise location, and data collected from children.
Exceptions: Processing of sensitive data from children may comply with COPPA requirements instead; Certain health-related sensitive data may be processed under HIPAA exemptions.
Source: Public Act No. 22-15, Sec. 6(a)(4)
How to exercise your rights
- See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed. Start a free scan →
- Submit a CTDPA deletion or opt-out request. Covered businesses have 45 days to respond (Public Act No. 22-15, Sec. 4(c)), with up to 45 additional days if they invoke the extension provision.
- Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data. Sign up free →
Authorized agents
The CTDPA mentions authorized agents only in the context of opt-out requests (Conn. Gen. Stat. Ann. § 42-515 et seq.). Data brokers may choose to — but are not required to — honor deletion requests submitted by an authorized agent. In practice, many brokers do accept agent-submitted deletion requests. Optery handles both types on your behalf where permitted.
Enforcement and penalties
The CTDPA is enforced by Connecticut Attorney General. The Connecticut Attorney General has exclusive authority to enforce this law. Violations are treated as unfair trade practices. During July 1, 2023 through December 31, 2024, businesses received a 60-day notice and opportunity to cure violations before enforcement action. After January 1, 2025, the Attorney General has discretion on whether to grant a cure period. There is no private right of action — individual consumers cannot sue directly under this law.
Who does the CTDPA apply to?
This law applies to businesses that conduct business in Connecticut or target products and services to Connecticut residents, and that during the previous year either: (1) handled personal data of 100,000 or more Connecticut consumers, or (2) handled personal data of 25,000 or more Connecticut consumers AND earned more than 25% of their gross revenue from selling personal data. Nonprofits, government bodies, higher education institutions, financial institutions covered by Gramm-Leach-Bliley, and HIPAA-covered entities are exempt.
Frequently asked questions
Which businesses does Connecticut's privacy law apply to?
The law applies to businesses that operate in Connecticut or target Connecticut residents, and that during the previous year either processed personal data of at least 100,000 Connecticut consumers, or processed personal data of at least 25,000 consumers and derived more than 25% of gross revenue from selling personal data (Public Act No. 22-15, Sec. 2). Nonprofits, government agencies, universities, and health-care entities covered by HIPAA are exempt (Public Act No. 22-15, Sec. 3).
How long does a business have to respond to my privacy request?
A business must respond to your request within 45 days of receiving it (Public Act No. 22-15, Sec. 4(c)(1)). If your request is complex, they can take an additional 45 days, but they must notify you of the extension within the initial 45-day period and explain why they need more time. Responses are free once per 12-month period.
Can I use a third party or service to submit opt-out requests on my behalf?
Yes, but only for opt-out requests. You can designate an authorized agent — including through a browser setting, browser extension, or global device setting — to opt out of data sales, targeted advertising, or automated profiling on your behalf (Public Act No. 22-15, Sec. 5). Authorized agents cannot submit other types of requests (such as deletion or access) on your behalf under this law.
What happens if a business violates my privacy rights?
The Connecticut Attorney General has exclusive authority to enforce this law — you cannot sue a business directly under it (Public Act No. 22-15, Sec. 11(d)). Violations are treated as unfair trade practices. If your appeal of a denied request is rejected, the business must provide you with a way to contact the Attorney General to file a complaint (Public Act No. 22-15, Sec. 4(d)).
Does a business need my permission before collecting sensitive information about me?
Yes. Businesses must obtain your consent before processing sensitive data, which includes your race, religion, health conditions, sex life, sexual orientation, immigration status, genetic or biometric data, precise location, and personal data collected from children (Public Act No. 22-15, Sec. 6(a)(4)). They must also provide an easy way for you to revoke that consent, and must stop processing within 15 days of your revocation request.