Connecticut

Comprehensive Privacy Law

Connecticut has enacted a comprehensive data privacy law called the Connecticut Data Privacy Act (CTDPA), which was originally signed into law on May 10, 2022, and became effective on July 1, 2023 [1][2][3]. This makes Connecticut the fifth state in the U.S. to pass comprehensive consumer data privacy legislation, following California, Virginia, Colorado, and Utah [3][4].

The law grants Connecticut residents significant rights over their personal data and establishes clear obligations for businesses that collect and process consumer information. The CTDPA is enforced by the Connecticut Attorney General’s office, which has already begun taking enforcement actions, including announcing the first settlement in July 2025 [5][6].

Legislative Activity

Connecticut continues to actively strengthen its privacy protections through ongoing legislative amendments. In June 2025, Governor Ned Lamont signed Senate Bill 1295, which significantly expands and enhances the original CTDPA [7][8][9]. This marks the second major revision to the law since its original passage, demonstrating Connecticut’s commitment to staying at the forefront of consumer data privacy protection [10].

The Connecticut Attorney General has issued annual enforcement reports with recommendations for legislative improvements, many of which were incorporated into the 2025 amendments [5][11][12]. This collaborative approach between enforcement and legislative branches ensures the law continues to evolve to address emerging privacy challenges.

Implementation Timeline

The original CTDPA became effective on July 1, 2023, and businesses had until December 31, 2024, to receive a 60-day cure period for violations before facing immediate enforcement action [13]. Starting January 1, 2025, the Attorney General can take immediate enforcement action without providing a cure period [13].

The significant amendments passed in 2025 will take effect on July 1, 2026, giving businesses approximately one year to prepare for the expanded requirements [7][8][9][10]. These amendments include lowered thresholds for coverage, expanded definitions of sensitive data, and stronger protections for minors.

Your Rights as a Connecticut Resident

The Connecticut Data Privacy Act provides residents with comprehensive control over their personal information held by businesses. These rights apply to any business that meets the law’s coverage thresholds and processes your data.

Right to know and access: You can request to know what personal data a business has collected about you, how it’s being used, and who it’s shared with. You also have the right to access and receive a copy of your personal data [1][2][13].
Right to correct: You can request that businesses correct any inaccurate personal information they maintain about you [1][2][13].
Right to delete: You have the right to request deletion of your personal data, including data collected about you from other sources, not just data you provided directly [1][2][13].
Right to opt out: You can opt out of the sale of your personal data, targeted advertising, and certain profiling activities that may have legal or significant effects on you [1][2][13].
Right to data portability: You can request to receive your personal data in a common, machine-readable format that allows you to transfer it to another service [1][2][13].
Right to consent for sensitive data: Businesses must obtain your explicit opt-in consent before processing sensitive data, which includes information about your race, religion, health, sexual orientation, precise location, and biometric data [1][2][13].
Right to non-discrimination: Businesses cannot discriminate against you for exercising any of your privacy rights, such as denying services or charging different prices [1][13].

Connecticut’s law includes particularly strong protections for minors, requiring parental consent for processing data of children under 13 and additional protections for teens under 18, including restrictions on targeted advertising [8][10][13].

Business Requirements

The CTDPA establishes clear obligations for businesses that collect and process Connecticut residents’ personal data, with recent amendments expanding coverage and strengthening requirements.

Coverage thresholds: The law applies to businesses that conduct business in Connecticut or target products/services to Connecticut residents and either process personal data of at least 35,000 consumers, process any sensitive data, or engage in selling personal data (thresholds lowered from 100,000 consumers in 2025 amendments) [8][9][10].
Privacy notices and transparency: Covered businesses must provide clear, accessible privacy notices explaining what data they collect, how it’s used, who it’s shared with, and how consumers can exercise their rights [1][13].
Consumer request procedures: Companies must establish mechanisms for consumers to submit privacy rights requests and must respond within 45 days, with possible 45-day extensions for complex requests [1][13].
Data protection assessments: Businesses must conduct formal risk assessments for certain high-risk processing activities, including profiling and processing sensitive data [1][10][13].
Consent requirements: Companies must obtain opt-in consent for processing sensitive data and provide easy-to-use opt-out mechanisms for data sales and targeted advertising [1][2][13].
Data minimization: Businesses must limit data collection and processing to what is necessary for the specified purposes, with recent amendments strengthening these requirements [8][12][10].

Practical Impact

Enhanced control over online privacy: Connecticut residents now have meaningful tools to control how their personal information is collected and used by websites, apps, and online services they interact with daily. This includes the ability to stop targeted advertising and prevent the sale of their data to third parties [1][13].
Stronger protections for sensitive information: The law requires explicit consent before processing sensitive data like health information, location data, and biometric identifiers, giving residents greater control over their most personal information [2][13].
Enforcement and violations: If your privacy rights are violated, you can file complaints with the Connecticut Attorney General’s office, which has already begun enforcement actions, including issuing warning letters and securing monetary settlements from non-compliant businesses [5][11][6].
Limitations in coverage: The law does not apply to certain entities including government agencies, nonprofits, small businesses below the thresholds, and data already covered by federal laws like HIPAA and GLBA (though recent amendments narrowed some exemptions) [1][9][13].
Private right of action for sensitive data: Residents have the right to seek civil damages for violations specifically related to sensitive data, while general enforcement is handled by the Attorney General’s office [13][14].

Comparison Context

Leading privacy protection: Connecticut’s law is considered among the stronger state privacy laws, similar to Colorado and Virginia’s approaches, with comprehensive consumer rights and meaningful business obligations [3][4][15].
Recent enhancements: The 2025 amendments position Connecticut ahead of many other states by lowering coverage thresholds, expanding sensitive data definitions, and strengthening protections for minors [7][8][10].
Areas for improvement: Privacy advocacy groups have noted that Connecticut’s law could be strengthened further, particularly regarding data minimization requirements and broader coverage of entities like nonprofits [12].
Compared to California: Connecticut’s law is more limited than California’s CCPA/CPRA, which covers employee data and provides broader enforcement mechanisms, but Connecticut offers stronger opt-in requirements for sensitive data processing [3][4][14].
Federal context: Connecticut residents benefit from state-level protection while federal privacy legislation remains limited, making state laws like the CTDPA particularly important for privacy protection [4].

Action Steps for Residents

Review privacy policies: Start reading the privacy policies of websites and services you use regularly to understand what data is collected and how to exercise your rights under Connecticut law.
Exercise your opt-out rights: Look for “Do Not Sell My Personal Information” links on websites and consider using universal opt-out mechanisms that became required as of January 1, 2025 [2].
Request your data: Consider making data access requests to major companies to understand what information they have about you and how it’s being used.
Monitor enforcement actions: Stay informed about the Attorney General’s enforcement activities and public reports to understand how the law is being applied in practice [5][11].
Report violations: If you believe a business has violated your privacy rights under the CTDPA, file a complaint with the Connecticut Attorney General’s office through their consumer protection division.
Stay informed about updates: Follow news about privacy legislation in Connecticut, as the law continues to evolve with regular amendments and improvements.

Official Resources and Contact Information

Connecticut Legislature

For information about privacy legislation and to contact your representatives about privacy issues, visit the Connecticut General Assembly website at https://www.cga.ct.gov. You can find your specific state legislators using your address at https://www.cga.ct.gov/asp/menu/cgafindleg.asp [16][17].

To contact legislators by phone, you can call the appropriate legislative caucus office [18]:

Senate Democrats: 1-800-842-1420
Senate Republicans: 1-800-842-1421
House Democrats: 1-800-842-1902
House Republicans: 1-800-842-1423

Connecticut Attorney General

The Connecticut Attorney General’s office enforces the CTDPA and handles consumer privacy complaints. While specific contact information for privacy-related complaints should be obtained from their official website, general consumer protection inquiries can be directed through their established channels.

Governor’s Office

To contact the Governor’s office about privacy policy issues:

Hartford area: (860) 566-4840
Toll-free: (800) 406-1527

Consumer Protection Resources

The Connecticut Department of Consumer Protection handles various consumer issues and can be contacted at (860) 713-6050. For complaints, email DCP.complaints@ct.gov [19][20].

Federal Resources

For federal privacy and consumer protection issues, Senator Richard Blumenthal’s office provides consumer affairs assistance and can be reached at (860) 258-6940 for urgent matters [21].

For general questions about the Connecticut General Assembly, contact the Office of Legislative Management at (860) 240-0100 [16].

Sources and Citations

[1] https://www.consumerprivacyact.com/connecticut-consumer-privacy-law/

[2] https://www.cookieyes.com/blog/ctdpa-connecticut-data-privacy-law/

[3] https://www.mayerbrown.com/-/media/files/perspectives-events/publications/2022/05/update_connecticutpassescomprehensiveprivacylaw_v3.pdf

[4] https://www.burr.com/newsroom/articles/summary-and-comparison-of-u-s-data-privacy-laws

[5] https://portal.ct.gov/ag/press-releases/2025-press-releases/attorney-general-tong-releases-updated-report-on-connecticut-data-privacy-act

[6] https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/connecticut-ag-announces-first-settlement-under-the-connecticut-data-privacy-act

[7] https://www.bytebacklaw.com/2025/06/connecticut-enacts-significant-amendments-to-states-data-privacy-law/

[8] https://www.cyberadviserblog.com/2025/06/connecticut-amends-privacy-law/

[9] https://www.shb.com/intelligence/newsletters/pds/hansen-connecticut-privacy-law-2025

[10] https://fpf.org/blog/the-connecticut-data-privacy-act-gets-an-overhaul-again/

[11] https://natlawreview.com/article/connecticut-office-attorney-general-issues-annual-report-ctdpa-enforcement

[12] https://statescoop.com/connecticut-ag-state-data-privacy-law-report-2025/

[13] https://www.ketch.com/regulatory-compliance/connecticut-data-privacy-act-ctdpa

[14] https://www.truevault.com/learn/california-vs-virginia

[15] https://www.khlaw.com/insights/state-us-state-privacy-laws-comparison

[16] https://www.cga.ct.gov/olr/contact.asp

[17] https://www.cga.ct.gov/webapps/cgafyl.asp

[18] https://cthealthpolicy.org/resources-2/advocacy-tool-box/contact-officials/

[19] https://business.middlesexchamber.com/list/member/connnecticut-department-of-consumer-protection-2362

[20] https://www.instagram.com/ctdcp/?hl=en

[21] https://www.blumenthal.senate.gov/services/resources/consumer-affairs-protection

Last Updated August 2025. Written with contributions from both human authors and Perplexity AI. If you find incorrect or outdated information let us know at support@optery.com.