What Is the Connecticut Data Privacy Act?
CTDPA covers controllers processing personal data of 100,000+ Connecticut consumers or 25,000+ while selling data. It grants access, deletion, correction, portability, and opt-out rights. Connecticut recognizes universal opt-out mechanisms (GPC) as legally binding. Enforcement is exclusively by the AG. The 60-day cure period sunset on January 1, 2025.
At a glance
- Full name
- Connecticut Data Privacy Act
- Short code
- CTDPA
- Effective date
- July 1, 2023
- Response deadline
- 45 days
- Cure period
- None (sunset)
- Private right of action
- No
- Enforcement
- Connecticut Attorney General
- Maximum penalty
- Up to $5,000 per willful violation under the Connecticut Unfair Trade Practices Act
- Statutory citation
- Conn. Gen. Stat. § 42-515 et seq.
Who CTDPA applies to
A business is covered if it meets the applicability thresholds set out in Conn. Gen. Stat. § 42-515 et seq.. Most state laws use an “or” framework — any one of the thresholds triggers coverage unless otherwise noted.
- Controls or processes personal data of 100,000+ Connecticut consumers (excluding data processed solely for completing a payment transaction), OR
- Controls or processes personal data of 25,000+ Connecticut consumers AND derives over 25% of gross revenue from the sale of personal data
Consumer rights under CTDPA
Right to deletion, access, correction, portability
Right to opt-out via GPC universal opt-out
AG exclusive enforcement
Notable features (vs. CCPA)
CTDPA requires businesses to honor Global Privacy Control (GPC) as a valid opt-out signal — a stronger default than CCPA at the time of enactment. Connecticut added protections for teens (13-16) requiring opt-in for targeted advertising and sale, and enhanced consumer health data provisions through a 2023 amendment. Connecticut also requires businesses to recognize authorized agent requests.
Enforcement & penalties
Enforcing agency: Connecticut Attorney General
Maximum penalty: Up to $5,000 per willful violation under the Connecticut Unfair Trade Practices Act
Cure period: The 60-day cure period sunset on December 31, 2024. Violations occurring after that date are directly enforceable.
Private right of action: CTDPA has no private right of action. Enforcement is exclusive to the Connecticut Attorney General.
Where to file a complaint: Connecticut Attorney General
How to exercise your CTDPA rights
- 1
Identify the business that holds your data (or use OfflistMe, which pre-targets 300+ known brokers and applies CTDPA citations automatically).
- 2
Submit a verifiable consumer request to the business's designated contact. Include enough identifying data that the business can verify you as a Connecticut resident (e.g., ZIP code, email associated with your record).
- 3
Under CTDPA, businesses have 45 days to respond. Extensions are permitted with written notice under most state laws.
- 4
If the business fails to respond or denies the request without legal basis, file a complaint with the Connecticut Attorney General at https://portal.ct.gov/AG/Complaints/Consumer-Complaints.
Use your rights
CTDPA-compliant deletion emails, $5 one-time
OfflistMe drafts CTDPA-compliant deletion emails for 300+ data brokers. Citations included. You send from your own inbox. No account, no ID upload.
Start for $5 →FAQ
Is the CTDPA cure period still active?+
No. The cure period expired on January 1, 2025. The Connecticut AG can now enforce violations immediately.
Do I need to be a Connecticut resident to use CTDPA?+
Yes. CTDPA covers Connecticut consumers. Non-residents rely on their home state laws or on federal/broker voluntary policies.
Official sources & citations
Compare with sibling state laws
CTDPA is one of 18 comprehensive US state privacy laws. Its closest peers by effective date — useful when tracking how this law influenced or was influenced by neighbouring legislation: