What Is the Connecticut Data Privacy Act?
CTDPA covers controllers processing personal data of 100,000+ Connecticut consumers or 25,000+ while selling data. It grants access, deletion, correction, portability, and opt-out rights. Connecticut recognizes universal opt-out mechanisms (GPC) as legally binding. Enforcement is exclusively by the AG. The 60-day cure period sunset on January 1, 2025.
At a glance
- Full name
- Connecticut Data Privacy Act
- Short code
- CTDPA
- Effective date
- July 1, 2023
- Response deadline
- 45 days
- Cure period
- None (sunset)
- Private right of action
- No
- Enforcement
- Connecticut Attorney General
- Maximum penalty
- Up to $5,000 per willful violation under the Connecticut Unfair Trade Practices Act
- Statutory citation
- Conn. Gen. Stat. § 42-515 et seq.
Who CTDPA applies to
A business is covered if it meets the applicability thresholds set out in Conn. Gen. Stat. § 42-515 et seq.. Most state laws use an “or” framework — any one of the thresholds triggers coverage unless otherwise noted.
- Controls or processes personal data of 100,000+ Connecticut consumers (excluding data processed solely for completing a payment transaction), OR
- Controls or processes personal data of 25,000+ Connecticut consumers AND derives over 25% of gross revenue from the sale of personal data
Consumer rights under CTDPA
Right to deletion, access, correction, portability
Right to opt-out via GPC universal opt-out
AG exclusive enforcement
Notable features (vs. CCPA)
CTDPA requires businesses to honor Global Privacy Control (GPC) as a valid opt-out signal, a stronger default than CCPA at the time of enactment. Connecticut added protections for teens (13-16) requiring opt-in for targeted advertising and sale, and enhanced consumer health data provisions through a 2023 amendment. Connecticut also requires businesses to recognize authorized agent requests.
Enforcement & penalties
Enforcing agency: Connecticut Attorney General
Maximum penalty: Up to $5,000 per willful violation under the Connecticut Unfair Trade Practices Act
Cure period: The 60-day cure period sunset on December 31, 2024. Violations occurring after that date are directly enforceable.
Private right of action: CTDPA has no private right of action. Enforcement is exclusive to the Connecticut Attorney General.
Where to file a complaint: Connecticut Attorney General
How to exercise your CTDPA rights
- 1
Identify the business that holds your data (or use OfflistMe, which pre-targets 500+ known brokers and applies CTDPA citations automatically).
- 2
Submit a verifiable consumer request to the business's designated contact. Include enough identifying data that the business can verify you as a Connecticut resident (e.g., ZIP code, email associated with your record).
- 3
Under CTDPA, businesses have 45 days to respond. Extensions are permitted with written notice under most state laws.
- 4
If the business fails to respond or denies the request without legal basis, file a complaint with the Connecticut Attorney General at https://portal.ct.gov/AG/Complaints/Consumer-Complaints.
Use your rights
CTDPA-compliant deletion emails, $7 one-time
OfflistMe drafts CTDPA-compliant deletion emails for $500+ data brokers. Citations included. You send from your own inbox. No account, no ID upload.
Start for $7 →FAQ
Is the CTDPA cure period still active?+
No. The cure period expired on January 1, 2025. The Connecticut AG can now enforce violations immediately.
Do I need to be a Connecticut resident to use CTDPA?+
Yes. CTDPA covers Connecticut consumers. Non-residents rely on their home state laws or on federal/broker voluntary policies.
Official sources & citations
Compare with sibling state laws
CTDPA is one of 18 comprehensive US state privacy laws. Its closest peers by effective date, useful when tracking how this law influenced or was influenced by neighboring legislation: