State Law Practice Note

Connecticut Consumer Privacy Law (CTDPA)

The Connecticut Data Privacy Act gives Connecticut consumers rights over their personal data and imposes notice, universal-opt-out, contracting, and consent duties on controllers above defined thresholds — it is enforced exclusively by the Attorney General, its cure period sunset at the end of 2024, and it provides no private right of action.

More details about this document
Editor
, OpenAgreements editor
License
CC BY 4.0
Authorities relied on

Does the Connecticut Data Privacy Act apply to your business?

It depends on consumer volume, not revenue. The CTDPA applies to persons that do business in Connecticut or target its residents and, in the preceding year, controlled or processed the personal data of 100,000 or more consumers, or 25,000 or more while deriving more than 25% of gross revenue from selling personal data.

Like Colorado, Connecticut sets no dollar revenue floor — the trigger is a consumer-count plus a Connecticut nexus, and the 100,000-consumer count excludes data processed solely to complete a payment transaction. Unlike Colorado, Connecticut exempts nonprofit organizations, along with the usual entity- and data-level carve-outs for state agencies and GLBA-, HIPAA-, and FCRA-regulated data. A consumer is a Connecticut resident acting in an individual or household context, not an employee or business contact.

Sources for this answer

Primary law

A.1 Conn. Gen. Stat. § 42-516

The CTDPA applies to persons doing business in Connecticut or targeting its residents that controlled or processed the data of 100,000+ consumers, or 25,000+ while deriving over 25% of gross revenue from selling personal data.

apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that during the preceding calendar year: (1) Controlled or processed the personal data of not less than one hundred thousand consumers

See Conn. Gen. Stat. § 42-516.

What must your Connecticut privacy policy contain?

A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, how consumers exercise their rights, the categories of personal data shared with third parties, and the categories of those third parties.

For a template privacy policy, treat section 42-520 as the content checklist. Connecticut also requires data minimization (collection limited to what is adequate, relevant, and reasonably necessary) and consent before processing sensitive data, so the practices the notice describes must line up with the consents actually collected. If you sell personal data or process it for targeted advertising, the policy must clearly disclose that and how to opt out.

Sources for this answer

Primary law

B.1 Conn. Gen. Stat. § 42-520

A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, how consumers may exercise and appeal their rights, the categories of personal data shared with third parties, and the categories of those third parties.

reasonably accessible, clear and meaningful privacy notice that includes: (1) The categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request; (4) the categories of personal data that the controller shares with third parties, if any; (5) the categories of third parties, if any, with which the controller shares personal data;

See Conn. Gen. Stat. § 42-520(c).

What must your contracts with processors say?

A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — making a data processing agreement a statutory requirement, not a best practice.

Section 42-521 then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, cooperation with assessments, and a requirement to bind subcontractors by written contract to the same obligations. A compliant template DPA tracks each of these.

Sources for this answer

Primary law

C.1 Conn. Gen. Stat. § 42-521

The controller-processor contract must be binding and set forth processing instructions, the nature and purpose of processing, the type of data and duration, and the parties' rights and obligations, and must require the processor to maintain confidentiality, delete or return data at the controller's direction, make available information needed to demonstrate compliance, bind subcontractors by written contract to the same obligations, and cooperate with reasonable assessments (or arrange an independent assessment).

A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: (1) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; (2) at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (3) upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in sections 42-515 to 42-525, inclusive; (4) after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and (5) allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under sections 42-515 to 42-525, inclusive, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request.

See Conn. Gen. Stat. § 42-521(c).

Must you honor a universal opt-out signal?

Yes. Since January 1, 2025, a controller must let consumers opt out of targeted advertising and the sale of their personal data through an opt-out preference signal — a browser- or device-level mechanism such as the Global Privacy Control — not just a website link.

This puts Connecticut among the states (with California and Colorado) that require honoring universal opt-out signals. A template privacy program should wire opt-out-preference-signal handling into its consent and preference logic. The opt-out is part of a fuller set of consumer rights — access, correction, deletion, portability, and opt-out of targeted advertising, sale, and certain profiling — to which a controller must respond within 45 days.
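As an added illustration of wiring opt-out-preference-signal handling into consent logic (example code, not from the practice note or from OpenAgreements): the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` flag are the Global Privacy Control mechanism itself; the consent record's shape and field names are assumptions made for this example.

```javascript
// Added example, not code from the practice note or from OpenAgreements.
// Honors a Global Privacy Control (GPC) opt-out preference signal inside a
// consent/preference layer. Real parts: the "Sec-GPC: 1" request header and
// the navigator.globalPrivacyControl boolean are defined by the GPC spec.
// Assumed parts: the shape of the consent record and the field names below.

const GPC_HEADER = "sec-gpc";

// Server side: true when the request carries a valid GPC signal. `headers` is
// an object keyed by lower-cased header names, as Node's http module exposes them.
// The spec allows exactly one valid value, "1"; "0", "true" or anything else is ignored.
function hasOptOutSignal(headers) {
  const raw = headers[GPC_HEADER];
  return typeof raw === "string" && raw.trim() === "1";
}

// Client side: the same check from a navigator-like object (pass window.navigator).
function hasClientOptOutSignal(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Apply the signal to a consent record. A signal only narrows processing: it
// switches targeted advertising and sale off, and never re-enables them.
function applyOptOutSignal(consent, headers, now = new Date()) {
  const updated = { ...consent };
  if (hasOptOutSignal(headers)) {
    updated.targetedAdvertising = false;
    updated.saleOfPersonalData = false;
    updated.source = "opt-out-preference-signal";
    updated.updatedAt = now.toISOString();
  }
  return updated;
}

// Gates for the ad/sale pipeline: process only on an explicit, still-valid yes.
function mayProcessForTargetedAds(consent) {
  return consent.targetedAdvertising === true;
}
function maySellPersonalData(consent) {
  return consent.saleOfPersonalData === true;
}

// Constructed sample inputs (not captured from any real system).
const sampleWithSignal = { "sec-gpc": "1", "user-agent": "example-browser" };
const sampleWithoutSignal = { "user-agent": "example-browser" };
const sampleConsent = { targetedAdvertising: true, saleOfPersonalData: true };
```

Because the signal is applied at the consent-record level rather than at the ad tag, every downstream sale or targeted-advertising decision reads the same narrowed record.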

Sources for this answer

Primary law

D.1 Conn. Gen. Stat. § 42-520

By January 1, 2025, a controller must allow consumers to opt out of targeted advertising and the sale of personal data through an opt-out preference signal sent by a platform, technology, or mechanism.

Not later than January 1, 2025, allowing a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology or mechanism to the controller indicating such consumer's intent to opt out of any such processing or sale.

See Conn. Gen. Stat. § 42-520(e).

Can a consumer sue your business under the CTDPA?

No. The CTDPA states that nothing in it provides a basis for a private right of action, so consumers cannot sue under it. Enforcement belongs to the Connecticut Attorney General, who treats violations as unfair trade practices.

There is an important timing wrinkle: the CTDPA's mandatory right-to-cure ran only from July 1, 2023 through December 31, 2024. Since the start of 2025, a cure is discretionary, not guaranteed — the Attorney General may, but need not, offer one. The compliance posture is to build the privacy notice, opt-out, and contracting controls up front rather than counting on a cure window that has lapsed.

Sources for this answer

Primary law

E.1 Conn. Gen. Stat. § 42-525

The CTDPA bars any private right of action for its violation.

Nothing in sections 42-515 to 42-524, inclusive, or section 42-526, shall be construed as providing the basis for, or be subject to, a private right of action for violations of said sections or any other law.

See Conn. Gen. Stat. § 42-525(d).

Primary law

E.2 Conn. Gen. Stat. § 42-525

The CTDPA's mandatory notice-and-cure period ran only from July 1, 2023 through December 31, 2024.

During the period beginning on July 1, 2023, and ending on December 31, 2024, the Attorney General shall, prior to initiating any action for a violation of any provision of sections 42-515 to 42-524, inclusive, issue a notice of violation to the controller if the Attorney General determines that a cure is possible.

See Conn. Gen. Stat. § 42-525(b).
