Manage opt-outs easily for Connecticut Data Privacy Act
The #1 cookie consent solution, trusted by 1.4 Million+ websites
The Connecticut Data Privacy Act (CTDPA) is a state-wide data privacy law that gives consumers in Connecticut enhanced rights over their personal data and places obligations on organisations in the state. The Act was passed on May 10, 2022, and will go into force on July 1, 2023.
CTDPA Compliance Checklist for Websites
- Implement opt-out for targeted advertising and the sale of personal data
- Create a mechanism for data subject access requests
- Enable universal opt-out mechanism by January 1, 2025
Prepare for CTDPA Compliance with
Implement opt-out requests
Under the CTDPA, businesses are required to provide a clear and conspicuous link that allows consumers to opt out of the processing of data for targeted advertising, sale, and profiling based on automated decision-making.
With CookieYes you can
Automate consent management
Ensure that websites set third-party cookies only based on user preferences and establish continuous compliance with Connecticut Data Privacy Act.
Start your compliance with Connecticut Data Privacy Act
Learn more about CTDPA and take the next step towards compliance
What is Connecticut Data Privacy Act?
An Act Concerning Personal Data Privacy and Online Monitoring, also known as the Connecticut Data Privacy Act (CTDPA), is a new data privacy law that was passed in May 2022. It is the fifth comprehensive state-level privacy law in the US. Similar to its predecessor laws in California, Virginia, Utah and Colorado, the Act aims to protect the privacy of Connecticut residents and gives them rights and control over their personal data.
CTDPA will go into force on July 1, 2023, and places obligations on businesses collecting and processing the personal data of Connecticut residents.
Who does CTDPA apply to?
The Connecticut Data Privacy Act (CTDPA) applies to entities that conduct business in Connecticut or provide goods or services targeted at Connecticut consumers and that, during the preceding calendar year, either:
- Controlled or processed personal data of at least 100,000 Connecticut consumers
- Processed personal data of 25,000 or more consumers and received over 25% of annual gross revenue from selling personal data.
A notable exemption from the CTDPA is personal data controlled or processed exclusively to complete a payment transaction.
What are consumer rights under CTDPA?
Right to access
The right to access the personal data a business has collected about them.
Right to correct
The right to correct any inaccuracy in their personal data.
Right to delete
The right to delete personal information that a business has collected from them.
Right to opt-out
The right to opt out of the processing of personal data for targeted advertising and its sale to third parties.
Right to data portability
The right to obtain a copy of their personal data in a portable format.
What is the penalty for non-compliance?
The Connecticut Attorney General has enforcement authority under the CTDPA. Any business that violates the Act can face fines of up to $5000 per willful violation. In addition to civil penalties, the Attorney General can also seek equitable remedies, such as restitution and injunctive relief.
FAQ on CTDPA Compliance
The Connecticut Data Privacy Act (CTDPA) defines personal data as any information that can be reasonably used to identify an individual. This can include data such as name, email address, phone number, financial account number, and login credentials.
Deidentified data, aggregated data, or publicly available information is not considered personal data.
The Connecticut Data Privacy Act categorises sensitive data as data that reveals race, sexual orientation, religious belief, citizenship or citizenship status, genetic or biometric data, precise geolocation data and personal data from a child under the age of 13.
The CTDPA defines the sale of personal data as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”
Notably, the CTDPA treats the exchange of personal data for “other valuable consideration” as a sale, aligning with the definitions in Colorado’s and California’s privacy laws. This differs from Utah’s and Virginia’s laws, which only extend the definition of “sale” to monetary consideration.
Six types of organizations are exempt from the Connecticut Data Privacy Act (CTDPA). These include:
- Local and state governments
- Higher education institutions
- National securities associations registered under the Securities Exchange Act of 1934
- Financial institutions subject to the Gramm-Leach-Bliley Act
- Entities covered under HIPAA
There are sixteen categories of data-level exemptions, including information regulated by laws such as HIPAA, FERPA, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act, as well as employee and job applicant data.
The Connecticut Attorney General (AG) has the sole authority to enforce the CTDPA. In the event of a potential violation, the AG’s office will notify the business and give it 60 days from receipt of the notification to correct the violation. From January 1, 2025, this cure period will no longer be available by default and will be provided at the Attorney General’s discretion.
Fast-track your CTDPA compliance in minutes
Set up a cookie consent banner in 3 simple steps and automate your compliance.