Skip to main content

WEBINARNavigating Consent Mode V2: How Should I Prepare?

|

30 April, 2024

3 pm CET (8 am CT)

Register now

Manage opt-outs easily for Connecticut Data Privacy Act

Implement an opt-out mechanism and generate a privacy policy to get started on your compliance with the Connecticut Data Privacy Act.

Become CTDPA Compliant

14-day free trial Cancel anytime

connecticut data privacy act op-out notice

The #1 cookie consent solution, trusted by 1.5 Million+ websites

Brand logos of global companies that are CookieYes customers.
Forbes
Decathlon
Dominos
Heineken
Toyota
Renault
KFC

Check your CTDPA Compliance

CookieYes will scan your website and keep you informed on the personal data your website collects through cookies.

CTDPA effective date

The Connecticut Data Privacy Act or CTDPA is a state-wide data privacy that gives consumers in Connecticut enhanced rights over their personal data and places obligations on organisations in the state. The Act was passed on May 10, 2022, and will go into force on July 1, 2023.

CTDPA Compliance Checklist for Websites

  • Implement opt-out for targeted advertising and the sale of personal data
  • Review and update your privacy policy and cookie policy
  • Create a mechanism for data subject access requests
  • Enable universal opt-out mechanism by January 1, 2025

Prepare for CTDPA Compliance with
CookieYes

Implement opt-out requests

Under the CTDPA, businesses are required to provide a clear and conspicuous link that allows consumers to opt out of the processing of data for targeted advertising, sale, and profiling based on automated decision-making.

With CookieYes you can

  • Display a clear and conspicuous opt-out notice on your website
  • Target the opt-out notice for US visitors alone.
  • Respect Global Privacy Control (GPC) signals from browsers

Automate consent management

Ensure that websites set third-party cookies only based on user preferences and establish continuous compliance with Connecticut Data Privacy Act.

With CookieYes you can

  • Scan your website for cookies against a 100,000+ cookie database
  • Schedule cookie scanning for up-to-date information on cookies
  • Record consent logs for proof of consent during audits

Generate a compliant privacy policy

Under the CTDPA, businesses should implement an accessible and clear privacy policy with disclosure on the data collected, the purpose of collection, how to exercise user rights and more.

With CookieYes you can

  • Use our pre-built, legally-compliant policy templates
  • Generate your privacy policy and cookie policy in minutes
  • Simply copy-paste the legal policies to your website

Start your compliance with 
Connecticut Data Privacy Act

Get started with CTDPA compliance

14-day free trial Cancel anytime

Learn more about CTDPA and take the next
step towards compliance

What is Connecticut Data Privacy Act?

An Act Concerning Personal Data Privacy and Online Monitoring, also known as the Connecticut Data Privacy Act (CTDPA) is a new data privacy law that was passed in May 2022. It is the fifth comprehensive state-level privacy law in the US. Similar to its predecessor laws in California, Virginia, Utah and Colorado, the Act aims to protect the privacy of Connecticut residents and gives them rights and control over their personal data. 

CTDPA will go into force on July 1, 2023, and places obligations on businesses collecting and processing the personal data of Connecticut residents.

Who does CTDPA apply to?

The Connecticut Data Privacy Act (CTDPA) applies to entities that conduct business in Connecticut or provide goods or services targeted at Connecticut consumers who during the preceding calendar year either:

  • Controlled or processed personal data of at least 100,000 Connecticut consumers
  • Process personal data for 25,000 or more consumers and receive over 25% of annual gross revenue from selling personal data.

A notable exemption from CTDPA includes personal data controlled or processed to exclusively complete a payment transaction.

What are consumer rights under CTDPA?

Right to access

The right to access the personal data a business has collected about them.

Right to correct

The right to correct any inaccuracy in their personal data.

Right to delete

The right to delete personal information that a business has collected from them.

Right to opt-out

The right to opt out of the processing of personal data for targeted advertising and the sale to third parties.

Right to data portability

The right to obtain a copy of their personal data in a portable format.

What is the penalty for non-compliance?

The Connecticut Attorney General has the enforcement authority in CTDPA. Any business that violates the Act can face fines of up to $5000 per willful violation. In addition to civil penalties, the Attorney General can also seek equitable remedies, such as restitution and injunctive relief.

FAQ on CTDPA Compliance

The Connecticut Data Privacy Act (CTDPA) defines personal data as any information that can be reasonably used to identify an individual. This can include data such as name, email address, phone number, financial account number, and login credentials.

Deidentified data, aggregated data, or publicly available information is not considered personal data.

The Connecticut Data Privacy Act categorises sensitive data as data that reveals race, sexual orientation, religious belief, citizenship or citizenship status genetic or biometric data, precise geolocation data and personal data from a child under the age of 13.

The CTDPA defines the sale of personal data as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”

Notably, the CTDPA includes the exchange of personal data for “other valuable consideration” as sale, aligning with Colorado’s and California’s privacy laws’ definition. This is different from Utah’s and Virginia’s laws which only extend the definition of “sale” to monetary consideration.

Six types of organizations are exempt from Connecticut Data Privacy Act or CTDPA. These include:

  • Local and state governments
  • Non-profits
  • Higher education institutions
  • National security associations registered under the Securities Exchange Act of 1934
  • Financial institutions subject to the Gramm-Leach-Bliley Act
  • Entities covered under the HIPPA

There are sixteen categories of data-level exemptions, including information regulated by laws such as HIPAA, FERPA, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act, as well as employee and job applicant data.

Connecticut Attorney General (AG) has the sole authority to enforce the CTDPA. In the event of a potential violation, the AG’s office will notify the business and give them 60 days from receipt of the notification to correct the violation. From January 1, 2025, this cure period will no longer be available by default and will be provided at the Attorney General’s discretion.

Here are some links you can refer to for additional reading:

Fast-track your CTDPA compliance in minutes

Set up a cookie consent banner in 3 simple steps and automate your compliance.

Become CTDPA Compliant

14-day free trial Cancel anytime