AuditXYZ

Compliance Framework

Connecticut Data Privacy Act (Public Act No. 22-15)

The CTDPA is Connecticut's comprehensive data privacy law, closely modeled on the VCDPA and CPA, with additional provisions for universal opt-out mechanisms and loyalty program disclosures.

Issuing Body: Connecticut General Assembly
First Published: 2022-05-10
Latest Version: 2022 (enforced July 1, 2023)
Typical Cost: $5,000–$70,000
Typical Timeline: 2–5 months
Audit Required: No
Audit Frequency: No mandatory external audit. Data protection assessments required for targeted advertising, profiling, sale of personal data, and sensitive data processing.
Geography: us-connecticut

CTDPA: The Complete Guide

The Connecticut Data Privacy Act, signed into law in May 2022 and effective July 1, 2023, represents Connecticut's entry into the growing landscape of US state privacy legislation. The CTDPA draws heavily from the Virginia and Colorado privacy laws while incorporating several consumer-friendly provisions.

What the CTDPA Covers

The CTDPA grants Connecticut consumers the right to access, correct, delete, and obtain a portable copy of their personal data. Consumers may opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects.

Like the Colorado Privacy Act, the CTDPA requires controllers to recognize universal opt-out mechanisms beginning January 1, 2025. This means businesses must detect and honor signals such as the Global Privacy Control without requiring consumers to submit individual requests.

Processing of sensitive data — including racial or ethnic origin, religious beliefs, health information, biometric data, precise geolocation, and data concerning children — requires opt-in consent. The CTDPA also includes specific transparency requirements for loyalty and rewards programs.

Who Needs to Comply

The CTDPA applies to entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and that, during the prior calendar year, either controlled or processed personal data of at least 100,000 consumers (excluding payment transaction data), or controlled or processed data of at least 25,000 consumers while deriving more than 25% of gross revenue from the sale of personal data.

Entities and data covered by HIPAA, GLBA, FERPA, and certain other federal laws are exempt.

Enforcement

The Connecticut Attorney General holds exclusive enforcement authority. An initial 60-day cure period applied until December 31, 2024. Civil penalties are assessed under the Connecticut Unfair Trade Practices Act, reaching up to $5,000 per willful violation.

Practical Compliance Steps

  1. Applicability assessment — Evaluate processing thresholds against Connecticut consumer data
  2. Universal opt-out — Implement GPC and similar signal recognition
  3. Sensitive data consent — Deploy opt-in consent flows for sensitive personal data categories
  4. Rights fulfillment — Establish 45-day response processes for consumer requests with a 45-day extension if needed
  5. Loyalty programs — Ensure transparency in how personal data is used in rewards and loyalty programs
  6. Vendor contracts — Update processor agreements to include CTDPA-required provisions
