Connecticut
Code/Regulations
- Connecticut Data Privacy Act (CTDPA)
- Code: Conn. Gen. Stat. §§ 42-515 to –525 (2022)
- Amended by SB 1295
Amended Effective Date: July 1, 2026
Details
Threshold
For-profit entities that conduct business in Connecticut or produce products and services that are intentionally targeted to Connecticut residents ("consumers") and that during the preceding calendar year fall into one of the following categories:
(1) Control or process the personal data of at least 35,000 consumers (excluding personal data processed solely to complete a payment transaction); OR
(2) Control or process consumers' sensitive data (excluding personal data processed solely to complete a payment transaction); OR
(3) Offer consumers' personal data for sale in trade or commerce.
Definition of "Personal Data"
Any information that is linked or reasonably linkable to an identified or identifiable individual. Does not include de-identified data or publicly available information. Personal data does not include data from people acting in an employment or commercial context.
Definition of "Sensitive Data"
As with all state general privacy laws, includes the following Personal Data:
- Race or ethnic origin;
- Religious beliefs;
- Citizenship or immigration status;
- Genetic data;
- Biometric data;
- Physical or mental health diagnosis, disability or treatment; and
- Sexual orientation, or status as nonbinary or transgender.
In addition, Connecticut's definition also includes:
- Consumer Health Data
- Sex life;
- Personal data collected from a known child, or from an individual the controller willfully disregards is a child
- Status as a victim of crime
- Precise geolocation data
- Neural data
- Consumer's financial account number, financial account log-in information or credit card or debit card number that, in combination with any required access or security code, and
- Government-issued identification number, state identification card number or driver's license number, that applicable law does not require to be public
Definition of "Sale"
Exchange of personal data for monetary or other valuable consideration by the controller to a third party
Data-Protection Assessments
Required for processing activities with a heightened risk of harm to a consumer including targeted advertising, sale of personal data, processing of sensitive data, and certain profiling
Opt-In Consent Required for Processing Sensitive Data
Yes
Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability
Yes
Consumer Right to Opt Out of Sale
Yes
Consumer Right to Opt Out of Targeted Ads
Yes
Consumer Right to Opt Out of Profiling
Yes
Pseudonymous Data Exempt from Consumer Requests
Yes
Appeal Rights
Yes
Universal Opt-Out Mechanism Required
Yes
Data of Minors
Process sensitive data of a known child in accordance with COPPA
Consent to sell personal data of minors 13 to 16 or process their personal data for targeted advertising
GLBA Exemption
Yes (data-level)
HIPAA Exemption
Yes (entity-level)
Applies/Does Not Apply to Personal Information in a Commercial or Employment Context
Does not apply to commercial or employment context; applies in an individual or household context
Nonprofit Exemption
Yes
Private Right of Action
No
Cure Period
60 Days
Enforcement Authority/Damages
Attorney General/up to $5,000 per violation
Current as of December 11, 2025
Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.