Overview
The Connecticut Data Privacy Act (CTDPA) closely follows the Virginia model but adds important consumer protections, including requirements for consent mechanisms and special provisions for loyalty programs.
Full Name and Description
Connecticut Data Privacy Act (CTDPA): Also known as "An Act Concerning Personal Data Privacy and Online Monitoring," the CTDPA was signed into law on May 10, 2022, and became effective July 1, 2023. It provides Connecticut residents with data protection rights and establishes business obligations for personal data processing.
Enforcement Date
- Effective Date: July 1, 2023
- Cure Period Ends: December 31, 2024 (the right to cure a violation phases out after this date)
Governing Body
- Connecticut Attorney General: Exclusive enforcement authority
- No Private Right of Action: Consumers cannot sue directly for violations
Primary Purpose
The CTDPA aims to:
- Grant Connecticut consumers rights over their personal data
- Require transparency in data collection and processing
- Establish consent requirements for sensitive data
- Create uniform standards for data protection across industries
Applicability
Who Needs to Comply?
The CTDPA applies to persons that conduct business in Connecticut or produce products/services targeted to Connecticut residents AND during the preceding calendar year either:
- Controlled or processed personal data of 100,000+ Connecticut consumers (excluding data processed solely for payment transactions), OR
- Controlled or processed personal data of 25,000+ Connecticut consumers AND derived more than 25% of gross revenue from the sale of personal data
Notable Threshold Difference
Connecticut's revenue threshold is 25% (compared to 50% in Virginia and Colorado), making it potentially applicable to more businesses that derive even modest revenue from data sales.
Key Exemptions
Entity-Level Exemptions:
- State and political subdivisions
- Nonprofit organizations
- Higher education institutions
- National securities associations registered under 15 U.S.C. § 78o-3
- Financial institutions subject to GLBA
- HIPAA-covered entities and business associates
Data-Level Exemptions:
- Employment-related data
- B2B contact information
- Data governed by HIPAA, GLBA, FCRA, FERPA, COPPA, DPPA
- Publicly available information
What the CTDPA Governs
Types of Data Covered
Personal Data - Any information linked or reasonably linkable to an identified or identifiable individual. Excludes de-identified data and publicly available information.
Sensitive Data (requires opt-in consent):
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data processed for identification purposes
- Personal data of a known child
- Precise geolocation data
Consumer Rights Under CTDPA
Connecticut residents have five core rights:
- Right to Access: Confirm processing and access personal data
- Right to Correct: Request correction of inaccurate data
- Right to Delete: Request deletion of personal data
- Right to Portability: Obtain data in a portable, readily usable format
- Right to Opt-Out: Decline any of the following:
  - Sale of personal data
  - Targeted advertising
  - Profiling for decisions with legal or similarly significant effects
Consent Requirements
The CTDPA requires specific, informed consent that is:
- Freely given
- Specific to the processing purpose
- Informed (consumer knows what they're agreeing to)
- Unambiguous (clear affirmative action)
Consent Cannot Be Obtained Through:
- Acceptance of general terms of use
- Hovering over, muting, pausing, or closing content
- Agreement obtained through dark patterns
Compliance Requirements
Key Obligations for Controllers
1. Privacy Notice Requirements
Provide reasonably accessible privacy notices that include:
- Categories of personal data processed
- Purpose of processing
- How to exercise consumer rights (including appeals)
- Categories of data shared with third parties
- Categories of third parties receiving data
- Active email address or other mechanism for contacting the controller
2. Purpose Limitation and Data Minimization
- Collect only data adequate, relevant, and reasonably necessary for disclosed purposes
- Process data only for disclosed purposes unless consumer provides consent
3. Security Obligations
- Establish, implement, and maintain reasonable security practices
- Security measures must be appropriate to volume and sensitivity of data
4. Consumer Request Handling
| Requirement | Timeframe |
|---|---|
| Initial Response | 45 days |
| Extension (with notice) | Additional 45 days |
| Appeal Response | 60 days |
| Inform of AG Contact | With appeal denial |
5. Appeals Process
Controllers must:
- Establish an internal process for appeals
- Inform consumers how to submit an appeal
- Respond to appeals within 60 days
- Provide written explanation for appeal denials
- Inform consumers of right to contact Attorney General
Data Protection Assessments
Required for processing activities that present heightened risk of harm:
- Targeted advertising
- Sale of personal data
- Profiling with risk of unfair treatment, injury, or intrusion
- Sensitive data processing
- Any processing with heightened harm risk
Assessments must:
- Identify and weigh benefits vs. risks
- Consider use of de-identification
- Factor in consumer expectations
- Be made available to AG upon request
Loyalty Program Provisions
The CTDPA includes specific provisions for loyalty and rewards programs:
- Consumers who opt out of sale or targeted advertising cannot be denied loyalty program participation
- Bona fide loyalty programs may offer different terms/prices if reasonably related to consumer data value
- Must disclose material terms of loyalty programs in privacy notices
Consequences of Non-Compliance
Enforcement Process
- Notice of Violation: AG provides written notice of alleged violation
- Cure Period: 60 days to cure (until December 31, 2024)
- Post-Cure Period: No cure opportunity after December 31, 2024
- Enforcement: Civil action if violation persists
Penalties and Fines
- Up to $5,000 per violation (under Connecticut Unfair Trade Practices Act)
- Actual damages to consumers
- Injunctive relief
- Attorney fees and costs
Business Impact
- Reputational damage from public enforcement
- Operational costs for remediation
- Potential loss of consumer trust
- Scrutiny in other jurisdictions
Why the CTDPA Exists
Historical Background
- April 2022: Connecticut legislature passes SB 6
- May 10, 2022: Governor Lamont signs CTDPA into law
- July 1, 2023: CTDPA takes effect
- December 31, 2024: Cure period expires
Distinctive Features
Connecticut's CTDPA is notable for:
- Lower revenue threshold (25%): More businesses may qualify than under 50% threshold laws
- Loyalty program protections: Explicit rules for rewards programs
- Extended appeal response time: 60 days vs. 45 days in other states
- Dark patterns prohibition: Explicit prohibition on using dark patterns for consent
- Phase-out cure period: Cure period ends after first year
Comparison with Other State Laws
| Feature | CTDPA | VCDPA | CPA |
|---|---|---|---|
| Revenue Threshold | 25% | 50% | Any |
| Appeal Response Time | 60 days | 45 days | 45 days |
| Universal Opt-Out | Not required | Not required | Required |
| Cure Period | Until 12/31/24 | Until 1/1/25 | Until 1/1/25 |
| Loyalty Program Rules | Yes | No | No |
Implementation & Best Practices
How to Become Compliant
Step 1: Threshold Analysis
- Count Connecticut consumers in your databases
- Calculate percentage of revenue from personal data sales
- Document exemption status if applicable
Step 2: Data Inventory
- Map all personal data from Connecticut residents
- Identify sensitive data categories
- Document processing purposes for each data type
- Track third-party data sharing
Step 3: Privacy Notice Updates
- Ensure all required disclosures are included
- Provide clear instructions for exercising rights
- Include appeals process information
- Disclose loyalty program terms if applicable
Step 4: Consent Mechanism Implementation
- Build opt-in consent for sensitive data
- Ensure consent is freely given, specific, and unambiguous
- Avoid dark patterns in consent interfaces
- Maintain consent records
Step 5: Consumer Rights Infrastructure
- Create request intake channels
- Implement 45-day response workflows
- Build 60-day appeal response process
- Train staff on handling procedures
Step 6: Loyalty Program Review
- Assess whether consumers who opt out are treated fairly
- Document value exchange for differential treatment
- Update program terms and disclosures
Avoiding Dark Patterns
The CTDPA explicitly prohibits dark patterns for obtaining consent. Avoid:
- Making opt-out harder to find or complete than opt-in
- Using confusing language to manipulate choices
- Requiring excessive steps for privacy-protective choices
- Pre-selecting consent options
- Using visual manipulation (color, size) to push preferred choices
Example of Compliant vs. Non-Compliant Design:
NON-COMPLIANT:
[x] I agree to receive targeted ads (pre-checked by default)
[tiny gray link: manage preferences]
COMPLIANT:
Would you like to receive personalized advertising?
[ ] Yes, show me targeted ads
[ ] No, show me general ads
[Equally prominent manage preferences button]
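The consent criteria listed under Consent Requirements (freely given, specific, informed, unambiguous; never via general terms of use, hovering or closing content, or pre-selected options) can be enforced when a consent record is written, which also produces the consent records Step 4 calls for. The following Python is an added example and is not code from the page; the record fields, the action names, and the sample records are assumptions, not statutory text.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# UI events the page says cannot constitute consent (assumed event names).
IMPLIED_ACTIONS = {"hover", "mute", "pause", "close", "accept_terms_of_use"}
# Clear affirmative actions treated as unambiguous consent (assumption).
AFFIRMATIVE_ACTIONS = {"checkbox_checked", "button_clicked", "toggle_enabled"}

@dataclass(frozen=True)
class ConsentRecord:
    consumer_id: str
    purpose: str             # specific processing purpose, e.g. "targeted_advertising"
    action: str              # UI event that produced the consent
    preselected: bool        # consenting option was already checked before the user acted
    options_shown: tuple     # choices presented with equal prominence, e.g. ("yes", "no")
    purpose_disclosed: bool  # purpose text was visible before the user acted
    recorded_at: datetime

def consent_defects(rec: ConsentRecord) -> list[str]:
    """Return the consent criteria this record fails (an empty list means valid)."""
    defects = []
    if rec.action in IMPLIED_ACTIONS:
        defects.append(f"not unambiguous: '{rec.action}' is not an affirmative act")
    elif rec.action not in AFFIRMATIVE_ACTIONS:
        defects.append(f"not unambiguous: unknown action '{rec.action}'")
    if rec.preselected:
        defects.append("dark pattern: consenting option was pre-selected")
    if len(set(rec.options_shown)) < 2:
        defects.append("not freely given: no equally available decline option")
    if not rec.purpose.strip() or rec.purpose.lower() == "general":
        defects.append("not specific: purpose is missing or generic")
    if not rec.purpose_disclosed:
        defects.append("not informed: purpose was not disclosed before consent")
    return defects

def may_process(records, consumer_id: str, purpose: str) -> bool:
    """Opt-in gate: permit processing only on a defect-free record for this exact purpose."""
    return any(r.consumer_id == consumer_id and r.purpose == purpose
               and not consent_defects(r) for r in records)

# Constructed sample records, not real consumer data.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
RECORDS = [
    # Mirrors the non-compliant design: pre-checked box buried in general terms.
    ConsentRecord("c-1", "targeted_advertising", "accept_terms_of_use", True, ("agree",), False, NOW),
    # Mirrors the compliant design: explicit yes/no choice with the purpose shown first.
    ConsentRecord("c-2", "targeted_advertising", "checkbox_checked", False, ("yes", "no"), True, NOW),
]
```

Calling `consent_defects` on the first record lists every criterion the non-compliant design fails, while `may_process` lets only the second consumer's data be used for targeted advertising.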
Ongoing Compliance Maintenance
- Quarterly Consent Audits: Verify consent mechanisms work correctly
- Annual DPA Reviews: Update data protection assessments
- Consumer Request Tracking: Monitor response times and outcomes
- Privacy Notice Updates: Reflect any processing changes
- Staff Training Refreshers: Keep team current on requirements
Additional Resources
Industry Guidance
- IAPP Connecticut Privacy Law Analysis
- State Privacy Law Comparison Charts
- Dark Patterns Avoidance Guidelines
Related Regulations
- CCPA/CPRA Compliance Guide - California's privacy framework
- Virginia VCDPA Compliance - Virginia's privacy law
- Colorado CPA Compliance - Colorado's privacy framework
- Utah UCPA Compliance - Utah's privacy law
- GDPR Compliance Guide - EU data protection
Conclusion
The Connecticut Data Privacy Act follows the Virginia model while adding consumer-friendly provisions around loyalty programs and dark patterns. The lower 25% revenue threshold from data sales means more businesses may need to comply compared to states with 50% thresholds.
Organizations should pay particular attention to the explicit prohibition on dark patterns for consent, the 60-day appeal response requirement, and the phase-out of the cure period at the end of 2024.