CTDPA

Connecticut Data Privacy Act

Key Facts

Effective Date: July 1, 2023
Enacted: May 10, 2022
Enforcing Authority: Connecticut Attorney General
Consent Model: Opt-out
Fulfillment Time: 45 days
Applies To: Controllers in CT or targeting CT residents: 100,000+ consumers OR 25,000+ consumers and 25%+ revenue from selling PI

Overview

The CTDPA features two unique elements among US state privacy laws: a consent revocation mechanism for sensitive data, and a prohibition on selling children's data or using it for targeted advertising even with consent (2025 amendment). The cure period was eliminated in January 2025.

What This Means for Your Website

  • Global Privacy Control (GPC) signals have had to be honored since January 2025
  • Sensitive data requires opt-in consent with a unique revocation mechanism
  • Sale of data from minors under 18 is prohibited even with consent
  • Children under 13 require parental consent
  • No cure period — the AG can take immediate enforcement action
  • An age-appropriate design code for children's online services takes effect in 2026

Key Requirements

The Connecticut AG enforces the CTDPA with penalties up to $5,000 per willful violation, plus potential actual and punitive damages. Consumer requests must be fulfilled within 45 days. The 2025 amendments significantly strengthened protections for children's data, with active investigations targeting messaging, gaming, and chatbot platforms.

How ConsentStack Handles This

ConsentStack applies the CTDPA's opt-out model for Connecticut visitors with opt-in for sensitive data and enhanced protections for minors, including blocking data sales for under-18 visitors.

Penalties

Up to $5,000 per willful violation; courts may also award actual and punitive damages.

Maximum Fine: $5,000 per violation

Key Requirements

  • Honor GPC/universal opt-out signals (required since January 2025)
  • Opt-in consent for sensitive data with revocation mechanism
  • Privacy notice with categories, purposes, and third parties
  • Consumer rights: access, correct, delete, port, opt-out
  • Data protection assessments for high-risk processing

Notable Provisions

  • Cure period eliminated in January 2025
  • Unique consent revocation mechanism for sensitive data
  • Sale of children's data and its use for targeted advertising prohibited even with consent (2025)
  • Age-appropriate design code coming in 2026

US State Specifics

Private Right of Action: No
Global Opt-out Required: Yes
Sensitive Data Opt-in: Yes
Children Provisions: Under 18: sale and targeted advertising prohibited even with consent (2025). Under 13: parental consent required.

Other North America Regulations

CPRA (California, United States)
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
CCPA (California, United States)
The CCPA was the first comprehensive consumer privacy law in the United States, giving California residents the right to know what personal information businesses collect and to opt out of its sale. It established the opt-out consent model that most subsequent US state privacy laws adopted.
PIPEDA (Canada, Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25 (Quebec, Canada)
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
CPA (Colorado, United States)
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
TDPSA (Texas, United States)
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

Frequently Asked Questions

What is unique about Connecticut's privacy law?

The CTDPA has a unique consent revocation mechanism for sensitive data and prohibits selling children's data even with consent — stronger than most US state laws.

Does Connecticut have a cure period?

No. The cure period was eliminated on January 1, 2025, allowing the AG to take immediate enforcement action.

Must websites honor GPC in Connecticut?

Yes, since January 2025. ConsentStack automatically detects and honors GPC signals for Connecticut visitors.

How does Connecticut protect children's data?

Under 18: sale and targeted advertising prohibited even with consent. Under 13: parental consent required. An age-appropriate design code takes effect in 2026.
