CTDPA Explained: Connecticut's Privacy Law for Online Businesses
The Connecticut Data Privacy Act requires GPC support and covers nonprofits too. Here's what e-commerce businesses need to know.
2026-03-03
The Connecticut Data Privacy Act (CTDPA) took effect on July 1, 2023. It's closely modeled on Virginia's VCDPA but has a few important differences — including a requirement to honor Global Privacy Control (GPC) signals and broader applicability that includes some nonprofits.
Who Does the CTDPA Apply To?
The CTDPA applies to businesses that conduct business in Connecticut or target Connecticut residents and meet either threshold:
- Control or process personal data of at least 100,000 Connecticut consumers (excluding data processed solely for payment transactions), OR
- Control or process personal data of at least 25,000 Connecticut consumers and derive more than 25% of gross revenue from selling personal data
Unlike most other state privacy laws, the CTDPA can also apply to nonprofits — though certain categories (like 501(c)(3) organizations) have limited exemptions.
Key Requirements
Privacy Policy
Your privacy policy must disclose:
- Categories of personal data processed
- Purposes for processing
- How consumers can exercise their rights and appeal decisions
- Categories of third parties you share data with
- Whether you sell data or use it for targeted advertising
Consumer Rights
Connecticut consumers have the right to:
- Access their personal data
- Correct inaccurate data
- Delete their personal data
- Data portability — obtain a copy
- Opt out of sale, targeted advertising, and profiling
- Appeal a denied rights request
The appeal right is notable — if you deny a consumer's request, you must provide a mechanism for them to appeal, and you must respond to the appeal within 60 days.
Universal Opt-Out
As of January 1, 2025, the CTDPA requires businesses to honor universal opt-out signals like GPC. This means:
- Your website must detect GPC signals from browsers
- A GPC signal must be treated as a valid opt-out of sale and targeted advertising
- You cannot require additional steps from the consumer
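An added example, not from the original article or from ClearConsent: server-side JavaScript that reads the `Sec-GPC` request header defined by the GPC specification and applies the opt-out of sale and targeted advertising with no further step from the consumer. The function names, the saved-preference shape and the tag list are assumptions made for illustration.

```javascript
// Added example. Function names, preference shape and tags are hypothetical.
// A browser with GPC enabled sends the request header "Sec-GPC: 1".

// Purposes a GPC opt-out covers, per the list above.
const GPC_PURPOSES = ['sale', 'targeted_advertising'];

// True only when a Sec-GPC header is present with the value "1".
// Header names are matched case-insensitively; repeated values are accepted.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const values = Array.isArray(value) ? value : [value];
    if (values.some((v) => String(v).trim() === '1')) return true;
  }
  return false;
}

// Merge the signal with opt-outs the consumer already saved (for example
// through a cookie banner). The signal alone is sufficient to opt out.
function resolveOptOuts(headers, savedOptOuts = {}) {
  const gpc = hasGpcSignal(headers);
  const optOuts = {};
  for (const purpose of GPC_PURPOSES) {
    optOuts[purpose] = gpc || savedOptOuts[purpose] === true;
  }
  return { gpc, optOuts };
}

// Names of the tags that may still load under the resolved opt-outs.
function allowedTags(tags, decision) {
  return tags
    .filter((tag) => decision.optOuts[tag.purpose] !== true)
    .map((tag) => tag.name);
}

// Constructed sample data.
const SAMPLE_TAGS = [
  { name: 'cart-session', purpose: 'essential' },
  { name: 'ad-retargeting-pixel', purpose: 'targeted_advertising' },
  { name: 'data-broker-sync', purpose: 'sale' },
];

const withGpc = resolveOptOuts({ 'Sec-GPC': '1' }, { sale: false });
console.log(allowedTags(SAMPLE_TAGS, withGpc));
```

Run the resolution on the server before rendering any tag markup, so that opted-out tags are never sent to the browser in the first place.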
Sensitive Data
Explicit opt-in consent is required before processing sensitive data, including:
- Racial or ethnic origin
- Religious beliefs
- Health data
- Sexual orientation
- Citizenship or immigration status
- Biometric or genetic data
- Children's data (under 13)
- Precise geolocation data
Data Protection Assessments
Data protection assessments are required for:
- Targeted advertising
- Selling personal data
- Profiling with risk of harm
- Processing sensitive data
Enforcement and Penalties
The CTDPA is enforced by the Connecticut Attorney General. There is no private right of action. The original 60-day cure period expired on December 31, 2024 — meaning the AG can now pursue enforcement without offering businesses a chance to fix violations first.
Penalties can reach $5,000 per violation under the Connecticut Unfair Trade Practices Act.
CTDPA Compliance Checklist
- Privacy policy with all required disclosures
- GPC support — detect and honor Global Privacy Control signals
- Cookie consent banner with opt-out capabilities
- Appeal process for denied consumer requests
- Sensitive data consent — opt-in before processing
- Data protection assessments for targeted advertising and data sales
- 45-day response window for consumer requests
Check Your Compliance
ClearConsent scans your site against all 19 US state privacy laws including the CTDPA. It checks for GPC support, tracker detection, cookie consent, privacy policy presence, and more.