What the CTDPA Requires from Website Owners
Connecticut enacted its data privacy law, Public Act No. 22-15, in May 2022, with the core provisions taking effect on 1 July 2023. The Connecticut Data Privacy Act (CTDPA) sits alongside a growing patchwork of US state privacy frameworks, but it stands apart in several ways - most notably its early and firm requirement to honour Global Privacy Control (GPC) signals.
Attorney General William Tong holds exclusive enforcement authority. There is no private right of action, meaning consumers cannot sue businesses directly for violations. The AG's office has already demonstrated its willingness to act, issuing dozens of cure notices and settling its first enforcement action under the CTDPA in 2025.
If your website collects personal data from Connecticut residents - through analytics cookies, advertising pixels, or contact forms - you need to understand what this law demands.
Who Falls Under the CTDPA's Scope
The original CTDPA applied to businesses conducting business in Connecticut or producing products and services targeted at Connecticut residents, provided they met one of two thresholds: controlling or processing the personal data of at least 100,000 consumers (excluding payment-only data), or processing data of at least 25,000 consumers while deriving more than 25% of gross revenue from data sales.
Senate Bill 1295, effective 1 July 2026, dramatically lowers these bars. The new thresholds are:
- Control or process personal data of 35,000 or more consumers
- Control or process any amount of sensitive data (regardless of volume)
- Offer any consumer personal data for sale in trade or commerce (regardless of volume)
The removal of volume thresholds for sensitive data and data sales means that even small businesses handling sensitive categories or selling any personal data will fall within scope from mid-2026.
Consumer Rights Under the CTDPA
Connecticut consumers hold six core rights under the CTDPA. The 2026 amendments expand several of these, particularly around profiling and automated decision-making.
| Consumer Right | Description | 2026 Amendment Changes |
|---|---|---|
| Right to access | Confirm whether data is being processed and obtain a copy | Now explicitly includes the right to know about inferences drawn from personal data |
| Right to correct | Request correction of inaccurate personal data | Extended to data used in profiling decisions |
| Right to delete | Request deletion of personal data | No significant change |
| Right to portability | Obtain personal data in a portable, usable format | No significant change |
| Right to opt out | Opt out of targeted advertising, data sales, and profiling | Profiling scope expanded beyond "solely" automated decisions |
| Right to non-discrimination | Exercise rights without discriminatory treatment | No significant change |
The profiling amendments are significant. Before the 2026 changes, the opt-out right for profiling covered only decisions made "solely" through automated means. The amended law removes that word, capturing any profiling that produces legal or similarly significant effects on a consumer.
Consumers can now also request details about what inferences are being drawn, how profiling affects them, and can challenge automated decisions that carry significant consequences.
GPC and Opt-Out Preference Signals
Since 1 January 2025, all controllers subject to the CTDPA must honour opt-out preference signals sent by consumers. This includes the Global Privacy Control signal, which users can enable through privacy-focused browsers or browser extensions.
The signal must come from a platform or mechanism that allows the controller to reasonably determine whether the consumer is a Connecticut resident. When a GPC signal conflicts with a consumer's prior consent choices - or even their voluntary participation in a loyalty or discount programme - the controller must still comply with the opt-out signal. The signal takes priority.
This has direct implications for your cookie banner. If a visitor sends a GPC signal, your site must suppress marketing cookies and any data processing tied to targeted advertising or sales, regardless of whether the visitor has previously accepted cookies through your banner.
The requirement mirrors similar provisions in the Colorado Privacy Act and California's CCPA/CPRA. Businesses already honouring GPC for California visitors can extend that logic to Connecticut.
Sensitive Data and Consent Requirements
The CTDPA defines sensitive data as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data, children's data, and precise geolocation.
Processing sensitive data requires the consumer's prior consent - an opt-in model, not opt-out. Your privacy notice must clearly identify which categories of sensitive data you collect and the purposes for processing.
From 1 July 2026, the CTDPA introduces an outright ban on processing minors' personal data for targeted advertising or sale. This is a categorical prohibition. Unlike other provisions, consent does not override it. If a visitor is under 18, you cannot use their data for advertising purposes, full stop.
Enforcement: What the AG's Office Has Done So Far
The Connecticut Attorney General's 2025 enforcement report provides a clear picture of enforcement priorities. The office received 70 CTDPA-specific complaints and more than 1,830 data breach notifications during the year.
Key enforcement actions and patterns include:
- TicketNetwork was fined $85,000 for CTDPA violations - the first enforcement action under the statute
- Over two dozen cure notices were issued for inadequate privacy notices
- Active investigations into dark patterns in cookie banners and consent interfaces
- Focus on businesses failing to honour GPC and similar opt-out signals
- Multiple data breach settlements, including PharMerica ($200,000) and WebTPA Employer Services ($200,000)
The most common consumer complaint was difficulty getting companies to delete personal data - with reports of companies ignoring requests, creating unnecessarily complicated processes, or claiming exemptions that may not apply.
A critical enforcement change took effect on 1 January 2025: the cure period was eliminated. Previously, the AG had to give businesses 60 days to fix violations before taking action. That grace period no longer exists. The AG can now pursue enforcement immediately upon discovering a violation.
Privacy Notice and Disclosure Requirements
Your website's privacy notice must disclose specific information under the CTDPA. This includes the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, the categories of third parties with whom data is shared, and the categories of data shared with third parties.
The 2026 amendments add new disclosure obligations. If you use personal data to train artificial intelligence systems or large language models, you must state this in your privacy notice from 1 July 2026. Data protection impact assessments become mandatory from 1 August 2026 for processing activities involving profiling that produces legal or similarly significant effects.
The AG's enforcement report flagged privacy notices as a top area of non-compliance. Common failures include omitting required categories of information, using vague or overly broad descriptions, and failing to provide clear instructions for exercising opt-out rights.
How the CTDPA Compares to Other State Laws
Connecticut's law follows the opt-out model established by Virginia's VCDPA, but with several distinguishing features. The table below highlights differences relevant to website owners.
| Feature | CTDPA (Connecticut) | VCDPA (Virginia) | CCPA/CPRA (California) |
|---|---|---|---|
| GPC recognition | Mandatory from Jan 2025 | Not required | Mandatory |
| Cure period | Eliminated (Jan 2025) | 30 days (permanent) | Eliminated |
| Minor data ban | Under 18, effective Jul 2026 | Under 18, opt-in consent | Under 16, opt-in consent |
| AI training disclosure | Required from Jul 2026 | Not required | Not currently required |
| Enforcement | AG exclusive | AG exclusive | AG + CPPA; private right of action limited to data breaches |
| Applicability threshold | 35,000 consumers (from Jul 2026) | 100,000 consumers | Revenue or volume based |
For a broader view of how all active US state privacy laws compare, including threshold details and GPC requirements, consult the full comparison.
Practical Steps for Website Compliance
Start by auditing what your website collects. Run a cookie scan to identify every cookie and tracking technology active on your site. Many website owners discover third-party scripts setting cookies they did not know about - from embedded videos to chat widgets to social sharing buttons.
Ensure your consent mechanism respects GPC signals. The browser sends the signal as a Sec-GPC: 1 request header and also exposes it to page scripts as the navigator.globalPrivacyControl property, so it can be checked on the server before the page is rendered or in the consent script before any tag loads. When the signal is present, your site should automatically suppress non-essential cookies and tags tied to targeted advertising or data sales, even where a stored banner choice says "accept". This should happen server-side or through your consent management platform before any tracking scripts fire; recording the signal after an ad pixel has already loaded defeats the purpose.
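Consent-gating logic that honours the signal as the two GPC passages above describe, written as an added example (not code from the original page or from Kukie.io). It assumes the banner stores prior choices as a purpose-to-boolean map and that third-party tags are kept in a catalogue tagged with the purpose each serves; the catalogue entries and hostnames are constructed sample data. The same decision is reused for the server-side header check and the client-side navigator property:

```javascript
// Added example: honouring Global Privacy Control for the CTDPA opt-out purposes.
// Not code from the original page or from Kukie.io. The purpose names, the stored
// consent shape and the script catalogue below are assumptions for illustration.

// Purposes a GPC signal opts the visitor out of. Analytics and functional
// cookies are not covered by the signal and keep whatever the banner recorded.
const GPC_OPT_OUT_PURPOSES = new Set(["targeted_advertising", "sale"]);

// Server side: the browser sends "Sec-GPC: 1". Header names are case-insensitive,
// and only the exact value "1" is an opt-out. A missing header or any other
// value means "no signal", which is not the same as consent.
function hasGpcHeader(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side: the same signal is exposed as navigator.globalPrivacyControl.
// The navigator object is passed in so the check can be exercised without a browser.
function hasGpcProperty(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Merge the banner's stored choices with the signal. The signal overrides a prior
// "accept" for the opt-out purposes and never grants consent for anything.
function resolveConsent(storedConsent, gpcSignal) {
  const effective = {
    analytics: false,
    functional: false,
    targeted_advertising: false,
    sale: false,
    ...storedConsent,
  };
  if (gpcSignal) {
    for (const purpose of GPC_OPT_OUT_PURPOSES) {
      effective[purpose] = false;
    }
  }
  return effective;
}

// Constructed sample catalogue of third-party tags and the purpose each serves.
const SCRIPT_CATALOGUE = [
  { src: "https://analytics.example/collect.js", purpose: "analytics" },
  { src: "https://ads.example/pixel.js", purpose: "targeted_advertising" },
  { src: "https://broker.example/share.js", purpose: "sale" },
  { src: "https://chat.example/widget.js", purpose: "functional" },
];

// Decide which tags may load. Returning the list, rather than injecting script
// elements directly, lets the server render the page without the suppressed tags
// and keeps the gate testable.
function allowedScripts(effectiveConsent, catalogue = SCRIPT_CATALOGUE) {
  return catalogue
    .filter((tag) => effectiveConsent[tag.purpose] === true)
    .map((tag) => tag.src);
}

// Server-side handling of one request: read the header, resolve consent, pick the
// tags, and tell shared caches that the response depends on Sec-GPC.
function handleRequest(headers, storedConsent) {
  const gpc = hasGpcHeader(headers);
  const consent = resolveConsent(storedConsent, gpc);
  return {
    gpc,
    consent,
    scripts: allowedScripts(consent),
    responseHeaders: { Vary: "Sec-GPC" },
  };
}

// Worked case: a visitor who accepted every category in the banner earlier and
// has since turned GPC on. Only the analytics and chat tags survive.
const priorAccept = { analytics: true, functional: true, targeted_advertising: true, sale: true };
const result = handleRequest({ "sec-gpc": "1", "user-agent": "example" }, priorAccept);
console.log(result.scripts);
```

Two points worth keeping from the design. First, the signal only ever removes permissions: a visitor who sends GPC but never interacted with the banner still has no analytics consent, because GPC is not an "accept" for anything. Second, because the rendered page differs depending on the Sec-GPC header, any CDN or reverse-proxy cache in front of the site has to key on that header (the Vary: Sec-GPC response header above), or a cached copy built for a non-GPC visitor will ship the ad pixel to everyone.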
Update your privacy notice to include all CTDPA-required disclosures. If you use data for AI training, add that disclosure before 1 July 2026. Review your data subject request process - the AG's report shows that deletion requests are the most common complaint area.
If you process data from visitors across multiple US states, consider building a unified compliance approach. The relationship between GPC and cookie banners applies across Connecticut, Colorado, California, and a growing number of states requiring universal opt-out recognition.
Frequently Asked Questions
Does the CTDPA apply to small businesses?
From 1 July 2026, the CTDPA applies to any business that processes sensitive data or sells personal data in any amount, regardless of size. The general threshold drops to 35,000 consumers. Small businesses handling sensitive data or selling any personal data will be covered.
Do I need to honour Global Privacy Control signals under Connecticut law?
Yes. Since 1 January 2025, all controllers subject to the CTDPA must honour opt-out preference signals such as GPC for targeted advertising and data sales. The signal overrides any prior consent the consumer may have given.
What happens if I do not comply with the CTDPA?
The Attorney General can pursue enforcement under the Connecticut Unfair Trade Practices Act, which carries civil penalties of up to $5,000 per wilful violation. There is no cure period - the AG can take immediate action.
Can I still use targeted advertising cookies for visitors under 18?
No. From 1 July 2026, the CTDPA categorically bans processing of minors' personal data for targeted advertising or sale. This applies regardless of whether consent has been obtained.
Does the CTDPA require opt-in consent for all cookies?
No. The CTDPA uses an opt-out model for most data processing. Opt-in consent is only required for sensitive data categories such as health data, biometric data, and precise geolocation. Standard analytics and functional cookies fall under the opt-out framework.
How is the CTDPA different from the CCPA?
Both require GPC recognition, but the CTDPA is enforced exclusively by the Attorney General with no private right of action. The CTDPA also introduces a categorical ban on minors' data for advertising from mid-2026, while California uses an opt-in consent model for under-16s.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.