Law Updates | March 29, 2026 | 13 min read

Connecticut Data Privacy Act (CTDPA): Complete 2026 Compliance Guide

Connecticut’s Data Privacy Act — A Major 2026 Overhaul

The Connecticut Data Privacy Act (CTDPA) was signed into law on May 10, 2022, and took effect on July 1, 2023, making Connecticut the fourth state in the nation to enact a comprehensive consumer data privacy law. While the original law closely followed the Virginia model, Connecticut has since charted its own path with SB 1295 — one of the most significant amendments to any state privacy law — set to take effect on July 1, 2026.

If your business operates in Connecticut or serves Connecticut residents, use our Privacy Law Calculator to determine your compliance obligations across all state privacy laws.

Who Must Comply with the CTDPA?

The CTDPA applies to entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents. Starting July 1, 2026 (SB 1295), the applicability thresholds are significantly lowered:

  • Process personal data of 35,000 or more Connecticut consumers (lowered from 100,000), excluding data processed solely for payment transactions, OR
  • Process personal data of 25,000 or more Connecticut consumers AND derive more than 25% of gross revenue from the sale of personal data

Critical change: SB 1295 removes processing thresholds entirely for controllers that process sensitive data or sell personal data. Any controller handling sensitive data or selling any consumer data automatically falls within scope, regardless of the number of consumers.

Exemptions

The CTDPA provides both entity-level and data-level exemptions:

  • Entity exemptions: Government bodies, nonprofits, institutions of higher education
  • Data exemptions: Data governed by HIPAA, FCRA, FERPA, DPPA, and COPPA
  • Major SB 1295 change: The blanket entity-level GLBA exemption for financial institutions has been eliminated. It is replaced with a narrower data-level exemption — GLBA-regulated data remains exempt, but the entity as a whole must comply with the CTDPA for non-GLBA data. Specific entity-level exemptions remain for insurers, banks, and certain investment agents.

Consumer Rights Under the CTDPA

The CTDPA grants Connecticut residents a comprehensive set of privacy rights — expanded further by SB 1295:

  • Right to access — Confirm whether a controller is processing personal data and access that data
  • Right to correction — Request correction of inaccurate personal data
  • Right to deletion — Request deletion of personal data
  • Right to data portability — Obtain a copy of personal data in a portable format
  • Right to opt out of data sale — Opt out of the sale of personal data
  • Right to opt out of targeted advertising — Opt out of processing for targeted advertising
  • Right to opt out of profiling — Opt out of profiling with legal or similarly significant effects
  • Right to limit sensitive data — Require opt-in consent for sensitive data processing
  • Right to appeal — Appeal a controller’s refusal to act on a request
  • NEW: Right to contest profiling — SB 1295 adds the right to contest profiling results, request the reasoning and input data behind decisions, and (for housing-related decisions) correct data and request re-evaluation

Controllers must respond to consumer rights requests within 45 days, with one 45-day extension if reasonably necessary.

Universal Opt-Out Mechanism (GPC) Requirement

Connecticut was among the first states to mandate universal opt-out mechanism recognition. Since January 1, 2025, businesses must honor Global Privacy Control (GPC) and similar mechanisms as valid opt-out requests for both data sales and targeted advertising.

This places Connecticut alongside California, Colorado, Texas, Montana, Delaware, Oregon, and Maryland in requiring universal opt-out recognition. Check your GPC obligations with our GPC Compliance Checker.

SB 1295: The Major 2026 Overhaul

Signed on June 24, 2025 and taking effect on July 1, 2026, SB 1295 is one of the most significant amendments to any state privacy law. Here are the key changes:

Lowered Applicability Thresholds

The base threshold drops from 100,000 to 35,000 consumers (excluding payment-only transactions). Processing thresholds for sensitive data and data sales are removed entirely — meaning even small-scale processing triggers compliance obligations if it involves sensitive data or selling data.

AI and LLM Transparency Requirement

Controllers must now disclose in their privacy notices whether personal data is collected, used, or sold for training large language models (LLMs). This is one of the first state-level AI transparency requirements in the US and reflects Connecticut’s leadership in addressing AI-related privacy concerns.

GLBA Exemption Restructured

The blanket entity-level exemption for GLBA-regulated financial institutions is eliminated. Financial institutions must now comply with the CTDPA for all non-GLBA data, meaning banks, credit unions, and other financial services companies that collect consumer data outside of financial transactions must apply CTDPA protections to that data.

Expanded Sensitive Data Categories

SB 1295 adds four new categories to the sensitive data definition:

  • Neural data — Data generated by a person’s brain activity (e.g., from brain-computer interfaces)
  • Transgender or nonbinary status
  • Financial account credentials
  • Government-issued identification numbers

Profiling Impact Assessments

New impact assessment requirements apply to profiling that produces legal or similarly significant effects on consumers. Assessments must document the purpose, risks, input and output data, performance metrics, and safeguards.

Strengthened Minor Protections

SB 1295 bans targeted advertising and data sale for minors with no consent exception. It also applies a strict necessity standard for geolocation collection from minors and prohibits system design features intended to significantly increase a minor’s usage of services.

Enforcement and Penalties

The CTDPA is enforced by the Connecticut Attorney General under the Connecticut Unfair Trade Practices Act (CUTPA). There is no private right of action.

  • Penalties: Up to $5,000 per violation
  • Cure period: None (sunsetted on December 31, 2024)
  • Enforcement posture: The AG has full enforcement discretion without first offering a cure opportunity

While the per-violation penalty is lower than some states, the elimination of the cure period and the broad scope of SB 1295 significantly increase enforcement risk. View all enforcement actions on our Enforcement Tracker.

How Connecticut Compares to Other State Privacy Laws

  • SB 1295 makes the CTDPA one of the strictest: The combination of lowered thresholds, removed thresholds for sensitive data, and AI transparency requirements puts Connecticut in the top tier alongside California and Maryland
  • AI transparency pioneer: Connecticut is one of the first states to require disclosure of personal data use for LLM training
  • Financial institution impact: The elimination of the entity-level GLBA exemption is unique among state privacy laws and will affect many financial services companies
  • Sensitive data breadth: With 11 categories including neural data and transgender status, Connecticut has one of the broadest sensitive data definitions
  • Early GPC adopter: GPC requirement effective since January 1, 2025
  • No cure period: Joins California, Colorado, Oregon, and Maryland in this strict approach

Use our State Comparison Tool to see how Connecticut stacks up against all 20+ state privacy laws.

7-Step CTDPA Compliance Plan

  1. Reassess applicability — SB 1295 lowers the threshold to 35,000 consumers and removes thresholds for sensitive data and data sales. Many businesses that were previously exempt will now be in scope. Use the Privacy Law Calculator.
  2. Evaluate GLBA exemption status — If you’re a financial institution, the entity-level GLBA exemption no longer applies. Determine whether the narrower data-level exemption covers your processing activities.
  3. Implement GPC recognition — Ensure your website and apps honor Global Privacy Control signals for both data sales and targeted advertising opt-outs.
  4. Update privacy notices — Include all required disclosures, especially whether personal data is collected, used, or sold for training large language models (new SB 1295 requirement).
  5. Build consumer rights processes — Implement intake, verification, and fulfillment workflows for all consumer rights including the new profiling contest mechanism. Configure 45-day response timelines.
  6. Audit sensitive data practices — Obtain opt-in consent for all 11 sensitive data categories including the four new ones (neural data, transgender/nonbinary status, financial credentials, government IDs).
  7. Conduct impact assessments — Perform and document data protection assessments for all high-risk processing, including the new profiling assessment requirements under SB 1295.

For a detailed walkthrough, visit our Connecticut Compliance Checklist.

This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 29, 2026.