Connecticut Privacy Law

Connecticut Data Privacy Act

Effective: July 1, 2023 (Active)

Overview

The Connecticut Data Privacy Act (CTDPA) was signed into law on May 10, 2022, and became effective on July 1, 2023. Connecticut took a consumer-friendly approach, incorporating some of the strongest provisions found across state privacy laws, including a universal opt-out mechanism requirement and broad consumer rights. The CTDPA grants Connecticut residents rights to access, correct, delete, and port their personal data, as well as opt out of the sale of personal data, targeted advertising, and profiling. Connecticut was among the first states to require businesses to honor universal opt-out mechanisms like GPC, with this requirement taking effect on January 1, 2025. The law also includes a robust appeals process for denied consumer requests.

The law was significantly overhauled by SB 1295 (signed June 24, 2025, effective July 1, 2026). Key changes include: lowering the base applicability threshold from 100,000 to 35,000 consumers (excluding payment transactions); removing processing thresholds entirely for sensitive data and data sales — meaning controllers handling any amount of sensitive data or selling any data fall within scope; eliminating the entity-level GLBA exemption (replaced with a narrower data-level exemption for specific financial institutions); requiring controllers to disclose whether personal data is used to train large language models; adding new consumer rights to contest profiling results and request human review; expanding the definition of sensitive data to include neural data, transgender/nonbinary status, financial account credentials, and government-issued ID numbers; adding impact assessment requirements for profiling producing legal or similarly significant effects; and prohibiting system design features intended to increase a minor's usage.

Violations can result in penalties of up to $5,000 per violation under the Connecticut Unfair Trade Practices Act.

Applicability Thresholds

Conditions are joined by OR: meeting ANY one triggers applicability.

  • 35,000+ Connecticut consumers' data processed
  • 25,000+ consumers AND 25%+ revenue from data sales

Consumer Rights

Right to Access
Right to Delete
Right to Correct
Data Portability
Opt-Out of Sale
Opt-Out of Targeted Ads
Opt-Out of Profiling
Limit Sensitive Data Use
Right to Appeal
Private Right of Action: No (AG enforcement only)

Key Changes in 2025-2026

  • SB 1295 major amendments take effect July 1, 2026 — one of the most significant state privacy law overhauls since the CCPA
  • Base applicability threshold lowered from 100,000 to 35,000 consumers (excluding payment transactions)
  • Processing thresholds for sensitive data and data sales removed — any controller handling sensitive data or selling any data falls in scope
  • Entity-level GLBA exemption eliminated — replaced with narrower data-level exemption for specific financial institutions (banks, insurers, investment agents)
  • New AI/LLM transparency requirement: controllers must disclose in privacy notices whether personal data is collected, used, or sold for training large language models
  • New consumer right to contest profiling results, request reasoning and input data, and (for housing decisions) correct data and request re-evaluation
  • Sensitive data definition expanded: neural data, transgender/nonbinary status, financial account credentials, and government-issued ID numbers now included
  • New impact assessment requirements for profiling producing legal or similarly significant effects on consumers
  • Strengthened minor protections: ban on targeted advertising and data sale for minors with no consent exception, strict necessity standard for geolocation collection
  • Cure period already sunsetted — AG has full enforcement discretion

Enforcement Details

  • Enforced By: Connecticut Attorney General
  • Penalty Per Violation: $5,000
  • Cure Period: None — immediate enforcement
  • Private Right of Action: No — AG enforcement only

Sensitive Data Categories

Consent model: opt-in

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition, disability, or treatment
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Biometric data for identification
  • Genetic data
  • Neural data
  • Transgender or nonbinary status
  • Financial account credentials
  • Government-issued identification numbers

Universal Opt-Out / GPC Requirements

GPC / Universal Opt-Out Required

Businesses must recognize and honor universal opt-out mechanisms such as Global Privacy Control (GPC) starting January 1, 2025. This applies to opt-out requests for data sales and targeted advertising.

Effective: January 1, 2025

Minor / Child Protections

The CTDPA requires opt-in consent for processing personal data of known children under 13, consistent with COPPA. For consumers aged 13-15, businesses must obtain consent before processing data for targeted advertising or data sales. SB 1295 (effective July 1, 2026) further prohibits processing minors' data for targeted advertising or sale with no consent exception, limits data processing to what is reasonably necessary for service delivery, requires that precise geolocation collection be strictly necessary with active collection signaling, and prohibits system design features intended to significantly increase, sustain, or extend a minor's use of services.

Compliance Checklist

  1. Reassess applicability — SB 1295 lowers the threshold to 35,000 consumers and removes thresholds for sensitive data and data sales (effective July 1, 2026)
  2. Evaluate GLBA exemption status — entity-level exemption removed; confirm whether narrower data-level exemption applies
  3. Implement universal opt-out signal recognition (GPC and similar mechanisms)
  4. Update privacy notices to include all CTDPA-required disclosures, including whether personal data is collected, used, or sold for training large language models
  5. Build consumer request intake and response processes within the 45-day response window, including new profiling contest mechanism
  6. Obtain opt-in consent before processing all sensitive data categories, including newly added neural data and transgender/nonbinary status
  7. Prohibit sale of sensitive personal data without explicit consumer opt-in
  8. Conduct and document data protection assessments for high-risk processing
  9. Perform impact assessments for profiling that produces legal or similarly significant effects — document purpose, risks, input/output data, performance metrics, and safeguards
  10. Audit system design features for compliance with minor protection provisions — ensure no targeted advertising or data sale for minors, apply strict necessity test for geolocation

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.