ConsentPixel – Privacy · Verified

US State Privacy Law
⚠ Strong Children's Data Protections

Connecticut Data Privacy Act (CTDPA)

Connecticut's data privacy law has been in effect since July 1, 2023 — and it goes further than most US state laws on two fronts. It was among the first to mandate technical honouring of the Global Privacy Control browser signal, and it contains some of the most protective children's data provisions in any US state privacy law. If your site reaches Connecticut residents, here is what you need to know.

Effective July 1, 2023 · Connecticut AG enforcement · Updated 2026

$5,000: Max civil penalty per violation
100K: Consumer records threshold per year
Jan 2025: GPC signal honouring became mandatory
60 days: Consumer rights response window

What Is the Connecticut Data Privacy Act?

The Connecticut Data Privacy Act is Connecticut's comprehensive consumer data privacy law, signed by Governor Ned Lamont on May 10, 2022 and effective July 1, 2023. Connecticut was the fifth US state to enact a comprehensive privacy law, following California, Virginia, Colorado, and Utah — and the law draws from both the VCDPA's controller/processor framework and the CPA's more progressive provisions on sensitive data and opt-out mechanisms.

Connecticut's law is often described as a VCDPA-plus — it keeps Virginia's clean, business-friendly structure while adding stronger provisions in several areas. Most notably, the CTDPA contains some of the most protective children's data rules in any US state privacy law outside of COPPA, creating consent obligations for targeted advertising directed at teenagers aged 13 to 15 that go beyond what most other state laws require.

The Connecticut Attorney General also has rule-making authority — enabling the state to issue more detailed implementing guidance over time, similar to Colorado's detailed AG rules — which makes the CTDPA one of the more adaptable frameworks among US state privacy laws.

💡
Connecticut closely mirrors Virginia's VCDPA in structure — but with key additions. If you are already VCDPA-compliant, your core framework transfers directly to Connecticut. The meaningful additional obligations are: GPC signal honouring (mandatory from January 2025), stricter children's data rules for minors aged 13–15, a formal 60-day appeal process for denied rights requests, and opt-in consent required for processing sensitive data — not just a notice obligation.

Who Does the CTDPA Apply To?

The CTDPA applies to controllers that conduct business in Connecticut or produce products or services targeted to Connecticut residents, and that during a calendar year meet at least one of the following thresholds:

👥 100,000+ Connecticut consumers whose personal data you control or process per calendar year. Includes website visitors tracked by analytics or advertising pixels.

💰 25,000+ Connecticut consumers processed, and revenue or discounts derived from selling personal data. Any data broker relationship or ad revenue model can trigger this threshold.

Like the VCDPA and CPA, the CTDPA has no revenue threshold. A small business with significant web traffic but modest revenue can be covered if it meets the consumer volume thresholds. The 100,000 consumer count includes website visitors whose data is processed by third-party tools — Google Analytics, Meta Pixel, session-replay tools — not only registered users or paying customers.

⚠️
Connecticut has a high population of high-income households with national buying power. Connecticut consistently ranks among the top five US states by median household income. The density of financial services, pharmaceutical, insurance, and professional services businesses — as well as their employees' spending patterns — means many national eCommerce and B2B sites reach Connecticut consumers in meaningful numbers without realising it. A site that assumes it does not reach the threshold may benefit from checking its analytics data.

Consumer Rights Under the CTDPA

Connecticut consumers have five statutory rights under the CTDPA, closely mirroring Virginia's VCDPA. Covered businesses must respond to verifiable consumer requests within 45 days, extendable by a further 45 days (90 days total) with written notice. Unlike many other state laws, the CTDPA explicitly requires a documented 60-day appeal process for denied requests — one of the most specific procedural requirements in any US state privacy law.

Right 1

Right to Access

Consumers can confirm whether you are processing their personal data and obtain a copy. You may charge a reasonable fee for manifestly unfounded or excessive requests but must respond free of charge to the first request per 12-month period.

Right 2

Right to Correction

Consumers can request correction of inaccurate personal data, taking into account the nature of the data and its processing purposes. You must consider requests in good faith and respond within the standard window.

Right 3

Right to Deletion

Consumers can request deletion of personal data you collected about them, including data obtained from third parties. Exceptions apply for legal obligations, fraud prevention, public interest research, and free speech purposes.

Right 4

Right to Data Portability

Consumers can receive a copy of their personal data in a portable, readily usable format enabling transmission to another controller. Applies to data processed through automated means where technically feasible.

Right 5

Right to Opt Out

Consumers can opt out of processing for targeted advertising, sale of personal data, and profiling that produces legal or similarly significant effects. Since January 1, 2025, opt-out must also be honoured automatically via Universal Opt-Out Mechanisms including the Global Privacy Control browser signal.

The appeal process — what makes Connecticut different

When you deny a consumer rights request — in full or in part — the CTDPA requires that you inform the consumer of the reason and provide a mechanism to appeal the decision within 60 days. You must then respond to the appeal within 60 days, explain the basis for your decision, and inform the consumer that they may submit a complaint to the Connecticut Attorney General if the appeal is denied.

This creates a four-stage process unique among US state laws: initial request → response → appeal → final AG complaint pathway. Your data subject request infrastructure must support all four stages, including documented communication templates for each step.

Global Privacy Control — Connecticut's Mandatory Signal

Since January 1, 2025, the CTDPA requires businesses subject to the law to technically honour Universal Opt-Out Mechanisms (UOOMs) — including the Global Privacy Control (GPC) browser signal — as a legally valid opt-out from targeted advertising and data sale.

📡 GPC signal honouring is mandatory — not optional — from January 1, 2025

When a Connecticut consumer visits your website with GPC enabled in their browser, your consent management platform must automatically detect the signal and suppress all targeted advertising and data-sale scripts without requiring the consumer to manually interact with an opt-out link. A cookie banner that a GPC user still needs to click to opt out does not satisfy this requirement. Your CMP must read the Sec-GPC: 1 HTTP header or the navigator.globalPrivacyControl JavaScript property and respond in real time.

Connecticut's GPC mandate places it alongside California (CCPA), Colorado (CPA), and Virginia (VCDPA) as states where automatic browser signal honouring is a legal requirement. For multi-state operations, the practical implication is that GPC honouring should be implemented as a default for all US visitors — the states that require it represent the largest populations and highest traffic volumes in most US site analytics.
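The detection-and-suppression logic described above, sketched as an added example that is not ConsentPixel's code: it checks both GPC sources, decides the opt-out state without any click, and filters a tag manifest before anything is injected. Function names, purpose labels, the stored-choice value and the sample URLs are hypothetical.

```javascript
// Added example: names, purpose labels and sample data are hypothetical.

// Purposes the page says must be suppressed for a GPC visitor.
const SUPPRESSED_ON_OPT_OUT = new Set(["targeted-advertising", "data-sale"]);

// Server side: header names are case-insensitive; only the value "1" counts.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side: the property is boolean true when the signal is on and
// undefined in browsers that do not implement GPC.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Combine both signal sources with any manual choice the visitor made.
// Assumption: GPC overrides a stored choice; how to treat a conflicting
// earlier consent is a policy decision this sketch does not model.
function resolveOptOut({ headers, nav, storedChoice } = {}) {
  if (gpcFromHeaders(headers)) return { optedOut: true, source: "gpc-header" };
  if (gpcFromNavigator(nav)) return { optedOut: true, source: "gpc-js" };
  if (storedChoice === "opt-out") return { optedOut: true, source: "manual" };
  return { optedOut: false, source: "none" };
}

// Decide which tags may be injected; suppressed tags are never loaded.
function scriptsToLoad(manifest, decision) {
  return manifest
    .filter((tag) => !(decision.optedOut && SUPPRESSED_ON_OPT_OUT.has(tag.purpose)))
    .map((tag) => tag.src);
}

// Timestamped record carrying the signal source, for an opt-out log.
function auditRecord(decision, now = new Date()) {
  return { at: now.toISOString(), optedOut: decision.optedOut, source: decision.source };
}

// Constructed sample tag manifest (placeholder URLs).
const SAMPLE_MANIFEST = [
  { src: "https://cdn.example/checkout.js", purpose: "essential" },
  { src: "https://ads.example/pixel.js", purpose: "targeted-advertising" },
  { src: "https://broker.example/sync.js", purpose: "data-sale" },
];
```

In a browser, pass `navigator` as `nav`; on the server, pass the request's header object and make the decision before rendering any tag.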

Children's Data — Connecticut Goes Further Than Most

The CTDPA contains some of the most protective children's data provisions of any US state privacy law outside of COPPA. These provisions are particularly relevant for any website that may attract audiences including minors — consumer products, gaming, education, entertainment, social platforms, and any brand with a broad general audience.

⚠ Children's Data: Stricter consent rules for minors under Connecticut law

Connecticut's CTDPA creates a tiered protection framework for minors that goes beyond what most other US state privacy laws require. Understanding which tier applies to your audience is critical for site operators in any consumer-facing category.

👶 Under 13 (COPPA aligned)

Processing sensitive data about known minors under 13 requires verifiable parental consent. Sensitive data includes precise geolocation, health data, biometrics, racial or ethnic origin, and sexual orientation. Aligns with and reinforces COPPA obligations.

🧒 Ages 13–15 (Connecticut's key addition)

Processing personal data of consumers known to be aged 13 to 15 for targeted advertising purposes requires affirmative opt-in consent — not opt-out. This is a meaningful departure from the standard US opt-out model and creates obligations for any site with teen-skewing audiences.

📊 Data sale to minors

Controllers cannot sell personal data of known minors under 18 without their consent — or parental consent for those under 13. This applies regardless of whether the minor is the subject of the sale or the buyer.

🎯 Targeted advertising to teens

Any site running behavioural advertising that may reach Connecticut residents aged 13–15 must have an opt-in consent mechanism in place — not merely an opt-out — for that age cohort to be included in targeting.

CTDPA vs. CCPA vs. CPA vs. VCDPA vs. GDPR

| Feature | CTDPA (Connecticut) | CCPA/CPRA (California) | CPA (Colorado) | VCDPA (Virginia) | GDPR (EU) |
|---|---|---|---|---|---|
| Effective date | Jul 1, 2023 | Jan 1, 2020/2023 | Jul 1, 2023 | Jan 1, 2023 | May 25, 2018 |
| Revenue threshold | None | $25M gross revenue | None | None | None |
| Consumer volume threshold | 100K/year | 100K/year | 100K/year | 100K/year | None |
| Opt-in consent for tracking? | No — opt-out | No — opt-out | No — opt-out | No — opt-out | Yes — opt-in |
| GPC/UOOM mandatory? | Yes (Jan 2025) | Yes | Yes (Jul 2024) | Yes (Jan 2025) | Recommended |
| Children 13–15 opt-in for ads? | Yes — unique | Opt-out only | Not specified | Not specified | Yes — parental consent |
| Formal appeal process required? | Yes — 60 days | No | Yes — 45 days | Yes — 60 days | Complaint to DPA |
| Data protection assessments | Required (high-risk) | Not required | Required (broad) | Required (high-risk) | Required (DPIAs) |
| Private right of action | No | Limited (breaches) | No | No | Yes |
| Max civil penalty | $5,000/violation | $7,500/intentional | $20K/violation; $500K/action | $7,500/violation | €20M or 4% revenue |

Is your site honouring GPC for Connecticut visitors?

ConsentPixel — Privacy · Verified automatically detects GPC signals, suppresses targeted advertising scripts, and logs every opt-out event — satisfying Connecticut's January 2025 UOOM mandate.


How ConsentPixel — Privacy · Verified Handles CTDPA

📡

Automatic GPC signal detection

ConsentPixel reads the Global Privacy Control signal on every page load — both the HTTP header and the JavaScript property. Connecticut visitors with GPC enabled have targeted advertising and data-sale scripts suppressed automatically. Compliant with Connecticut's January 2025 UOOM mandate.

🚫

Script blocking before opt-out

All targeted advertising and analytics scripts are held at page load until the visitor's opt-out status is confirmed. For GPC-active visitors, suppression is immediate. For all others, the opt-out mechanism is presented before data is transmitted.

📬

Consumer rights portal with appeal workflow

An embeddable DSAR form handles all five CTDPA consumer rights. Requests are routed to your portal with 45-day deadline tracking, identity verification prompts, and a documented appeal workflow for denied requests — satisfying Connecticut's formal 60-day appeal requirement.

📋

Consent and opt-out audit log

Every consent decision and opt-out event — including GPC-triggered opt-outs — is timestamped and stored. The log records banner version shown, consumer choices, and signal source. Exportable on demand for Connecticut AG investigations.

🔍

Continuous tracker scanning

ConsentPixel scans your site continuously and alerts you when new trackers appear — including those silently added by plugin or app updates. Your data inventory stays current, supporting CTDPA data protection assessment requirements.

🌐

Geo-targeted consent rules

ConsentPixel applies different consent rules per jurisdiction — opt-in for GDPR visitors, opt-out for US state law visitors, with GPC auto-detection for all Connecticut, California, Colorado, and Virginia traffic. One pixel handles all simultaneously.

Connecticut CTDPA Compliance Checklist

Use this checklist to assess your CTDPA compliance posture.

📋 Connecticut CTDPA Compliance Checklist — 2026 (12 items)

Confirm CTDPA thresholds apply to your business: 100K+ Connecticut consumer records/year, or 25K+ records with revenue or discounts derived from selling personal data
Deploy a consent solution that technically blocks scripts — not just displays a notice: Script blocking before opt-out is established is the technical baseline for meaningful US state law compliance
Implement GPC / Universal Opt-Out Mechanism detection: Mandatory since January 1, 2025 — must auto-suppress targeted advertising scripts when GPC signal is present
Provide a clear opt-out for targeted advertising and data sale: Prominently placed link or banner mechanism — functionally blocking, not cosmetic
Assess children's data obligations if site may reach minors: Under 13: parental consent for sensitive data. Ages 13–15: opt-in consent required for targeted advertising specifically
Set up a consumer rights request process: Access, correction, deletion, portability, and opt-out — all five must be supported with 45-day response window
Build a documented 60-day appeal workflow for denied requests: Connecticut uniquely requires a formal appeal process — with written explanation of denial and AG complaint pathway disclosed
Obtain opt-in consent before processing sensitive data categories: Sensitive data requires affirmative consent under CTDPA — not just an opt-out mechanism or privacy policy disclosure
Conduct data protection assessments for required activities: Required for targeted advertising, data sale, profiling with significant effects, and sensitive data processing
Update privacy policy with CTDPA-required disclosures: Categories of data collected, purposes, third-party sharing, how to exercise rights, and the appeal process
Review processor contracts for CTDPA data processing language: All data processors must have contracts specifying instructions, confidentiality, and deletion obligations
Maintain consent and opt-out logs for audit purposes: Timestamped records of every consumer choice including GPC-triggered automatic opt-outs — exportable for AG investigations

Frequently Asked Questions

The Connecticut Data Privacy Act (CTDPA) is Connecticut's comprehensive consumer privacy law, effective July 1, 2023. It grants Connecticut residents five rights over their personal data — access, correction, deletion, portability, and opt-out from targeted advertising and data sale — and imposes obligations on businesses that process that data. It was the fifth US state comprehensive privacy law and is sometimes described as a VCDPA-plus, adding stronger provisions on children's data, GPC signal honouring, and a formal appeal process for denied rights requests.
The CTDPA applies to controllers conducting business in Connecticut or targeting Connecticut residents that process personal data of 100,000 or more Connecticut consumers per year, or 25,000 or more consumers while deriving revenue or discounts from selling personal data. There is no revenue threshold — only volume-based triggers. The consumer count includes website visitors tracked by analytics or advertising tools. Small businesses not meeting these thresholds are not covered.
Three things distinguish Connecticut's CTDPA. First, it requires technical honouring of Universal Opt-Out Mechanisms including GPC, mandatory from January 2025. Second, it requires opt-in consent — not just opt-out — for processing personal data of consumers known to be aged 13 to 15 for targeted advertising purposes. This goes beyond any other US state law in protecting teenagers from behavioural advertising. Third, it explicitly requires a documented 60-day appeal process for denied consumer rights requests, one of the most specific procedural requirements in US state privacy law.
The Connecticut Attorney General has exclusive enforcement authority. Civil penalties can reach $5,000 per violation. The CTDPA originally included a 60-day cure period, which became discretionary after December 31, 2024 — regulators may or may not provide an opportunity to remedy violations before imposing penalties. There is no private right of action, meaning consumers cannot sue businesses directly under the CTDPA.
The CTDPA uses an opt-out model — not GDPR-style opt-in — for general processing. However, it requires a clear opt-out mechanism for targeted advertising and data sale, and since January 2025 mandates automatic GPC browser signal recognition. Sensitive data processing and targeted advertising to known 13–15 year olds require opt-in consent. A consent management platform that blocks scripts, detects GPC, and presents compliant opt-out options handles all of these requirements simultaneously.
Connecticut has some of the most protective children's data rules in US state privacy law. Processing sensitive data of known minors under 13 requires verifiable parental consent. Critically, processing personal data of consumers known to be aged 13 to 15 for targeted advertising requires affirmative opt-in consent — not opt-out. This means sites with teen audiences cannot use behavioural advertising targeting without prior consent from that age group. Selling personal data of known minors under 18 requires consent at any age.
Connecticut CTDPA Compliance — Automated

GPC detection. Appeal workflow.
One pixel. Sorted.

ConsentPixel — Privacy · Verified automatically detects GPC signals, suppresses targeted advertising scripts, provides a consumer rights portal with documented appeal workflow, and logs every opt-out event — covering every Connecticut CTDPA obligation automatically.
