Under CTDPA, businesses must obtain clear, informed opt-in consent before setting cookies or other tracking technologies that collect personal or sensitive data from Connecticut residents. Do you have the right consent management tools in place to comply?
The Connecticut Data Privacy Act (CTDPA) went into effect on July 1, 2023. It grants Connecticut residents key data rights and protections and imposes obligations on businesses and service providers processing Connecticut residents’ personal data.
CTDPA affects controllers and processors that meet quantitative thresholds or handle consumer health data (CHD); no thresholds apply to CHD controllers.
Businesses should assess whether they exceed thresholds—processing data of ≥ 100,000 Connecticut residents, or ≥ 25,000 with over 25% revenue from data sales—as well as any handling of consumer health data (CHD). If so, ensure you:
Update privacy policy: Updating privacy policies with Delaware-specific disclosures
Implement consent management: Implement cookie consent banners and enable consumer rights
Conduct assessments: Prepare risk and data protection assessments
Opt-in and out support: Use opt-in for sensitive data and bake in global opt-out support (e.g., GPC)
Implement processor agreements: Have agreements in place to enforce CTDPA standards
Compliance with CTDPA is required for any organization that:
Exempt entities include:
State/local governments
Non-profit and higher-ed institutions
GLBA-covered financial institutions
HIPAA-covered entities
National securities associations
Connecticut residents may exercise the following rights:
Consumers can access personal data, including profiling-derived inferences
Consumers can request to correct inaccuracies
Consumers can request that their personal data be deleted
Consumers have a right to download/transmit their information
Consumers can opt out of personal data sale, targeted advertising, and profiling that produces legal/significant effect
Cookie banners and consent tools must explain what data is collected, why and how it is used, and allow users to accept or reject tracking.
Cookies that process personal or sensitive data (e.g. device IDs, biometric, health-related tracking) require explicit opt-in. Cookie notices must detail the purpose, types of cookies, and provide easy accept/reject options. Firms must record consent and support “Do Not Sell” mechanisms.
Non-compliance will lead to financial penalties. Through Dec 31, 2024, CTDPA provided for a 60-day cure period after AG notice, during which violations had to be addressed to avoid fines. After January 1, 2025, the default cure period was eliminated. The Connecticut AG is empowered to assess up to 5,000 USD per willful violation, including restitution and injunctive relief.
To check their compliance with the CTDPA, organizations should:
Audit: Conduct a data audit to identify all cookies and trackers on their websites
Categorize: Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management: Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs
Check third-party contracts: Review third-party data-sharing practices
It applies to controllers/processors doing business in CT or targeting its residents who process ≥ 100,000 consumers’ data annually, or ≥ 25,000 with > 25% revenue from data sales, plus any controller of consumer health data.
Any information linked to an identifiable individual (e.g. name, address, IDs, login credentials), excluding public information.
Subset of personal data including racial/ethnic origin, religion, health conditions, sexual orientation, biometric/genetic data, and consumer health data—processing requires opt-in.
The Connecticut Attorney General enforces CTDPA; enforcement includes notices, fines, injunctions, and restitution.
Exempt entities include governmental bodies, nonprofits, higher-ed institutions, GLBA-covered financial institutions, HIPAA-covered entities, and national securities associations.
For official guidance, visit the Connecticut Attorney General’s CTDPA page.
©2018-2025 CookieHub ehf.