Connecticut Privacy Law Attorneys

CTDPA Compliance, Data Breach Response & Consumer Privacy in Connecticut

Home / States / Connecticut

Connecticut Privacy Law Overview

Connecticut's privacy law took effect July 1, 2023 and has been among the most actively expanded. Beyond core consumer rights, it adds consumer-health-data protections and duties of care for minors, and a 2025 amendment significantly broadens coverage effective July 1, 2026. The Attorney General has been an active enforcer, issuing public reports on compliance gaps.

The Connecticut Data Privacy Act (CTDPA)

The CTDPA provides comprehensive access, correction, deletion, portability and opt-out rights with opt-in consent for sensitive data. Connecticut has layered on additional protections for consumer health data and minors, and 2025 amendments (SB 1295) broaden the law's scope and lower its thresholds beginning July 1, 2026.

CTDPA: Quick Overview

  • Effective Date: July 1, 2023
  • Citation: Conn. Gen. Stat. § 42-515 et seq.
  • Enforced By: Connecticut Attorney General
  • Maximum Penalty: Up to $5,000 per willful violation (under CUTPA)
  • Private Right of Action: No (enforcement by the state only)
  • Right to Cure: 60 days (expired December 31, 2024)

Who Must Comply

The CTDPA applies to businesses that meet Connecticut's applicability thresholds:

  • Controls or processes the personal data of 100,000+ Connecticut consumers per year, or
  • Processes data of 25,000+ consumers and derives more than 25% of gross revenue from selling personal data

What makes Connecticut different: Connecticut keeps expanding its law — adding health-data and minors' protections — and 2025 amendments lower thresholds and broaden coverage starting July 1, 2026.

Consumer Rights Under the CTDPA

Connecticut residents can exercise the following rights over their personal data:

  • Right to access / confirm what data is held
  • Right to correct inaccurate data
  • Right to delete personal data
  • Right to data portability
  • Right to opt out of targeted advertising
  • Right to opt out of the sale of personal data
  • Right to opt out of profiling for significant decisions

Sensitive personal data: Businesses must obtain opt-in consent before processing sensitive data (such as health, biometric, precise-geolocation, or demographic data).

Data Breach Notification in Connecticut

Connecticut requires notice to affected residents within 60 days of discovery and to the Attorney General for breaches involving Connecticut residents.

  • Deadline to notify residents: Without unreasonable delay, no later than 60 days after discovery
  • Attorney General notice: Notify the Connecticut Attorney General for breaches affecting residents
  • Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)

Federal Privacy Laws That Apply in Connecticut

Even where Connecticut law is silent, residents and businesses are covered by federal privacy statutes:

  • HIPAA — health information held by providers, plans and their vendors
  • GLBA — privacy and safeguards rules for financial institutions
  • FERPA — student education records
  • FCRA — consumer reporting agencies and background screening
  • COPPA — online collection of data from children under 13
  • FTC Act §5 — unfair or deceptive privacy and data-security practices

Connecticut Privacy Law FAQ

Does Connecticut protect health data beyond HIPAA?
Yes. A 2023 amendment added consumer-health-data protections, requiring opt-in consent to process such data and banning geofencing around health-care facilities to track consumers — protections that reach businesses not covered by HIPAA.
Are Connecticut's privacy obligations changing?
Yes. Amendments signed in 2025 (SB 1295) broaden the CTDPA's scope and lower its applicability thresholds effective July 1, 2026, pulling in more businesses. Companies operating in Connecticut should reassess whether they are covered.

How a Connecticut Privacy Attorney Can Help

For Businesses

  • Build and audit a privacy compliance program
  • Draft privacy policies, notices and vendor contracts
  • Respond to consumer rights requests
  • Manage data-breach response and notification
  • Defend regulatory investigations and enforcement

For Consumers

  • Enforce your privacy rights against non-compliant businesses
  • Pursue or join data-breach litigation
  • File complaints with the Connecticut Attorney General
  • Seek damages for identity theft and fraud
  • Stop unlawful data sales and unwanted marketing

Need a Connecticut Privacy Attorney?

Whether you are a business working toward compliance or a Connecticut resident whose privacy has been violated, our network of Connecticut-licensed attorneys can help.

Find a Connecticut Privacy Attorney

Other State Privacy Laws

California

CCPA/CPRA – strongest consumer privacy law in the U.S.

Colorado

CPA – comprehensive privacy law

Virginia

VCDPA – comprehensive privacy law

New Jersey

NJDPA – comprehensive privacy law

Texas

TDPSA – comprehensive privacy law

Florida

FDBR – comprehensive privacy law