Connecticut Data Privacy Law (CTDPA) for Healthcare: Requirements, HIPAA Overlap, and 2024 Compliance Guide

Kevin Henry

Data Privacy

October 30, 2025

6 minutes read

The Connecticut Data Privacy Act (CTDPA) reshaped privacy obligations for organizations handling consumer information, including health-related data outside classic medical settings. This guide explains when CTDPA applies, how it interacts with HIPAA, and the concrete steps healthcare leaders should take to stay compliant in 2024 and beyond, with a focus on Consumer Health Data Controllers and Universal Opt-Out Preference signals. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))

CTDPA Applicability Criteria

CTDPA covers entities doing business in Connecticut or targeting Connecticut residents that, in the prior calendar year, controlled or processed personal data of at least 100,000 consumers (excluding data handled solely to complete a payment transaction) or 25,000 consumers while deriving over 25% of gross revenue from the sale of personal data. ([cga.ct.gov](https://www.cga.ct.gov/current/pub/chap_743jj.htm))

Separately, Consumer Health Data Controllers are in scope regardless of revenue or volume thresholds when they conduct business in Connecticut or target its residents. Processors that handle personal data on behalf of covered controllers are also subject to obligations through contracts. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))

Exemptions and Special Data Categories

Entity exemptions include state and local government bodies, nonprofit organizations, higher education institutions, GLBA-regulated financial institutions, national securities associations, and entities subject to HIPAA. Note that the nonprofit exemption does not apply to Consumer Health Data Controllers. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))

CTDPA also exempts specific types of healthcare-related data, notably: Protected Health Information; substance use disorder records protected under 42 U.S.C. § 290dd-2; identifiable private information used in research conducted under 45 C.F.R. Part 46; certain FDA-governed research; patient safety work product; and data de-identified according to HIPAA. FERPA, FCRA, DPPA, and certain employment and emergency contact data are also excluded. ([cga.ct.gov](https://www.cga.ct.gov/current/pub/chap_743jj.htm))

Overlap Between CTDPA and HIPAA

HIPAA-covered entities and business associates are broadly exempt from CTDPA, including the consumer health data provisions. However, organizations outside HIPAA’s scope—such as wellness apps, digital health marketplaces, or analytics firms not acting as covered entities or business associates—may qualify as controllers under CTDPA, including as Consumer Health Data Controllers. ([cga.ct.gov](https://www.cga.ct.gov/current/pub/chap_743jj.htm))

Even where HIPAA applies, understand the boundaries: CTDPA expressly excludes Protected Health Information, 42 U.S.C. § 290dd-2 records, and research regulated under 45 C.F.R. Part 46. If your non-HIPAA affiliates or vendors touch consumer health data, CTDPA obligations may still attach to them. ([cga.ct.gov](https://www.cga.ct.gov/current/pub/chap_743jj.htm))

Compliance Requirements for Healthcare Entities

Core controller duties

  • Publish a clear privacy notice describing data categories, purposes, sharing, and how consumers can exercise rights and opt out. Provide an easily accessible website link to opt out of targeted advertising or sale. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))
  • Follow data minimization and security standards appropriate to the volume and nature of data. Obtain consent before processing sensitive data, which includes Consumer Health Data and precise geolocation. Respond to consumer requests within 45 days, extendable once by a further 45 days when reasonably necessary. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))
  • Conduct and document Data Protection Assessments for high-risk activities (targeted advertising, sale, sensitive data, and certain profiling). Be prepared to provide assessments to the Connecticut Attorney General upon request. ([cga.ct.gov](https://www.cga.ct.gov/current/pub/chap_743jj.htm))
  • For minors, obtain opt-in consent before selling personal data or using it for targeted advertising when you have actual knowledge, or willfully disregard, that the consumer is at least 13 but under 16. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))

Obligations specific to Consumer Health Data Controllers

  • Restrict employee and contractor access to consumer health data to those bound by confidentiality duties and ensure processor contracts meet statutory requirements. ([cga.ct.gov](https://www.cga.ct.gov/current/pub/chap_743jj.htm))
  • Do not sell consumer health data without prior consumer consent. ([cga.ct.gov](https://www.cga.ct.gov/current/pub/chap_743jj.htm))
  • Avoid using geofences within 1,750 feet of mental health or reproductive/sexual health facilities to identify, track, collect, or send notifications regarding a consumer’s health data. ([cga.ct.gov](https://www.cga.ct.gov/current/pub/chap_743jj.htm))

Enforcement and Reporting by Connecticut Attorney General

Enforcement of CTDPA rests exclusively with the Connecticut Attorney General; there is no private right of action. Civil penalties can reach up to $5,000 per willful violation under the Connecticut Unfair Trade Practices Act (CUTPA), and the Attorney General may also seek injunctive relief, restitution, and disgorgement. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))

From July 1, 2023 through December 31, 2024, the Attorney General provided a 60‑day right to cure when feasible. As of January 1, 2025, any cure opportunity is discretionary and based on factors such as the number of violations, data sensitivity, and risk of public harm. ([cga.ct.gov](https://www.cga.ct.gov/current/pub/chap_743jj.htm))

The Attorney General issues public CTDPA enforcement reports highlighting inquiries, notices of violation, and priorities, and was required to report to the General Assembly on notices and cures beginning in 2024. Recent reports emphasize privacy notices, Data Protection Assessments, and universal opt-out compliance. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))

Timeline and Key Effective Dates

  • May 10, 2022: CTDPA signed into law. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))
  • July 1, 2023: CTDPA takes effect; controller duties, consumer rights, and DPA obligations begin. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))
  • October 1, 2024: Amendments expanding minors’ online protections take effect. ([portal.ct.gov](https://portal.ct.gov/-/media/ag/press_releases/ctdpa-report-%28002%29.pdf?rev=b7f0dfe621ba4f9dbd960001e6e18670))
  • December 31, 2024: Mandatory 60-day cure period sunsets. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))
  • January 1, 2025: Universal Opt-Out Preference signals must be honored by all covered controllers. ([portal.ct.gov](https://portal.ct.gov/ag/press-releases/2024-press-releases/tong-advises-connecticut-consumers-and-businesses-of-opt-out-rights-and-requirements?utm_source=openai))

Universal Opt-Out Provisions

Starting January 1, 2025, controllers must treat recognized Universal Opt-Out Preference signals (for example, Global Privacy Control, sent by the browser as the Sec-GPC request header) as a consumer's request to opt out of targeted advertising and the sale of personal data. The Attorney General has flagged this as an active enforcement area, emphasizing that the opt-out should be applied to the consumer's account and devices, not only to the cookie-based tracking in the browser that sent the signal. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))

Practical implementation for healthcare teams

  • Detect and honor recognized browser-based signals for Connecticut residents and ensure the opt‑out state persists across web and mobile sessions. ([portal.ct.gov](https://portal.ct.gov/-/media/ag/press_releases/ctdpa-report-%28002%29.pdf?rev=b7f0dfe621ba4f9dbd960001e6e18670))
  • Maintain a prominent, easily accessible on-site opt‑out mechanism and avoid dark patterns that frustrate consumer choices. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))
  • Verify consent flows for any processing of sensitive data, including Consumer Health Data, and document Data Protection Assessments for high‑risk uses. ([cga.ct.gov](https://www.cga.ct.gov/current/pub/chap_743jj.htm))
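As an added illustration (not code from this article's author or from Accountable), the following JavaScript shows how a controller's backend can detect a Global Privacy Control signal and record the resulting opt-out on the account rather than in a cookie, then gate processing purposes against that record. The Sec-GPC request header, its single defined value "1", and the /.well-known/gpc.json announcement come from the GPC specification; the consumer-record fields, the purpose names, and the way a prior consent is weighed against a later opt-out are assumptions made for this example.

```javascript
// Added example for this article (not the author's or Accountable's code):
// honoring a Global Privacy Control (GPC) signal as a CTDPA opt-out.
// Standardized parts: the "Sec-GPC" request header with the single defined
// value "1", and the /.well-known/gpc.json announcement. Assumptions for this
// example: the consumer-record shape, the purpose names, and the conflict rule
// applied in mayProcess().

// True only for "Sec-GPC: 1". Any other value is ignored, as the spec defines
// no others. Lookup is case-insensitive so it works with raw and Node-lowercased
// header maps. Browsers, not page scripts, set Sec-* headers, so the signal
// cannot be injected by a third-party script running on the page.
function gpcSignalPresent(headers) {
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "sec-gpc"
  );
  return entry !== undefined && String(entry[1]).trim() === "1";
}

// Opt-out state lives on the account, not in a cookie, so it follows the
// consumer across web and mobile sessions. Consent for consumer health data is
// separate and opt-in: it starts false and only an explicit consent event
// (never the absence of a GPC signal) may set it.
function newConsumerRecord(id) {
  return {
    id,
    optOut: { targetedAdvertising: false, sale: false, source: null, at: null },
    consent: { healthDataProcessing: false, healthDataSale: false },
  };
}

// Apply a request's headers to the account record; returns a new record and
// leaves the input untouched. The opt-out is recorded for any consumer who
// sends the signal; honoring it only for detected Connecticut residents would
// add a geolocation guess that is easy to get wrong.
function applyGpcSignal(record, headers, now = new Date()) {
  if (!gpcSignalPresent(headers)) return record;
  return {
    ...record,
    optOut: {
      targetedAdvertising: true,
      sale: true,
      source: "gpc",
      at: now.toISOString(),
    },
  };
}

// Gate a processing purpose against the record. GPC covers targeted advertising
// and sale; consumer health data additionally needs affirmative consent, and
// selling it needs its own consent. Where a prior consent to sale and a later
// opt-out conflict, this example denies (a conservative design choice, not a
// statement of the statute's conflict rule). Unknown purposes are denied.
function mayProcess(record, purpose) {
  switch (purpose) {
    case "targetedAdvertising":
      return !record.optOut.targetedAdvertising;
    case "sale":
      return !record.optOut.sale;
    case "processHealthData":
      return record.consent.healthDataProcessing;
    case "sellHealthData":
      return record.consent.healthDataSale && !record.optOut.sale;
    default:
      return false;
  }
}

// Body for /.well-known/gpc.json, which tells browsers the site honors GPC.
// lastUpdate is an ISO date such as "2025-01-01".
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample request: a browser with GPC enabled.
const sampleHeaders = { "sec-gpc": "1", "user-agent": "example-browser" };
const consumer = applyGpcSignal(newConsumerRecord("consumer-42"), sampleHeaders);
console.log(mayProcess(consumer, "targetedAdvertising")); // false: signal honored
console.log(JSON.stringify(gpcWellKnown("2025-01-01")));
```

The point of keeping the opt-out on the account record is that a later login from a phone or a different browser, where no Sec-GPC header arrives, still inherits the opt-out. The health-data consent fields are deliberately independent of the GPC state: a consumer who never sent a signal has still not consented to sensitive-data processing.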

Conclusion

Summing up: confirm whether HIPAA exempts your entity; if not, determine whether you are a Consumer Health Data Controller; update notices and opt-out links; recognize Universal Opt-Out Preference signals; and complete Data Protection Assessments for high-risk processing. Align operations with the Connecticut Attorney General's stated enforcement priorities to reduce risk. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))

FAQs

What types of healthcare data are exempt from CTDPA?

Protected Health Information, records protected by 42 U.S.C. § 290dd‑2, identifiable private information used in research under 45 C.F.R. Part 46, certain FDA-regulated research data, patient safety work product, and HIPAA‑de‑identified data are exempt. Additional exclusions cover FERPA, FCRA, DPPA data, and some employment and emergency contact information. ([cga.ct.gov](https://www.cga.ct.gov/current/pub/chap_743jj.htm))

How does CTDPA compliance differ from HIPAA requirements?

HIPAA governs PHI handled by covered entities and business associates, which are exempt from CTDPA. CTDPA, however, applies to non‑HIPAA health services and tools—imposing consumer rights, opt‑out controls (including Universal Opt-Out Preference), consent for sensitive data, and Data Protection Assessments for high‑risk processing. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))

When did the CTDPA take effect and what are key upcoming dates?

CTDPA took effect on July 1, 2023. Notable dates include October 1, 2024 (minors’ online protections), December 31, 2024 (end of the mandatory cure period), and January 1, 2025 (Universal Opt-Out signals required). As of June 5, 2026, no new statutory dates have been scheduled, but enforcement continues to evolve. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))

What are the enforcement mechanisms under CTDPA for healthcare entities?

The Connecticut Attorney General exclusively enforces CTDPA and can seek civil penalties up to $5,000 per violation under CUTPA, along with injunctive relief, restitution, and disgorgement. The mandatory 60‑day cure period ended on December 31, 2024; any cure opportunity after January 1, 2025 is discretionary. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act))
