Connecticut Health Data Privacy: CTDPA Rules, Rights, and Compliance



Kevin Henry

Data Privacy

May 24, 2026

7 minutes read

Overview of CTDPA Applicability

Who is covered and when

The Connecticut Data Privacy Act (CTDPA) took effect July 1, 2023. It applies to persons that conduct business in Connecticut, or that produce products or services targeted to Connecticut residents, and that meet one of the statutory thresholds. Through June 30, 2026, coverage attaches if in the preceding calendar year you controlled or processed the personal data of at least 100,000 consumers (excluding data processed solely to complete a payment transaction), or of at least 25,000 consumers while deriving more than 25% of gross revenue from the sale of personal data. Beginning July 1, 2026, the thresholds broaden: coverage attaches if you controlled or processed the personal data of 35,000 or more consumers, or you control or process sensitive data (again excluding payment-only data), or you offer consumers' personal data for sale in trade or commerce. ([portal.ct.gov](https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act/))

Consumer Health Data Controllers are always in scope regardless of thresholds; the nonprofit exemption does not apply to them. If you determine the purposes and means of processing consumer health data, you are a Consumer Health Data Controller under the CTDPA. ([portal.ct.gov](https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act/))

Key exemptions

Typical entity-level exemptions include state and local government, higher education institutions, GLBA-covered financial institutions, HIPAA-covered entities and business associates, tribal nation government organizations, and certain air carriers, alongside specific data-level carve-outs. ([prdext2.cga.ct.gov](https://prdext2.cga.ct.gov/2026/sup/chap_743jj.htm))

Resident Data Privacy Rights

Individual rights you must honor

Connecticut residents can exercise rights of access, correction, deletion, and portability, and can opt out of targeted advertising, of the sale of personal data, and of profiling used in furtherance of decisions that produce legal or similarly significant effects. Where such a profiling decision has been made, residents may also question the result, obtain the reasons for it, review the personal data used, and seek reevaluation where appropriate. ([prdext2.cga.ct.gov](https://prdext2.cga.ct.gov/2026/sup/chap_743jj.htm))

How requests work and deadlines

You must respond to verifiable requests without undue delay and within 45 days; you may extend once by 45 days when reasonably necessary, with notice. If you deny a request, you must tell the consumer how to appeal. ([prdext2.cga.ct.gov](https://prdext2.cga.ct.gov/2026/sup/chap_743jj.htm))

Universal and agent-driven opt-outs

As of January 1, 2025, covered businesses must honor universal opt-out preference signals (for example, Global Privacy Control) sent by Connecticut residents as opt-outs of targeted advertising and of the sale of personal data. Residents may also designate an authorized agent to submit opt-out requests on their behalf. ([portal.ct.gov](https://portal.ct.gov/AG/Sections/Privacy/The-Connecticut-Data-Privacy-Act))
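Honoring a universal opt-out signal is ultimately a request-handling problem: the Global Privacy Control specification expresses the preference as the HTTP request header `Sec-GPC: 1` (and `navigator.globalPrivacyControl` in the browser), and any other header value is not a valid signal. The following is an added example, not code from the original article or from any vendor, showing how a server might recognize the signal and fold it into the consumer's effective opt-outs for the two purposes the page says the signal covers. The scope names (`targeted_advertising`, `sale`, `profiling`), the `ConsumerPrefs` model, and the sample headers are assumptions constructed for illustration.

```python
"""Recognize a Global Privacy Control signal and derive effective opt-outs.

Added example, not part of the original article. Scope names and the
ConsumerPrefs model are illustrative assumptions, not statutory terms.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Mapping, Set

# Per the GPC spec the request header is "Sec-GPC" with the literal value "1".
# Because the name starts with "Sec-", page scripts cannot set it (Fetch treats
# Sec-* as forbidden request headers), so it reflects a browser/extension
# setting rather than something injected by page JavaScript.
GPC_HEADER = "sec-gpc"

# Purposes a universal opt-out signal covers under the page's description:
# targeted advertising and sale. It says nothing about profiling.
SIGNAL_SCOPES: FrozenSet[str] = frozenset({"targeted_advertising", "sale"})


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only for a well-formed GPC signal.

    Header names are compared case-insensitively. Only the exact value "1"
    counts; "0", "true", an empty value, or a missing header is no signal.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class ConsumerPrefs:
    """Opt-outs the consumer recorded through the controller's own mechanism.

    Constructed model for the example; a real system would load this from the
    consumer's account or a preference cookie.
    """
    opted_out: Set[str] = field(default_factory=set)


def effective_opt_outs(headers: Mapping[str, str], prefs: ConsumerPrefs) -> FrozenSet[str]:
    """Union of the consumer's explicit opt-outs and the scopes a GPC signal adds.

    The signal only ever *adds* opt-outs; it never clears a choice the consumer
    made explicitly, and it does not infer a profiling opt-out.
    """
    scopes = set(prefs.opted_out)
    if gpc_signal_present(headers):
        scopes |= SIGNAL_SCOPES
    return frozenset(scopes)


def may_process(headers: Mapping[str, str], prefs: ConsumerPrefs, purpose: str) -> bool:
    """Gate a processing purpose on the effective opt-outs for this request."""
    return purpose not in effective_opt_outs(headers, prefs)


if __name__ == "__main__":
    # Constructed request headers: a browser with GPC enabled.
    request_headers = {"Host": "example.test", "Sec-GPC": "1"}
    prefs = ConsumerPrefs(opted_out={"profiling"})
    for purpose in ("targeted_advertising", "sale", "profiling", "fulfilment"):
        print(f"{purpose:20s} allowed={may_process(request_headers, prefs, purpose)}")
```

A request carrying `Sec-GPC: 1` blocks targeted advertising and sale for that consumer even when no account-level opt-out exists; a header with any other value is ignored rather than treated as a partial or ambiguous signal, and an unrelated purpose such as order fulfilment is unaffected.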

Compliance Requirements for Controllers

Baseline duties

Controllers must practice data minimization, use purpose limitation, and implement reasonable security measures appropriate to the volume and nature of data. They must provide an easy way to revoke consent and stop processing promptly, avoid processing in violation of anti-discrimination laws, and ensure processor contracts cover confidentiality, deletion/return, audits or assessments, and subcontractor flow-down terms. ([prdext2.cga.ct.gov](https://prdext2.cga.ct.gov/2026/sup/chap_743jj.htm))

Sensitive Data Processing

Sensitive data—such as health data, biometric/genetic data, precise geolocation, children’s data, and other enumerated categories—requires opt-in consent before processing. Starting July 1, 2026, “sensitive data” expressly includes additional categories like neural data and financial/government IDs, tightening Sensitive Data Processing standards. ([prdext2.cga.ct.gov](https://prdext2.cga.ct.gov/2026/sup/chap_743jj.htm))

Targeted advertising and sales involving teens

Current rule: do not sell personal data or process it for targeted advertising of consumers aged 13–15 without consent. Effective July 1, 2026, this prohibition extends to consumers aged 13–17, further restricting youth-targeted advertising and data sales. ([prdext2.cga.ct.gov](https://prdext2.cga.ct.gov/2026/sup/chap_743jj.htm))

Protections for Minors

Minors Data Safeguards for online services

If you offer an online service, product, or feature and have actual knowledge, or willfully disregard, that its users are minors, you must use reasonable care to avoid a heightened risk of harm to minors. Obligations include consent before collecting precise geolocation, limits on profiling-based automated decisions with significant effects absent the minor's or a parent's consent, default safeguards restricting unsolicited direct messages from adults to minors, and avoiding design features that significantly increase, sustain, or extend a minor's use of the service. ([prdext2.cga.ct.gov](https://prdext2.cga.ct.gov/2026/sup/chap_743jj.htm))

Age-based advertising and sales limits

The age-based limits on targeted advertising and the sale of personal data described above apply here as well: consent is required for consumers aged 13–15 today, and for consumers aged 13–17 from July 1, 2026. ([prdext2.cga.ct.gov](https://prdext2.cga.ct.gov/2026/sup/chap_743jj.htm))


Enforcement and Penalties

Who enforces and cure periods

The Attorney General (AG) exclusively enforces the CTDPA; there is no private right of action. From July 1, 2023 through December 31, 2024, the AG provided a 60‑day opportunity to cure alleged violations under the core CTDPA provisions (and from October 1, 2023 through December 31, 2024 for consumer health data). Beginning January 1, 2025, cure is discretionary based on factors like number of violations, scale, and data sensitivity. For the minors’ online protections, a similar cure window ran October 1, 2024 through December 31, 2025, with discretionary cure beginning January 1, 2026. ([cga.ct.gov](https://www.cga.ct.gov/current/pub/chap_743jj.htm))

Penalties under the Connecticut Unfair Trade Practices Act

A CTDPA violation is an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA). The AG may seek civil penalties—up to $5,000 per willful violation—and injunctive relief, among other remedies, under CUTPA’s enforcement scheme. ([cga.ct.gov](https://www.cga.ct.gov/current/pub/chap_743jj.htm))

Data Protection Assessments

When a Data Protection Assessment is required

You must conduct and document a Data Protection Assessment (DPA) for processing that presents a heightened risk of harm, including targeted advertising, sale of personal data, sensitive data processing, and certain profiling. DPAs must weigh benefits against risks and account for de-identification, consumer expectations, processing context, and the controller–consumer relationship. ([prdext2.cga.ct.gov](https://prdext2.cga.ct.gov/2026/sup/chap_743jj.htm))

Impact assessments and AG access

Starting July 1, 2026, controllers engaged in profiling that makes decisions producing legal or similarly significant effects must complete a profiling impact assessment. The AG can require access to DPAs and impact assessments during investigations; these materials are confidential and FOIA‑exempt, and disclosure does not waive privilege. Impact‑assessment obligations apply to processing created or generated on or after August 1, 2026. ([prdext2.cga.ct.gov](https://prdext2.cga.ct.gov/2026/sup/chap_743jj.htm))

Consent and Transparency

What counts as valid consent

Consent must be a clear, affirmative act that is freely given, specific, informed, and unambiguous. Consent obtained through dark patterns, pre-ticked boxes, or acceptance of general terms of use is not valid. Opt-in consent is mandatory for Sensitive Data Processing; for the sensitive data of a known child, process it in accordance with COPPA's verifiable parental consent requirements. ([prdext2.cga.ct.gov](https://prdext2.cga.ct.gov/2026/sup/chap_743jj.htm))

Privacy notices and opt-out mechanisms

Your privacy notice must be accessible, clear, and meaningful. It must describe categories of personal data processed, purposes, how to exercise rights and appeal, categories of data shared/sold, categories of third parties, and contact information. You must provide easy Targeted Advertising Opt-Out and sale opt-out mechanisms and, as of January 1, 2025, honor universal opt-out preference signals. Effective July 1, 2026, notices must also disclose whether you collect, use, or sell personal data for training large language models and include the most recent month and year the notice was updated. ([prdext2.cga.ct.gov](https://prdext2.cga.ct.gov/2026/sup/chap_743jj.htm))

Conclusion

The CTDPA sets a comprehensive, evolving framework to protect Connecticut residents’ personal and health data. Confirm your applicability, build rights-response and Targeted Advertising Opt-Out workflows, obtain opt‑in for Sensitive Data Processing, complete a robust Data Protection Assessment program, and update privacy notices to reflect 2026 changes—all while maintaining strong Minors Data Safeguards.

FAQs

What rights do Connecticut residents have under CTDPA?

Residents can access, correct, delete, and port their personal data, and opt out of targeted advertising, sale of personal data, and certain profiling. Controllers must respond within 45 days (extendable once by 45 days with notice) and provide an appeals process for denials. Universal opt‑out signals must be honored as of January 1, 2025. ([prdext2.cga.ct.gov](https://prdext2.cga.ct.gov/2026/sup/chap_743jj.htm))

How does CTDPA protect consumer health data?

Consumer Health Data Controllers are covered regardless of size and face specific duties: restricting employee and contractor access to consumer health data to those bound by confidentiality obligations, written contracts with processors, a prohibition on geofencing within 1,750 feet of a mental health, reproductive, or sexual health facility for health-data purposes, and a consent requirement before selling consumer health data. ([portal.ct.gov](https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act/))

What are the compliance obligations for businesses under CTDPA?

Core obligations include data minimization, purpose specification, reasonable security, opt‑in consent for Sensitive Data Processing, honoring consumer rights and Targeted Advertising Opt-Out requests (including universal signals), and executing controller–processor contracts. From July 1, 2026, expanded notice disclosures (including LLM training), broader teen protections, and added impact assessments for certain profiling apply. ([prdext2.cga.ct.gov](https://prdext2.cga.ct.gov/2026/sup/chap_743jj.htm))

What penalties apply for CTDPA violations?

The Attorney General exclusively enforces the CTDPA. A violation constitutes an unfair trade practice under the Connecticut Unfair Trade Practices Act, enabling injunctive relief and civil penalties—up to $5,000 per willful violation—among other remedies. Cure periods were time-limited and are now discretionary in many cases. ([cga.ct.gov](https://www.cga.ct.gov/current/pub/chap_743jj.htm))
