Last updated: December 2025
Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.
Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.
The Connecticut Consumer Privacy Act
Effective Date: July 1, 2023, as amended by Senate Bill 3 in June 2023, and further amended by Senate Bill 1295, which will take effect on July 1, 2026.
- The 2023 amendment provided new requirements around consumer health data and children's data protection. Most of these amended provisions (apart from most of the children's online safety provisions) went into effect on the same date as the original act.
- The 2025 amendment lowers the applicability thresholds and adds additional business obligations with respect to Profiling. The amendment also includes a new “impact assessment” requirement for controllers engaged in Profiling with respect to any processing activities created or generated on or after August 1, 2026.
- Under the amended CTCPA, “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
1. Applicability Thresholds:
Subject to certain entity-level and data-level exemptions, this law applies to any individual or legal entity doing business in the State of Connecticut, or producing products or services targeted to Connecticut residents (consumers), that, during the preceding calendar year, meets one of the following three criteria:
- Control or process 35,000+ Connecticut consumers' personal data (excluding payment transaction data);
- Control or process any consumers' sensitive data, excluding payment transaction data; or
- Offer consumers' personal data for sale in trade or commerce.
2. Key Definitions:
Sales of Personal Data: Similar to California, "sales of personal data" is broadly defined as "the exchange of personal data for monetary or other valuable consideration by a Controller to a third party."
Publicly Available Information: The 2025 amendment to the CTDPA expanded the definition of “Publicly available information” to include information that has been lawfully made available to the general public from public media and expressly excludes biometric data that can be associated with a specific consumer and was collected without the consumer’s consent.
3. Business Obligations for Processing Activities Presenting Heightened Risks to Consumers:
The CTDPA imposes additional obligations on persons who, alone or jointly with others, determine the purposes and means of processing personal data (Controller):
Heightened Protection for Minors Under the Age of 18:
- The CTDPA defines "Minor" as any consumer under 18 years of age.
- Effective October 1, 2024, any Controller offering online services, products, or features to Minors shall:
  - use reasonable care to avoid a heightened risk of harm;
  - be prohibited from processing such Minor's personal data for targeted advertising, sales of personal data, or Profiling for any automated decision regardless of whether it obtains consent;
  - be prohibited from collecting such Minor's precise geolocation data subject to certain exceptions;
  - be prohibited from processing any Minor’s personal data for certain Profiling activities that produce any legal or significant effect, without prior consent from the Minor, or legal guardian for children under the age of 13;
  - conduct data protection assessments of its services to address any "heightened risk of harm" to Minors that is a reasonably foreseeable result of offering such online service, product, or feature; and
  - conduct a detailed impact assessment if such online service, product, or feature engages in any Profiling based on such Minor’s personal data.
Enhanced Protection for Consumer Health Data: The CTDPA amendment, passed in June 2023, expanded the scope of "sensitive data" to include "consumer health data."
- The CTDPA amendment prohibits: (1) providing consumer health data to employees or contractors unless they are subject to a contractual or statutory duty of confidentiality; (2) using geofences near mental, reproductive, and sexual health facilities for "identifying, tracking, collecting data from or sending any notification to a consumer regarding the consumer's consumer health data"; and (3) selling consumer health data without consent.
4. Additional Controller Obligations:
In addition to responding to various Consumer rights, a Controller must comply with the following responsibilities:
- Data Processing Agreement (DPA): Processing activities by a supplier (Processor) shall be governed by a DPA between the Controller and Processor.
- Data Protection Assessment: Required where processing activities present a heightened risk of harm to Consumers (including Minors); such activities include targeted advertising, sales of personal data, and Profiling, among others. In addition, a Controller that engages in any Profiling for making a decision that produces any legal or similarly significant effect shall conduct an impact assessment that analyzes any foreseeable heightened risk of harm to a consumer.
- Privacy Notice: A Controller must provide consumers with a privacy notice. In addition, a Controller must clearly and conspicuously disclose the sale of consumer data or the use of data for targeted advertising. According to the 2025 Amendment (SB 1295), the privacy policy must also disclose whether a controller collects, uses, or sells personal data for training large language models (LLMs). Whenever a controller makes any retroactive material changes to its privacy notice or practices, it shall notify the consumers (via electronic measures) and provide a reasonable opportunity for the consumers to withdraw consent.
- Universal Opt-out Mechanism: Beginning January 1, 2025, Controllers must allow consumers to opt out of any processing of consumer personal data for the purposes of targeted advertising and/or sale. This mechanism requires Controllers to recognize an opt-out preference signal sent by a platform, technology, or mechanism on behalf of the consumer for this purpose.
5. Consumer Rights:
Subject to certain exceptions, a Connecticut consumer has the right to:
- Confirm whether or not a Controller is processing their personal data, and access the categories of data being processed (including inferences about the consumer derived from such personal data and whether personal data is processed for the purpose of Profiling);
- Correct inaccuracies in the consumer's personal data;
- Delete personal data provided by, or obtained about, the consumer;
- Obtain a copy of their personal data processed by the Controller (known as Data Portability);
- Opt out of data processing for targeted advertising, sales of personal data, and Profiling for any automated decisions producing legal or similarly significant effects; and
- Question the result of the Profiling and obtain information about the decision.
6. Enforcement and Penalties:
Private Right of Action: None
Penalties: Up to $5,000 per violation in accordance with the Connecticut Unfair Trade Practices Act.
Cure Period: Beginning January 1, 2025, the Connecticut attorney general may grant a cure period after issuing a notice of violation, taking into consideration factors such as the number of violations, the size and complexity of the violations, the sensitivity of the data, the substantial likelihood of injury to the public, and other factors.