The Connecticut Data Privacy Act (CTDPA), which took effect on July 1, 2023, grants Connecticut residents control over their personal data. This applies to businesses that meet a certain threshold of data processing and gives consumers several rights.
Basically, under the CTDPA, residents can access, correct, or delete their data, opt-out of data sales and targeted advertising, and opt-in for sensitive data processing (like health information). They also have the right to opt-out of automated decision-making that significantly impacts them.
For businesses, you will want to be transparent about data collection and the purpose for collecting data. Non-compliance with the CTDPA can lead to fines of up to $5,000 per violation. Compared to California's law (CCPA), Connecticut requires explicit consent for sensitive data processing.
Why It Matters
The CTDPA's requirement to honor universal opt-out mechanisms for data sales kicks in by July 1, 2025. That may feel like far into the future, but it really isn’t. Businesses will want to take steps now to understand how a universal opt-out mechanism would be employed with its current systems and processes and what the implementation timeline will be, so you are ready by July 1, 2025.