

Connecticut Data Privacy Act (CTDPA)

Passed May 10, 2022
Effective Date July 1, 2023
Who it applies to

Businesses that (1) control or process personal data of 100,000 or more Connecticut consumers (excluding personal data controlled or processed solely for completing a payment transaction); or (2) control or process personal data of at least 25,000 consumers and derive more than 25% of their gross revenue from the sale of personal data. Exempt entities include nonprofits, government agencies, higher education institutions, and financial institutions subject to the Gramm-Leach-Bliley Act (GLBA).

Penalties Up to $5,000 per violation

What’s notable about it:

Connecticut has already amended CTDPA, introducing new rules on health and children’s privacy that arguably make it the strictest privacy law in the US for companies that process any amount of “consumer health data”. Unlike other states, it doesn’t have a revenue threshold: if a company processes a single person’s consumer health data, it is subject to Connecticut’s law. If a business neither controls or processes the personal data of more than 100K CT residents nor processes any consumer health data, it is not affected by the law.

“Consumer health data” means “any personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.”

The Strict Spectrum

Less Strict