Last updated: January 2025
Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.
Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.
The Connecticut Consumer Privacy Act
Effective Date: July 1, 2023, further amended by Senate Bill 3 in June 2023.
1. Applicability Thresholds:
Subject to certain entity-level and data-level exemptions, this law applies to any individual or legal entity that does business in the State of Connecticut or produces products or services targeted to Connecticut residents (consumers) and that, during the preceding calendar year, controlled or processed either:
- 100,000+ Connecticut consumers' personal data (excluding payment transaction data); or
- 25,000+ Connecticut consumers' personal data and derived more than 25 percent of its revenue from the sale of personal data.
2. Key Definitions:
Sales of Personal Data: Similar to California, "sales of personal data" is broadly defined as "the exchange of personal data for monetary or other valuable consideration by a Controller to a third party."
3. Business Obligations for Processing Activities Presenting Heightened Risks to Consumers:
The CTDPA imposes additional obligations on persons who, alone or jointly with others, determine the purposes and means of processing personal data (Controller):
Heightened Protection for Minors Under the Age of 18:
- The CTDPA defines "Minor" as any consumer under 18 years of age.
- Effective October 1, 2024, any Controller offering online services, products, or features to Minors shall:
  - use reasonable care to avoid a heightened risk of harm;
Enhanced Protection for Consumer Health Data: The CTDPA amendment passed in June 2023 expanded the scope of "sensitive data" to include "consumer health data".
- The CTDPA amendment prohibits: (1) providing consumer health data to employees or contractors unless they are subject to a contractual or statutory duty of confidentiality; (2) using geofences near mental, reproductive, and sexual health facilities for "identifying, tracking, collecting data from or sending any notification to a consumer regarding the consumer's consumer health data"; and (3) selling consumer health data without consent.
4. Additional Controller Obligations:
In addition to responding to various Consumer rights, a Controller must comply with the following responsibilities:
- Data Processing Agreement (DPA): Processing activities by a supplier (Processor) shall be governed by a DPA between the Controller and Processor.
- Data Protection Assessment: Required where processing activities present a heightened risk of harm to Consumers (including Minors), including targeted advertising, sales of personal data, and profiling, among others.
- Privacy Notice: A Controller must provide consumers with a privacy notice. In addition, a Controller must clearly and conspicuously disclose the sale of consumer data or the use of data for targeted advertising.
- Universal Opt-out Mechanism: Beginning January 1, 2025, Controllers must allow consumers to opt out of any processing of consumer personal data for the purposes of targeted advertising and/or sale.
5. Consumer Rights:
Subject to certain exceptions, a Connecticut consumer has the right to:
- Confirm whether or not a Controller is processing the consumer's personal data, and access the categories of data being processed;
- Correct inaccuracies in the consumer's personal data;
- Delete personal data provided by, or obtained about, the consumer;
- Obtain a copy of their personal data processed by the Controller (known as Data Portability); and
- Opt out of data processing for targeted advertising, sales of personal data, and profiling for solely automated decisions producing legal or similarly significant effects.
6. Enforcement and Penalties:
Private Right of Action: None
Penalties: Up to $5,000 per violation in accordance with the Connecticut Unfair Trade Practices Act.
Cure Period: 60-day cure period. Beginning January 1, 2025, the Connecticut attorney general may grant a cure period after issuing a notice of violation, taking into consideration factors such as the number of violations, the size and complexity of the violations, the sensitivity of the data, the substantial likelihood of injury to the public, and other factors.