Connecticut Data Privacy Act (CTDPA)
Connecticut's privacy framework effective July 1, 2023, aligning closely with Virginia and Colorado while adding specific children's data safeguards.
The Connecticut Data Privacy Act (CTDPA), Public Act 22-15, codified at Conn. Gen. Stat. § 42-515 et seq., took effect July 1, 2023. Applicability thresholds mirror the VCDPA: 100,000 consumers processed annually, or 25,000 consumers where the controller derives revenue or discounts from data sales. Connecticut grants consumers the five standard rights — access, correction, deletion, portability, and opt-out of targeted advertising, data sales, and certain profiling — and requires controllers to respond to verified requests within 45 days, with one 45-day extension available. The CTDPA follows the VCDPA/CPA model of AG-only enforcement with a 60-day cure period, though the cure period sunsets January 1, 2025, after which the AG may bring actions without cure opportunity.
The CTDPA's most engineering-significant addition is its treatment of children's data (§ 42-520). Controllers may not process personal data of consumers known to be under 16 for targeted advertising, data sales, or profiling without consent — raising the age threshold above COPPA's 13 to 16, creating a distinct compliance tier. This requires age-screening and consent management logic capable of tracking an "under-16" classification distinct from COPPA's under-13 tier. Like Colorado, Connecticut requires UOOM recognition from October 1, 2024: controllers must honor technically compliant opt-out signals, including GPC. Data Protection Assessments are mandatory for sensitive data processing, targeted advertising, data sales, and high-risk profiling, with a requirement to produce them to the AG within 30 days of request.
Sensitive data under the CTDPA includes data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship status, genetic data, biometric data used for identification, and children's data. The CTDPA includes an explicit provision that controllers cannot discriminate against consumers for exercising their rights — meaning pricing, service quality, and feature access must not be conditioned on consent to data sale or targeted advertising, subject to a loyalty program exception. Engineers building consent flows must ensure downstream systems do not degrade user experience based on consent state, which requires decoupling of consent signals from personalization engines that influence UX quality.
We implement CTDPA compliance with age-tiered consent flows — COPPA under-13, CTDPA under-16, adult — wired to separate consent management buckets with appropriate parental consent workflows. Our GPC/UOOM interception layer was extended to cover Connecticut's October 2024 effective date alongside Colorado, using shared edge middleware. Assessment documentation captures the under-16 profiling risk tier specifically.
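The three-tier consent gate described above, as an added illustration that is not the page's own code: it maps age to the COPPA under-13, CTDPA under-16 and adult tiers, treats a received GPC signal as an opt-out of targeted advertising and data sales, and requires affirmative consent for the restricted purposes in the two minor tiers. The purpose names, the `parental` flag and the `ConsentRecord` shape are assumptions for the example.

```python
from dataclasses import dataclass, field

# Age tiers are kept separate so the CTDPA under-16 tier is never collapsed
# into the COPPA under-13 tier (the three-bucket design described above).
COPPA_MAX_AGE = 12          # 0-12: COPPA tier
CTDPA_MINOR_MAX_AGE = 15    # 13-15: CTDPA under-16 tier

# Purposes the CTDPA restricts for consumers known to be under 16.
RESTRICTED = {"targeted_advertising", "data_sale", "profiling"}
# Purposes a GPC/UOOM signal opts the consumer out of.
GPC_OPT_OUT = {"targeted_advertising", "data_sale"}


def age_tier(age):
    """Classify a known age into the consent bucket it belongs to."""
    if age <= COPPA_MAX_AGE:
        return "coppa_under_13"
    if age <= CTDPA_MINOR_MAX_AGE:
        return "ctdpa_under_16"
    return "adult"


@dataclass
class ConsentRecord:
    purposes: set = field(default_factory=set)   # affirmatively consented purposes
    parental: bool = False                       # assumed flag: consent came via parental workflow
    opted_out: set = field(default_factory=set)  # explicit opt-outs (adult opt-out model)


def processing_allowed(purpose, age, consent, gpc_signal):
    """Return (allowed, reason). gpc_signal is True when a Sec-GPC: 1 header was received."""
    if purpose not in RESTRICTED:
        return True, "unrestricted purpose"
    # UOOM: a GPC signal is honored as an opt-out of targeted ads and sales for every tier.
    if gpc_signal and purpose in GPC_OPT_OUT:
        return False, "GPC opt-out signal honored"
    if purpose in consent.opted_out:
        return False, "explicit opt-out on record"
    tier = age_tier(age)
    if tier == "coppa_under_13":
        # COPPA tier: consent must exist and must have come through the parental workflow.
        return purpose in consent.purposes and consent.parental, "COPPA tier: parental consent required"
    if tier == "ctdpa_under_16":
        # CTDPA tier: affirmative consent required before the restricted purpose is processed.
        return purpose in consent.purposes, "CTDPA under-16 tier: consent required"
    return True, "adult: opt-out model, no opt-out on record"
```

The gate returns only allow/deny; per the non-discrimination provision, callers must not feed its result into anything that changes pricing, service quality or feature access.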