Connecticut Data Privacy Act (CTDPA)
Connecticut's comprehensive privacy law, a hybrid of the CCPA and VCDPA models, notable for mandatory Universal Opt-Out Mechanism support and sunsetting the GLBA exemption for financial institutions in July 2026.
Overview
The Connecticut Data Privacy Act (CTDPA), codified at Conn. Gen. Stat. § 42-515 et seq. and enacted as SB 6 (2022), became effective July 1, 2023. Connecticut was the fifth state to pass comprehensive privacy legislation. The CTDPA is a deliberate hybrid: more protective than Virginia (it requires GPC/UOOM recognition) without the regulatory complexity of California's CPPA rulemaking machine.
CTDPA's applicability thresholds are lower than Virginia's: either (a) 100,000+ Connecticut consumers processed per year, or (b) 25,000+ consumers processed AND 25%+ of gross revenue from data sales (Virginia's secondary bar is 50%).
Exemptions track the VCDPA pattern — HIPAA entities, non-profits, higher-ed institutions, FCRA/DPPA/FERPA/COPPA-regulated data, employee and B2B data. Key scheduled change: the GLBA exemption for financial institutions is removed effective July 1, 2026, along with expanded protections for minors (13–16). Banks, insurers, and fintechs serving Connecticut residents must prepare for coverage.
Consumer Rights
- Right to confirm and access personal data
- Right to correct inaccuracies
- Right to delete
- Right to data portability (machine-readable)
- Right to opt out of sale, targeted advertising, and profiling
- Right to appeal a denial — with a 60-day response window
Sensitive data (race, religion, health diagnosis, sexual orientation, citizenship, genetic/biometric identifiers, minors under 13, precise geolocation) requires opt-in consent.
Compliance Requirements
Controllers must publish a privacy notice, honor GPC, perform DPIAs for targeted advertising, sale, profiling with risk of harm, sensitive data processing, and any high-risk activity. Processor contracts per § 42-520 are mandatory. Connecticut enforces consent revocation — the mechanism to withdraw consent must be as easy as the mechanism to grant it.
Cure Period + Enforcement
The Connecticut AG holds exclusive enforcement authority. Penalties reach $5,000 per violation under the Connecticut Unfair Trade Practices Act (CUTPA) — plus potential treble damages where CUTPA violations are found willful. The original 60-day cure period expired January 1, 2025; cure is now discretionary.
How Inori Addresses This
- Notice: src/content/legal/privacy.mdx v1.2 satisfies CTDPA disclosure requirements.
- GPC (mandatory): middleware.ts:respectGpc honors Sec-GPC: 1; Connecticut-scoped opt-outs (sale, targeted advertising, profiling) are covered by Inori's platform-wide no-sale posture.
- DSAR: /api/dsar serves all CTDPA rights with a 30-day SLA; appeals escalate to ask@askinori.com and are answered within 60 days.
- Deletion: 90-day hard-purge cron aligns with CTDPA's deletion obligation; post-purge only a hashed audit-ledger row survives.
- Sensitive data: Not collected.
- Deferred: Minor-aware consent gates (age 13–16) and financial-institution-specific workflows required by the July 2026 GLBA carve-out removal ship before the effective date.
Related Concepts
See CCPA/CPRA, VCDPA, and Colorado Privacy Act for comparative state models; GPC for the opt-out signal; DSAR for the request pipeline. See also MCDPA and OCPA for laws that adopt similar hybrid designs.