What is the CTDPA?

The Connecticut Data Privacy Act (CTDPA) is Connecticut's comprehensive consumer privacy law. In effect since July 1, 2023, it governs the collection, use, and disclosure of personal data, gives consumers control over their personal information, and places duties on the controllers and processors that handle such data.

The law grants consumers rights including access, correction, deletion, data portability, and the ability to opt out of certain processing activities. It also explicitly invalidates consent obtained through dark patterns and requires covered businesses to meet obligations such as data minimization, purpose limitation, reasonable security, and data protection assessments for higher-risk processing.

Who Does CTDPA Apply To?

CTDPA applies to businesses that do business in Connecticut or target Connecticut residents with goods or services, provided they meet the law’s data-processing thresholds. This means an out-of-state business can still be covered if it targets Connecticut residents and processes enough personal data.

The CTDPA applies to businesses that:

  • Conduct business in Connecticut or target products or services to Connecticut residents, and
  • Control or process the personal data of 100,000 or more consumers during the preceding calendar year, or
  • Control or process the personal data of 25,000 or more consumers and derive more than 25% of gross revenue from the sale of personal data.

If your business presents terms, privacy notices, or consent flows to Connecticut users and meets these thresholds, the CTDPA may apply to your data practices.

CTDPA and Clickwrap Agreements

Connecticut's treatment of clickwrap consent borrows from other state privacy laws, but it takes a more documentation-heavy enforcement posture. The Attorney General's office has indicated that the ability to produce consent records on request is a baseline compliance requirement rather than merely a best practice. Even where consent was validly obtained, a clickwrap system that registers consent without keeping retrievable, auditable records of what was presented, when, and to whom does not meet the CTDPA's standard.

How the CTDPA Affects Clickwrap Design

Consent is defined as a clear affirmative act that is freely given, specific, informed, and unambiguous. Section 1 makes it plain that agreement obtained through dark patterns does not constitute consent. The law defines a dark pattern as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.

Sensitive data triggers an entirely separate consent obligation. Under Section 6(a)(4), controllers may not process sensitive data without first obtaining the consumer's explicit, affirmative opt-in consent. The CTDPA's definition of sensitive data includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, genetic data, biometric data processed for identification, personal data of a known child, and precise geolocation data.

The right to opt out must be accessible without friction. Section 4(a)(5) provides consumers with the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. Starting January 1, 2025, controllers must also recognize universal opt-out mechanisms such as the Global Privacy Control.

Under Section 6(a)(5), consumers must be able to withdraw consent at any time through a method that is at least as accessible as the one used to give consent in the first place. If the clickwrap obtains consent with a single affirmative click, the withdrawal method cannot require the consumer to navigate settings menus, submit a form, or contact support. Once a withdrawal request is received, the CTDPA requires the controller to cease processing within 45 days.

What Must Be Shown Under the CTDPA

A controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice under Section 42-520(b).

Before the consumer takes the consent action, the interface or linked notice must make available:

  • The categories of personal data processed by the controller.
  • The purposes for which the personal data is processed.
  • How the consumer may exercise the rights to access, correct, delete, obtain a copy of personal data, and opt out of certain processing.
  • The categories of third parties with whom the personal data is shared, if any.
  • An active email address or other online mechanism for contacting the controller.
  • The method for appealing a controller's refusal to take action on a consumer rights request.

Section 42-520(a)(1) also imposes a purpose limitation. A controller may not process personal data for purposes that are neither reasonably necessary to nor compatible with the purposes disclosed to the consumer, unless the controller obtains the consumer’s consent. As a result, the purposes stated in the notice must be specific enough to support the actual processing activity at issue.

What Records You Must Keep Under the CTDPA

Section 9 requires controllers to conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. Those assessments must be made available to the Attorney General upon demand, and the same enforcement framework means consent records should be stored in a form that is accurate, retrievable, and readily exportable.

A comprehensive consent record under the CTDPA must capture:

  • The consumer's identity and consent event - Who consented, when, through what mechanism, and to what specific processing purpose
  • The complete version of the privacy notice and terms - Presented at the time of consent, archived in a format that permits faithful reproduction
  • Sensitive data consent, tracked independently - For each sensitive data category processed, a separate record of the consumer's opt-in action, the specific disclosure presented, and the purpose identified
  • Children's data flags - If the system identified the consumer as a known child, documentation of the age verification method used, and the sensitive data consent pathway triggered
  • Opt-out and withdrawal records - The date and scope of any opt-out request, including GPC signals detected, and the date and scope of any consent withdrawal

The CTDPA does not specify a mandatory retention period for consent records, but records should be kept long enough to cover enforcement risk. As a practical matter, organizations should retain clickwrap consent records for at least three years after the relevant processing relationship ends, and longer where the processing activity continues over multiple years.
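The record elements listed above, the withdrawal rule from Section 6(a)(5) (withdrawal no harder than the original consent), GPC recognition, and the retention floor, worked into a small consent ledger. This is an added example written for this page, not code from any compliance product or from the statute itself. The field names, the mechanism effort ranking, the sample notice text, and the retention and cease-processing figures (taken from the text above) are assumptions for the example; the `Sec-GPC: 1` header is the signal defined by the Global Privacy Control specification.

```python
"""Illustrative clickwrap consent ledger (added example, not a product's code)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import hashlib
import json

# Assumed effort ranking: withdrawal may not use a mechanism ranked harder
# than the one through which consent was given (Section 6(a)(5)).
MECHANISM_EFFORT = {"single_click": 1, "settings_menu": 2, "web_form": 3, "contact_support": 4}

# Sensitive data categories named on the page; opt-in is tracked per category.
SENSITIVE_CATEGORIES = {"racial_or_ethnic_origin", "religious_beliefs", "health",
                        "sexual_orientation", "genetic", "biometric_identification",
                        "known_child", "precise_geolocation"}

WITHDRAWAL_CEASE_DAYS = 45  # deadline stated in the text above
RETENTION_YEARS = 3         # practical retention floor stated in the text above


@dataclass
class ConsentRecord:
    consumer_id: str
    consented_at: str
    mechanism: str
    purpose: str
    notice_sha256: str                      # key into the archived notice text
    sensitive_category: Optional[str] = None
    withdrawn_at: Optional[str] = None
    cease_by: Optional[str] = None          # hard deadline after withdrawal


@dataclass
class OptOutRecord:
    consumer_id: str
    received_at: str
    scope: str      # "targeted_advertising", "sale" or "profiling"
    source: str     # "gpc_signal" or "consumer_request"


def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """True when the request carries a Global Privacy Control signal (Sec-GPC: 1)."""
    return any(k.lower() == "sec-gpc" and v.strip() == "1" for k, v in headers.items())


class ConsentLedger:
    def __init__(self) -> None:
        self.notices: Dict[str, str] = {}   # sha256 -> full notice text, for faithful reproduction
        self.consents: List[ConsentRecord] = []
        self.opt_outs: List[OptOutRecord] = []

    def archive_notice(self, notice_text: str) -> str:
        digest = hashlib.sha256(notice_text.encode("utf-8")).hexdigest()
        self.notices.setdefault(digest, notice_text)
        return digest

    def record_consent(self, consumer_id: str, purpose: str, mechanism: str, notice_text: str,
                       now: datetime, sensitive_category: Optional[str] = None) -> ConsentRecord:
        if mechanism not in MECHANISM_EFFORT:
            raise ValueError("unknown consent mechanism: %r" % mechanism)
        if sensitive_category is not None and sensitive_category not in SENSITIVE_CATEGORIES:
            raise ValueError("unknown sensitive data category: %r" % sensitive_category)
        rec = ConsentRecord(consumer_id, now.isoformat(), mechanism, purpose,
                            self.archive_notice(notice_text), sensitive_category)
        self.consents.append(rec)
        return rec

    def withdraw(self, consumer_id: str, purpose: str, mechanism: str, now: datetime) -> List[ConsentRecord]:
        """Withdraw every active consent for the purpose; refuse a harder mechanism."""
        active = [c for c in self.consents
                  if c.consumer_id == consumer_id and c.purpose == purpose and c.withdrawn_at is None]
        if not active:
            raise LookupError("no active consent to withdraw")
        for c in active:
            if MECHANISM_EFFORT[mechanism] > MECHANISM_EFFORT[c.mechanism]:
                raise ValueError("withdrawal must be at least as accessible as the consent mechanism")
            c.withdrawn_at = now.isoformat()
            c.cease_by = (now + timedelta(days=WITHDRAWAL_CEASE_DAYS)).isoformat()
        return active

    def record_opt_out(self, consumer_id: str, scope: str, source: str, now: datetime) -> OptOutRecord:
        rec = OptOutRecord(consumer_id, now.isoformat(), scope, source)
        self.opt_outs.append(rec)
        return rec

    def apply_request_headers(self, consumer_id: str, headers: Dict[str, str], now: datetime) -> List[OptOutRecord]:
        """Honor a GPC signal as an opt-out of targeted advertising and sale."""
        if not gpc_signal_present(headers):
            return []
        return [self.record_opt_out(consumer_id, scope, "gpc_signal", now)
                for scope in ("targeted_advertising", "sale")]

    def processing_allowed(self, consumer_id: str, purpose: str, sensitive_category: Optional[str] = None) -> bool:
        """Allowed only with an un-withdrawn consent matching purpose and category, and no opt-out.
        A withdrawn consent blocks processing immediately; cease_by is the outer deadline."""
        if any(o.consumer_id == consumer_id and o.scope == purpose for o in self.opt_outs):
            return False
        return any(c.consumer_id == consumer_id and c.purpose == purpose
                   and c.sensitive_category == sensitive_category and c.withdrawn_at is None
                   for c in self.consents)

    def export(self) -> str:
        """Export the full ledger for an Attorney General request."""
        return json.dumps({"notices": self.notices,
                           "consents": [asdict(c) for c in self.consents],
                           "opt_outs": [asdict(o) for o in self.opt_outs]}, indent=2, sort_keys=True)

    def purgeable(self, relationship_ended: datetime, now: datetime) -> bool:
        """Records may be purged only after the retention floor has elapsed."""
        return now >= relationship_ended + timedelta(days=365 * RETENTION_YEARS)
```

Keying a consent record to the SHA-256 of the archived notice text ties each consent event to the exact notice version shown, and keeping sensitive-category consent as separate records means a general consent for a purpose never silently covers sensitive data for that purpose.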

Key Provisions of CTDPA

Consumer
A "consumer" is defined by Connecticut law as a resident of the state, with the exception of those who engage in a commercial or employment capacity (Section 1).
Personal Data
Any information that is linked or reasonably linkable to an identified or identifiable individual is personal data under the CTDPA, with the exception of de-identified data and publicly available information (Section 1).
Sensitive Data
According to Section 1, sensitive data includes information about race or ethnicity, religion, physical or mental health conditions, sexual orientation, citizenship or immigration status, genetic information, biometric information processed for identification, children's information, and precise geolocation.
Consent
Consent is a clear affirmative act that is freely given, specific, informed, and unambiguous. Agreement obtained through dark patterns does not constitute consent (Section 1).
Dark Patterns
An interface created or altered to significantly impair user autonomy or decision-making is known as a "dark pattern." According to Section 1, consent gained through one is invalid.
Data Protection Assessment
Controllers must conduct and document a data protection assessment before processing personal data for targeted advertising, the sale of personal data, high-risk profiling, or the processing of sensitive data (Section 9).
Right to Delete
Consumers may request that their personal data be deleted, and the controller has 45 days to comply (Section 4).

Penalties for CTDPA Non-Compliance

Violation of a court order - Up to $25,000 per violation
If a business violates a temporary restraining order or injunction entered in an enforcement action, the court may impose a civil penalty of up to $25,000 per violation.

Willful violations - Up to $5,000 per violation
In an Attorney General enforcement action under CUTPA, the court may impose a civil penalty of up to $5,000 for each willful violation. This is the main baseline fine tied to noncompliance.

Injunctive relief and restitution - Reasonable expenses
The Attorney General may seek temporary or permanent injunctions and restitution. This can halt non-compliant processing and require repayment or restoration, but the statute does not assign a set dollar figure to this category.

Frequently Asked Questions

How does the CTDPA differ from other state privacy laws?
CTDPA stands out for its explicit rule that consent obtained through dark patterns is invalid and for requiring controllers to recognize opt-out preference signals for targeted advertising and sales, such as browser-based universal opt-out signals. I would not overstate this as having uniquely "strict consent documentation requirements," because the statute is more clearly distinctive on dark patterns and opt-out signals than on documentation.

Does the CTDPA provide a cure period before enforcement?
CTDPA originally included a 60-day cure period, but that general cure period expired on December 31, 2024. After that, the Attorney General is not required to provide an opportunity to cure before enforcement.

Does the CTDPA apply to every organization that handles Connecticut residents' data?
Generally no. CTDPA applies to persons doing business in Connecticut or targeting Connecticut residents if they meet the data-processing thresholds, but it exempts state and local government entities, certain nonprofits, and higher education institutions. It also exempts certain data and entities already regulated under laws such as HIPAA and GLBA.

This entry is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for guidance specific to your situation.