What is CTDPA?

The Connecticut Data Privacy Act (CTDPA) is a state-wide law that grants Connecticut consumers greater control over their personal data and imposes obligations on businesses operating in the state. The Act was passed on May 10, 2022, and takes effect on July 1, 2023.

Where does the CPA apply to?

The Connecticut Data Privacy Act (CTDPA) applies to businesses in Connecticut or those targeting its residents, handling personal data of at least 100,000 consumers or processing data for 25,000 consumers while earning over 25% of revenue from data sales. Personal data used solely for payment transactions is exempt.

What Are the Possible Reasons for CTDPA Penalties?

The four categories of invasion of privacy, outlined in the Restatement (Second) of Torts, include unreasonable intrusion into someone's private affairs, appropriation of someone's name or likeness, excessive publicity of someone's private life, and publicity that places someone in a false light before the public.

Who is Liable for CTDPA Penalties?

Entities or individuals that violate the CTDPA may face civil penalties, under the Connecticut Unfair Trade Practices Act. In addition to civil penalties, the Attorney General can also seek injunctive relief, restitution, and/or disgorgement.

What Are the CTDPA Penalties for
Non-Compliance?

The Connecticut Attorney General enforces the CTDPA. Businesses violating the Act can be fined up to $5,000 per willful violation. Beyond civil penalties, the Attorney General may also seek remedies like restitution and injunctive relief.

Get the CTDPA checklist for Free

Improve the effectiveness of your compliance strategy now.

Download checklist

Frequently Asked Questions

What is sensitive data under Connecticut Data Privacy Act (CTDPA)?

The Connecticut Data Privacy Act defines sensitive data as information that discloses race, sexual orientation, religious beliefs, citizenship or immigration status, genetic or biometric data, precise geolocation, and personal data from children under the age of 13.

Who is the enforcement authority for the Connecticut Data Privacy Act (CTDPA)?

The Connecticut Attorney General (AG) holds exclusive authority to enforce the CTDPA. If a violation is identified, the AG’s office will notify the business and allow 60 days to correct it. Starting January 1, 2025, this cure period will no longer be automatic and will be granted at the Attorney General’s discretion.

Who has privacy rights under the Connecticut Data Privacy Act (CTDPA)?

The CTDPA grants Connecticut residents specific rights over their personal data, but it excludes individuals acting in a commercial or employment context, as well as any personal data collected in an employment or business-to-business relationship.

How to make my business compliant with the CTDPA?

To assure CTDPA compliance for your business, start by implementing clear data protection policies and procedures. One of the easiest ways to simplify compliance is by using a Consent Management Platform (CMP) like Consentmo, which is designed specifically for Shopify stores. Our app helps you manage cookie consent, data requests, and user rights, verifying your store meets CTDPA requirements without hassle.

Is your site compliant?