Connecticut's CTDPA closely tracks the Virginia and Colorado privacy laws but adds stronger sensitive-data opt-in and explicit Global Privacy Control honouring.
Last reviewed 2026-06-19 · Risk rating rationale: Lower threshold (25,000 residents if 25%+ revenue from data sale) catches mid-market businesses that don't trigger VCDPA.
Key Connecticut laws affecting websites
The statutes most likely to apply to a commercial website serving Connecticut residents.
CTDPA (Connecticut Data Privacy Act) · Effective 2023
Applies to: Entities conducting business in Connecticut that (a) control or process data of 100,000+ Connecticut consumers (excluding data used solely to complete payment transactions), or (b) derive 25%+ of gross revenue from data sale AND process data of 25,000+ consumers.
What your website must do
Privacy notice with the categories of data, purposes, sharing, and how to exercise rights
Honour Global Privacy Control as a valid opt-out signal
Opt-in consent for processing of sensitive data including precise geolocation, genetic, biometric, mental/physical health, sexual orientation, citizenship/immigration status, and children's data
Free annual data access + portability requests
Data protection assessments for high-risk processing
What your site has to disclose, ask consent for, and allow consumers to do with their personal information.
CTDPA gives Connecticut consumers rights to access, correct, delete, port, and opt out of sale, targeted ads, and profiling for significant decisions.
Practical requirements for your website
Privacy notice with required categories list + reasonable means to exercise rights
Respond to rights requests within 45 days (one 45-day extension allowed)
Free annual response (you may charge for additional requests in the same 12 months)
Honour an authorized agent submitting opt-out requests on behalf of a consumer
Cookies and tracking
Federal law applies
When you need consent, opt-outs, or universal opt-out signal honouring for cookies and analytics scripts.
No cookie-consent mandate, but tracking cookies used for targeted ads trigger CTDPA opt-out rights, and the GPC signal must be honoured.
Practical requirements for your website
Honour Global Privacy Control on every page where targeted advertising cookies are set
Visible privacy choices link in the footer
Accessibility (ADA + state)
Federal law applies
WCAG conformance expectations and how the state's accessibility cases tend to be litigated.
Federal ADA Title III applies. No Connecticut-specific WCAG mandate.
Practical requirements for your website
Conform to WCAG 2.1 AA
Provide a contact path for accessibility accommodations
Cybersecurity and breach response
Federal law applies
What 'reasonable security' looks like under state law and how fast you have to notify after a breach.
Federal FTC Act + Connecticut Unfair Trade Practices Act govern advertising disclosures.
Practical requirements for your website
Material connection disclosures
Honest pricing and availability
Email and SMS marketing
Federal law applies
How federal CAN-SPAM and TCPA interact with state-level marketing rules in this jurisdiction.
Federal CAN-SPAM governs commercial email.
Practical requirements for your website
Accurate header information
Functional unsubscribe processed within 10 business days
Physical postal address
AI regulation
Federal law applies
Which AI uses the state has chosen to regulate, who's covered, and what the website has to disclose.
CTDPA covers profiling 'in furtherance of decisions that produce legal or similarly significant effects' — credit, housing, employment, education, insurance, healthcare — with opt-out rights.
Practical requirements for your website
Disclose use of profiling for significant decisions in your privacy notice
Provide opt-out from such profiling
Frequently asked questions about Connecticut website compliance
Does CTDPA require a cookie banner?
No, Connecticut does not require an interrupt-style cookie banner. But you must honour the Global Privacy Control browser signal as an opt-out of targeted advertising, and you must provide a privacy choices link in your footer.
What counts as sensitive data under CTDPA?
Racial or ethnic origin, religious beliefs, mental or physical health condition, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data processed to identify an individual, personal data from a known child, and precise geolocation. All of these require opt-in consent.
Important: Scantra is a software tool and a non-profit publisher, not a law firm. The summaries on this page are written for general business orientation and reflect the editors' reading of the statutes as of 2026-06-19. They are not legal advice and should not be the only source you rely on for compliance decisions. For your specific situation, consult a licensed attorney in Connecticut.