
Connecticut's CTDPA Requires Data Protection Assessments — Here's What to Know
Two-Sentence Summary
Connecticut has a data privacy law called the CTDPA that requires businesses using customer data for targeted advertising, profiling, or handling sensitive information to write up formal assessments documenting the risks and benefits of what they're doing. The law has been in effect since July 1, 2023, the mandatory 60-day cure period for violations expired at the end of 2024, and the Attorney General now has full discretion to enforce it without giving businesses a second chance.
If you use customer data for targeted ads, profiling, or personalization — and you have Connecticut customers — there's a law you should know about.
Connecticut passed a comprehensive data privacy law in 2022 that went into effect on July 1, 2023. It's called the Connecticut Data Privacy Act, sometimes abbreviated as the CTDPA. It was enacted as Public Act 22-15, and it's codified in Title 42, Chapter 743jj of the Connecticut General Statutes, starting at Section 42-515.
Among other things, the law requires businesses that meet certain thresholds to conduct documented data protection assessments for specific types of data processing — including profiling, targeted advertising, and handling sensitive personal data.
If you've been focused on California, or on the newer laws in states like Oregon and Texas, this one might have flown under your radar. It has been quietly in effect for nearly three years. And unlike some of the newer laws, where the enforcement agencies are still ramping up, Connecticut's Attorney General has had exclusive enforcement authority since day one, and the initial cure period has already expired.
Let's walk through what the law requires, who it applies to, and what you need to have documented.
Who the CTDPA Applies To
The law applies to businesses that conduct business in Connecticut or produce products or services targeted to Connecticut residents, and that during the preceding calendar year met either of these two thresholds. (§§ 42-515 through 42-526)
You controlled or processed the personal data of at least 100,000 Connecticut consumers, not counting data processed solely for completing a payment transaction. Or you controlled or processed the personal data of at least 25,000 Connecticut consumers and derived more than 25 percent of your gross revenue from the sale of personal data.
A "consumer" under this law means a Connecticut resident acting in an individual or household context — not in a commercial or employment role. So your business clients and employee data don't count toward the threshold.
A couple of practical notes. The 100,000 consumer threshold might sound large, but remember that website visitors, app users, email subscribers, and anyone in your marketing database whose personal data you process can count. If your business has a meaningful online presence that reaches Connecticut residents, you may be closer to that threshold than you think. And the 25,000 threshold applies even to smaller businesses if a significant portion of your revenue comes from selling personal data.
There are exemptions for state and local government bodies, nonprofits, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act, entities covered by HIPAA, and a few other categories. (§§ 42-515 through 42-526)
What the Law Means by "Profiling"
The CTDPA defines profiling as any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to a person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. (§ 42-515)
That covers a lot of ground. If you're using an algorithm or AI system that takes in data about a person and produces some kind of evaluation or prediction about them, that's profiling under this law. The recommendation engine on your website, the segmentation logic in your email marketing platform, the predictive scoring in your CRM, the behavioral targeting in your ad platform — all of these potentially qualify.
The law gives consumers the right to opt out of profiling when it's used in furtherance of solely automated decisions that produce legal or similarly significant effects, meaning decisions that result in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods or services. (§ 42-518) Note the word "solely": the opt-out right is tied to decisions made without human involvement, while the assessment trigger discussed below covers profiling more broadly.
When Data Protection Assessments Are Required
Under Section 42-522, a controller must conduct and document a data protection assessment for each of its processing activities that presents a heightened risk of harm to a consumer. The law specifically identifies four categories that trigger this requirement.
Processing personal data for the purposes of targeted advertising. Selling personal data. Processing personal data for purposes of profiling, where that profiling presents a reasonably foreseeable risk of unfair or deceptive treatment, unlawful disparate impact, financial or physical or reputational injury, intrusion on privacy or seclusion that would be offensive to a reasonable person, or other substantial injury to consumers. And processing sensitive data. (§ 42-522)
Sensitive data under the CTDPA includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data; personal data collected from a known child; and precise geolocation data. (§ 42-515)
If your business engages in any of these activities with Connecticut consumer data, you need a documented assessment for each one.
What the Assessment Needs to Include
The statute is clear about what a data protection assessment must do. It needs to identify and weigh the benefits that may flow from the processing — to the controller, the consumer, other stakeholders, and the public — against the potential risks to the rights of the consumer, as mitigated by any safeguards the controller has in place to reduce those risks. (§ 42-522)
The assessment should also factor in: whether de-identified data could serve the same purpose, what a reasonable consumer would expect, the context of the processing, and the relationship between the controller and the consumer whose data is being processed. (§ 42-522)
In simpler terms: for each qualifying processing activity, you need a written document that honestly evaluates what you're doing, why you're doing it, who benefits, what could go wrong for the people affected, and what you're doing to prevent that. If you've done impact assessments in other contexts — environmental impact, accessibility, financial risk — the concept is similar. You're taking a step back, looking at the full picture, and documenting your analysis.
Practical Features That Make This Easier
There are a few provisions in the statute that are worth knowing about because they reduce the overall burden.
You can group similar activities. A single data protection assessment can cover a comparable set of processing operations that include similar activities. You don't need a separate document for every individual instance if the processing is essentially the same. (§ 42-522)
Assessments for other laws can count. If you've already done data protection assessments to comply with Virginia, Colorado, Oregon, or EU GDPR requirements, those assessments may satisfy Connecticut's requirements — as long as they're reasonably similar in scope and effect. (§ 42-522) This is genuinely helpful if your business operates across multiple states, because it means you're not duplicating work for each jurisdiction.
It's not retroactive. The assessment requirements apply to processing activities created or generated after July 1, 2023. Anything you were already doing before that date doesn't need a retroactive assessment, though new activities since then do. (§ 42-522)
Your assessments are protected from public disclosure. The Attorney General can require you to produce an assessment that is relevant to an investigation, but that disclosure doesn't waive attorney-client privilege or work product protection, and the assessments are exempt from Connecticut's Freedom of Information Act, so they won't become public records. (§ 42-522)
How Enforcement Works
The Connecticut Attorney General has exclusive authority to enforce the CTDPA. There is no private right of action — individual consumers cannot sue you directly under this law. (§ 42-525)
The enforcement approach has evolved over time. During the first 18 months of the law (July 1, 2023 through December 31, 2024), the Attorney General was required to issue a notice of violation and give the controller 60 days to cure before taking action. That mandatory cure period has now ended. (§ 42-525)
Beginning January 1, 2025, the Attorney General has discretion on whether to grant a cure opportunity. In deciding, the AG can consider seven factors: the number of violations, the size and complexity of the business, the nature and extent of the processing activities, the likelihood of public injury, the safety of persons or property, whether the violation was caused by human or technical error, and the sensitivity of the data involved. (§ 42-525)
A violation of the CTDPA constitutes an unfair trade practice under Connecticut's general consumer protection statute (Section 42-110b), which means it's enforced through the same framework the AG uses for other consumer protection violations. (§ 42-525)
The shift from a mandatory cure period to discretionary enforcement is significant. It means the AG now has more flexibility in how to respond to violations, and businesses can't count on getting a second chance to fix things. Having your documentation in order before there's a problem is considerably more important now than it was during the first 18 months of the law.
Why This Law Matters
The Connecticut Data Privacy Act was the fifth comprehensive state privacy law in the country, enacted after California, Virginia, Colorado, and Utah, and ahead of Oregon, Texas, and the many states that followed. Its data protection assessment framework has become something of a template; many of the state privacy laws that came after it use similar language and similar structures.
The purpose of the assessment requirement is practical. When businesses process personal data in ways that could affect people — through profiling, targeted advertising, or handling sensitive information — the law wants them to think carefully about the impact before they proceed. Not to stop them from doing it, but to make sure they've considered the consequences and put safeguards in place.
That's a reasonable approach to privacy regulation. It doesn't ban data processing. It asks businesses to be thoughtful and transparent about it. And it creates a record of that thoughtfulness that protects both the consumer and the business — because a well-documented assessment demonstrates that you took the process seriously.
Where to Start
If your business falls within the CTDPA's scope and you haven't completed data protection assessments, here's how to approach it.
Make a list of every way you process Connecticut consumer data that falls into one of the four categories: targeted advertising, data sales, profiling with foreseeable risk of harm, and sensitive data processing. For most businesses, targeted advertising and some form of profiling will be the primary triggers.
For each activity, write an assessment. Document what you're doing, who benefits, what the risks are to consumers, and what safeguards you have in place. Weigh the benefits against the risks. Be honest — the assessment is most valuable when it's genuine, not when it's written to look good. Our data mapping and inventory template is a useful starting point for identifying which of your processing activities trigger the assessment requirement.
Check whether assessments you've done for other jurisdictions can apply. If you've done similar work for Virginia, Colorado, or the GDPR, review Connecticut's specific requirements and see if they overlap. You may be able to adapt rather than start from scratch. Our multi-state profiling assessment package is designed to satisfy multiple state requirements — including Connecticut's — from a single set of documents.
Keep them updated and accessible. If your processing activities change — new tools, new data sources, new purposes — update the relevant assessment. And make sure you can produce them if the Attorney General requests them.
The CTDPA has been in effect for nearly three years. The mandatory cure period is over. If you're in scope and you don't have assessments documented, the best time to start was 2023. The next best time is now.
Sources
- [1] Connecticut Data Privacy Act, full chapter text (Chapter 743jj, §§ 42-515 through 42-526)
- [2] § 42-522, Data Protection Assessments
- [3] § 42-525, Enforcement
- [4] Connecticut Unfair Trade Practices Act (Chapter 735a, § 42-110b)
Disclaimer: This article is for informational purposes only and does not constitute legal advice, legal representation, or an attorney-client relationship. Laws and regulations change frequently. You should consult a licensed attorney to verify that the information in this article is current, complete, and applicable to your specific situation before relying on it. AI Compliance Documents is not a law firm and does not practice law.