Connecticut Data Privacy Law

Connecticut Becomes Fifth State to Enact a Comprehensive Data Privacy Law

On May 10, 2022, Connecticut, following Utah, California, Virginia, and Colorado, became the fifth state to adopt a comprehensive consumer data privacy law.

On May 10, 2022, Connecticut Governor Ned Lamot signed "An Act Concerning Personal Data Privacy and Online Monitoring," also known as the Connecticut Data Privacy Act ("CTDPA"), making Connecticut the fifth state to enact a comprehensive data privacy law. The CTDPA will take effect on July 1, 2023. 

The CTDPA will apply to entities that: (i) conduct business or target consumers in Connecticut; (ii) generate $25 million or more in annual revenue; and (iii) either process or control: (a) the personal data of at least 100,000 Connecticut consumers, or (b) the personal data of at least 25,000 Connecticut consumers and derive at least 25% of their gross revenue from selling personal data. The CTDPA does not apply to individuals acting in a commercial or employment context. 

Under the CTDPA, controllers have obligations to, among other things:  

  • Obtain consumer consent before processing consumers' sensitive data, including biometric and geolocation data;
  • Provide consumers with a right to opt out of the use or processing of their personal data for purposes of: (i) targeted advertising; (ii) the sale of their personal data; and (iii) profiling in furtherance of solely automated decisions with effects concerning the consumer;
  • Comply with requests from consumers to exercise their rights to access, correct, obtain a copy of, confirm whether a controller processes, or delete their personal data; and
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices. 

Additional consumer-friendly provisions in the CTDPA are similar to those under California's laws. Notably, the CTDPA incorporates a broad definition of the "sale of personal data," including the exchange of personal data for both monetary value and "other valuable consideration." The CTDPA also does not require opt-out requests be authenticated. 

The CTDPA does not create a private right of action, and it grants exclusive enforcement authority to the Attorney General. If businesses do not cure violations within 60 days of its notice, the Attorney General can collect statutory damages up to $5,000 per violation, plus actual and punitive damages, and attorneys' fees and costs.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.