Growth Marketing Glossary

CTDPA (Connecticut Data Privacy Act)

C·T·D·P·Anoun (law)

Connecticut's entry in the state privacy wave — the familiar rights, plus opt-in sensitive-data rules and universal opt-out signals with teeth.

Connecticutaccess · correct · deleteopt out of targeted ads + saleopt-in for sensitive datathe fifth state privacy law, effective July 1, 2023
Schematic — Connecticut's consumer privacy rights
Term
CTDPA (Connecticut Data Privacy Act)
Is
Connecticut Data Privacy Act
Signed
May 10, 2022; effective July 1, 2023
Notable
Opt-in for sensitive data; GPC honored

Forms & parts of speech

CTDPA · noun
Connecticut's privacy law.
"Under the CTDPA, precise location is sensitive data - opt-in before collection, not opt-out after."

Definition in plain terms

The CTDPA — Connecticut Data Privacy Act — is Connecticut's comprehensive consumer privacy law, signed May 10, 2022 and effective July 1, 2023, making Connecticut the fifth US state with a full privacy regime (after California, Virginia, Colorado, and Utah). It follows the Virginia-style template — rights to access, correct, delete, and port data, plus opt-outs from targeted advertising, sale, and significant profiling — with a few notably consumer-friendly settings, including opt-in consent for sensitive data and mandatory recognition of universal opt-out signals.

The mechanics

The law applies to businesses over processing thresholds serving Connecticut residents, with the state Attorney General holding exclusive enforcement (no private lawsuits) and an initial cure-period runway that ended after 2024. The marketing-relevant provisions cluster in three places. Targeted advertising: consumers can opt out of cross-context behavioral advertising, and — like Colorado, unlike weaker templates — the CTDPA requires honoring universal opt-out preference signals such as Global Privacy Control, so the browser-level signal must actually gate the pixels. Sensitive data: precise geolocation, health, race, religion, sexual orientation, and children's data require opt-in consent BEFORE processing — a consent posture stricter than the CCPA's default — which catches location-based targeting and health-adjacent audience segments many marketers forget they run. Dark patterns: consent obtained through manipulative interface design is invalid by statute. Connecticut has since amended the law to expand its scope and tighten obligations (changes phasing in from 2026), part of the state-by-state drift toward stricter defaults. For multistate marketers the CTDPA mostly reinforces the compliance architecture the CCPA/CPRA already demanded — working opt-outs wired to the tag manager, GPC honored, consent provenance recorded — with the sensitive-data opt-in as the provision that most often requires net-new work.

When it matters

The CTDPA matters to any business over thresholds marketing to Connecticut residents — practically, to every national program, which is why teams build to the strictest common denominator rather than per-state spaghetti. It matters most where sensitive data hides in plain sight: location-based audiences, health and wellness segments, and any personalization touching protected categories now need opt-in rails for Connecticut traffic. The discipline is the familiar one — privacy as engineered data flow — plus a sensitive-data inventory most stacks have never run. (General information, not legal advice.)

Worked example. A national wellness-app brand audits its ad stack against the CTDPA and finds the usual suspects compliant - opt-out link works, GPC gates the tags - but one audience betrays it: a 'near-gym' geofenced segment built on precise location, processed on opt-out logic. Under Connecticut's rules precise geolocation is sensitive data requiring opt-in consent before collection, and the segment also brushes health inference. The fix runs deeper than a banner: location collection moves behind an explicit in-app opt-in with plain-language purpose, Connecticut traffic without that consent is excluded from the segment at the data layer, and the audience taxonomy gains a sensitive-data flag so future segments declare themselves at creation. The campaign's reach dips 8% in one state; the consent-backed segment that remains converts better - and the brand's sensitive-data inventory, run for the first time, finds two more segments to fix before a regulator does.
Failure modes to watch. Treating sensitive data on opt-out logic when the CTDPA demands prior opt-in; geofenced and health-adjacent segments nobody inventoried as sensitive; ignoring universal opt-out signals the law explicitly requires honoring; consent flows whose dark patterns void the consent they collect; and per-state compliance spaghetti where strictest-common-denominator architecture was cheaper.

Synonyms & antonyms

Synonyms

CTDPAConnecticut Data Privacy ActConnecticut privacy law

Antonyms

CCPA (California's regime)unregulated processing

Origin & history

Connecticut's Senate Bill 6 was signed by Governor Ned Lamont on May 10, 2022, making the CTDPA the fifth comprehensive state privacy law and part of the Virginia-template wave that followed California's lead; it took effect July 1, 2023, and subsequent amendments (phasing in from 2026) have expanded its scope as states ratchet the template stricter.

Etymology: source.

Usage trends

Search interest for this term over the last five years:

View interest-over-time on Google Trends →

Common questions

What is the CTDPA?
The Connecticut Data Privacy Act — signed May 10, 2022, effective July 1, 2023 — the fifth state comprehensive privacy law, granting access, correction, deletion, portability, and opt-out rights, enforced by the state AG.
What makes the CTDPA stricter than some state laws?
Opt-in consent required before processing sensitive data (including precise geolocation), mandatory honoring of universal opt-out signals like GPC, and statutory invalidation of dark-pattern consent.
What should marketers do about the CTDPA?
Build to the strictest common denominator — working opt-outs wired to tags, GPC honored — and run the sensitive-data inventory: location, health-adjacent, and protected-category segments need opt-in rails.

Related tools & calculators

Resources & people to follow

Curated, non-competitor resources verified per term.

Related training

Disciplines

Areas of marketing where ctdpa is a core concern:

Sources

  1. trendsGoogle Trends — "state privacy law"