CTDPA (Connecticut Data Privacy Act)
Connecticut's entry in the state privacy wave — the familiar rights, plus opt-in sensitive-data rules and universal opt-out signals with teeth.
- Term
- CTDPA (Connecticut Data Privacy Act)
- Is
- Connecticut Data Privacy Act
- Signed
- May 10, 2022; effective July 1, 2023
- Notable
- Opt-in for sensitive data; GPC honored
Forms & parts of speech
Definition in plain terms
The CTDPA — Connecticut Data Privacy Act — is Connecticut's comprehensive consumer privacy law, signed May 10, 2022 and effective July 1, 2023, making Connecticut the fifth US state with a full privacy regime (after California, Virginia, Colorado, and Utah). It follows the Virginia-style template — rights to access, correct, delete, and port data, plus opt-outs from targeted advertising, sale, and significant profiling — with a few notably consumer-friendly settings, including opt-in consent for sensitive data and mandatory recognition of universal opt-out signals.
The mechanics
The law applies to businesses over processing thresholds serving Connecticut residents, with the state Attorney General holding exclusive enforcement (no private lawsuits) and an initial cure-period runway that ended after 2024. The marketing-relevant provisions cluster in three places. Targeted advertising: consumers can opt out of cross-context behavioral advertising, and — like Colorado, unlike weaker templates — the CTDPA requires honoring universal opt-out preference signals such as Global Privacy Control, so the browser-level signal must actually gate the pixels. Sensitive data: precise geolocation, health, race, religion, sexual orientation, and children's data require opt-in consent BEFORE processing — a consent posture stricter than the CCPA's default — which catches location-based targeting and health-adjacent audience segments many marketers forget they run. Dark patterns: consent obtained through manipulative interface design is invalid by statute. Connecticut has since amended the law to expand its scope and tighten obligations (changes phasing in from 2026), part of the state-by-state drift toward stricter defaults. For multistate marketers the CTDPA mostly reinforces the compliance architecture the CCPA/CPRA already demanded — working opt-outs wired to the tag manager, GPC honored, consent provenance recorded — with the sensitive-data opt-in as the provision that most often requires net-new work.
When it matters
The CTDPA matters to any business over thresholds marketing to Connecticut residents — practically, to every national program, which is why teams build to the strictest common denominator rather than per-state spaghetti. It matters most where sensitive data hides in plain sight: location-based audiences, health and wellness segments, and any personalization touching protected categories now need opt-in rails for Connecticut traffic. The discipline is the familiar one — privacy as engineered data flow — plus a sensitive-data inventory most stacks have never run. (General information, not legal advice.)
Synonyms & antonyms
Synonyms
Antonyms
Origin & history
Connecticut's Senate Bill 6 was signed by Governor Ned Lamont on May 10, 2022, making the CTDPA the fifth comprehensive state privacy law and part of the Virginia-template wave that followed California's lead; it took effect July 1, 2023, and subsequent amendments (phasing in from 2026) have expanded its scope as states ratchet the template stricter.
Etymology: source.
Usage trends
Search interest for this term over the last five years:
Common questions
- What is the CTDPA?
- The Connecticut Data Privacy Act — signed May 10, 2022, effective July 1, 2023 — the fifth state comprehensive privacy law, granting access, correction, deletion, portability, and opt-out rights, enforced by the state AG.
- What makes the CTDPA stricter than some state laws?
- Opt-in consent required before processing sensitive data (including precise geolocation), mandatory honoring of universal opt-out signals like GPC, and statutory invalidation of dark-pattern consent.
- What should marketers do about the CTDPA?
- Build to the strictest common denominator — working opt-outs wired to tags, GPC honored — and run the sensitive-data inventory: location, health-adjacent, and protected-category segments need opt-in rails.
Related tools & calculators
- toolCAC calculator
- toolLTV:CAC calculator
Resources & people to follow
- referenceConnecticut AG — the CTDPA
- referenceOsano — CTDPA overview
- referenceRGM analysis — run the sensitive-data inventory; geofences and wellness segments are sensitive data hiding in plain sight
Curated, non-competitor resources verified per term.
Related training
- modulePerformance marketing
Disciplines
Areas of marketing where ctdpa is a core concern: