# Connecticut Privacy Law (CTDPA) Compliance Guide for Small Businesses

> Connecticut CTDPA has one of the lowest thresholds in the US: 35,000 consumers, no revenue minimum, and a 25% data sale revenue trigger.

_Published 2026-04-07 by Nikolas_

# Connecticut Privacy Law (CTDPA): What Small Businesses Need to Know

The Connecticut Data Privacy Act (CTDPA) took effect July 1, 2023, and applies to any business processing the personal data of **35,000 or more Connecticut consumers** in a calendar year — one of the lowest consumer thresholds of any US state privacy law. There is no annual revenue threshold. A secondary trigger captures businesses processing data of 25,000 or more Connecticut consumers and deriving 25% or more of revenue from data sales — also among the lowest data sale revenue percentages in the country. The Connecticut Attorney General is the sole enforcement authority. Connecticut's combination of low thresholds and no revenue floor makes CTDPA one of the most expansive state privacy laws for mid-size and small e-commerce businesses.

---

## Does CTDPA Apply to My Business?

CTDPA applies to any person that conducts business in Connecticut or produces products or services targeted to Connecticut residents AND meets one of two thresholds:

- Controls or processes personal data of **35,000 or more Connecticut consumers** during a calendar year (excluding personal data processed solely for the purpose of completing a payment transaction), OR
- Controls or processes personal data of **25,000 or more Connecticut consumers** AND derives **more than 25%** of gross revenue from the sale of personal data.

The threshold logic is **OR** — only one needs to be met. Both 35,000 and 25,000 are dramatically lower than the 100,000 used by most state privacy laws. The 25% data sale revenue threshold is also lower than the 50% used by California, Texas, Virginia, and most other states.

| Threshold | Connecticut CTDPA | CCPA/CPRA | Texas TDPSA |
|-----------|-------------------|-----------|-------------|
| Revenue | None | $25M+ | None |
| Consumer count | **35,000** | 100,000 | 100,000 |
| Data sale alternative | 25K + **25%** | 50% revenue share | 25K + 50% |
| Threshold logic | OR | OR | OR |

Connecticut accounts for roughly 1.1% of the US population. On a population-share basis, a national e-commerce store with approximately 3.2 million annual unique US consumers would reach 35,000 Connecticut consumers. Stores with stronger Northeast distribution can reach the threshold at significantly lower volumes. The 25,000 + 25% data sale path catches data-monetization businesses at much lower thresholds than other states.

The Connecticut threshold was originally 100,000 consumers when the law was first enacted, but a 2023 amendment dropped it to 35,000 — bringing CTDPA in line with Delaware, New Hampshire, Maryland, and Rhode Island as the most expansive state privacy laws by scope.

---

## What Does CTDPA Require?

CTDPA grants Connecticut consumers a comprehensive set of data rights and imposes corresponding obligations on covered businesses. The structure follows the Virginia model but with several Connecticut-specific touches.

**Consumer rights you must honor.** Connecticut consumers may access the personal data you hold about them, correct inaccurate data, delete personal data, obtain a copy in a portable format, and opt out of three specific processing activities: targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. You must respond within 45 days, with one possible 45-day extension.

**Disclosures you must publish.** Your privacy notice must list categories of personal data processed, purposes of processing, how consumers can exercise their rights and appeal denials, the categories of data shared with third parties, and the categories of those third parties. Connecticut requires the notice to be reasonably accessible and clear.

**Operational practices you must implement.** Covered businesses must conduct data protection assessments for high-risk processing activities (targeted advertising, sale of personal data, profiling with significant effects, sensitive data processing). You must obtain affirmative opt-in consent before processing sensitive personal data. You must establish reasonable security practices. And critically, you must **honor universal opt-out signals**, including the Global Privacy Control (GPC) browser signal, as a valid opt-out request. This is a technical requirement, not a policy update — your website must detect and respond to GPC automatically.

Connecticut also requires an appeals process for denied rights requests, with a written response within 60 days.

---

## How CTDPA Affects Small Businesses

CTDPA is the law that catches the most mid-size businesses by surprise, because the 35,000 consumer threshold is reachable at much lower traffic and customer volumes than most operators expect. A national Shopify store with 3 million annual unique US visitors will, on a population basis, process data from approximately 33,000 Connecticut consumers — right at the threshold. Stores with East Coast or Northeast traffic concentration can hit 35,000 with significantly fewer total US visitors.

The other CTDPA dynamic worth understanding is the **25% data sale revenue threshold**. The statutory definition of "sale of personal data" is broad: it includes the exchange of personal data for monetary or other valuable consideration. Many businesses inadvertently engage in "sales" under this definition through ad tech partnerships, data sharing for analytics, or affiliate arrangements. If 25% or more of your gross revenue comes from arrangements that meet the legal definition of data sale, even with just 25,000 Connecticut consumers, CTDPA applies.

Connecticut's universal opt-out signal requirement is the third major operational impact. Like California and Colorado, Connecticut requires covered businesses to detect GPC signals from visitor browsers and apply opt-out preferences automatically. This is a technical implementation rather than a copy update — and many businesses do not realize they are out of compliance until an enforcement inquiry surfaces the issue.

For small businesses with national distribution, the practical takeaway is straightforward: Connecticut is more likely to apply to you than California, despite having a much smaller population. Calculate your Connecticut consumer count carefully and assume CTDPA applies if you are anywhere near the threshold.

---

## Key Differences from Other State Privacy Laws

Connecticut CTDPA stands out from most other state privacy laws on three dimensions: threshold, technical opt-out requirements, and amendments since enactment.

Compared to **Virginia VCDPA**, the laws are structurally similar but Connecticut's thresholds are dramatically lower. Virginia uses 100,000 consumers; Connecticut uses 35,000. Virginia uses 50% data sale revenue with 25,000 consumers; Connecticut uses 25% revenue with 25,000 consumers. Both lack revenue thresholds. Both rely on the AG for enforcement. Both have appeals processes and 30-day cure periods (initially — see enforcement section).

Compared to **Texas TDPSA**, Connecticut's threshold is much lower (35,000 vs 100,000), Connecticut requires honoring universal opt-out signals, and Connecticut has no SBA small business exemption. Texas's protection for SBA-defined small businesses does not exist in Connecticut. Connecticut also has a higher per-capita rate of in-scope businesses than Texas because of the lower threshold combined with the dense Northeast e-commerce market.

Compared to **California CCPA/CPRA**, Connecticut grants no private right of action, has no dedicated enforcement agency, and currently requires a cure period before enforcement (with sunset provisions — see below). Connecticut and California both require honoring GPC, which sets them apart from Virginia, Texas, and most other state laws that do not.

The other states with comparably low thresholds are Delaware, New Hampshire, Maryland, and Rhode Island — all 35,000 consumer thresholds with no revenue floor. Connecticut was the first state to drop to this level via amendment.

---

## How to Comply with CTDPA

If CTDPA applies to your business, the following steps establish baseline compliance.

1. **Confirm scope at the lower threshold.** Calculate annual Connecticut consumer count from analytics, customer records, and email lists. Treat 35,000 — not 100,000 — as the trigger. Also evaluate whether 25% or more of gross revenue could be characterized as a "sale of personal data" under the broad statutory definition.
2. **Update your privacy notice.** Disclose categories, purposes, third-party sharing, instructions for exercising rights, and the right to appeal denials. The notice must be reasonably accessible and clearly written.
3. **Implement automatic universal opt-out signal handling.** Your website must detect the Global Privacy Control browser header and apply opt-out preferences automatically for users sending the signal. This is a JavaScript-level technical change — manual opt-outs alone are not sufficient.
4. **Add explicit opt-out mechanisms** for targeted advertising, sale of personal data, and profiling, as a backup to GPC handling.
5. **Build a consumer rights request workflow** with the 45-day response deadline tracked.
6. **Build a denial appeals process** with the 60-day response requirement and the AG complaint referral.
7. **Implement opt-in consent for sensitive data**, including precise geolocation, health, biometric, and other categories enumerated in the statute.
8. **Conduct data protection assessments** for high-risk processing activities. Document purposes, data, risks, and safeguards. Retain for AG review.
9. **Document reasonable security practices** appropriate to the volume and nature of personal data you process.
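
Steps 3 and 4 in code, as an added example that is not part of the original guide: it reads the GPC signal on the server (`Sec-GPC: 1` request header) and in the browser (`navigator.globalPrivacyControl`), merges it with manual opt-outs, and gates third-party tags on the result. The category names, tag inventory, stored-preference shape, and the choice of which opt-outs the signal triggers are assumptions.

```javascript
// Added example. Category names, tag ids and the stored-preference shape are assumptions.
const CATEGORIES = ["targetedAdvertising", "saleOfPersonalData", "profiling"];
// Assumption: which opt-outs the signal triggers; adjust to your legal reading.
const GPC_COVERS = ["targetedAdvertising", "saleOfPersonalData"];

// Server side: the GPC request header is `Sec-GPC: 1`; header names are case-insensitive.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    const first = Array.isArray(value) ? value[0] : value;
    return String(first).trim() === "1"; // any other value is not an opt-out signal
  }
  return false;
}

// Client side: browsers that send the header also expose navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// GPC only ever adds opt-outs; it never clears one the visitor set manually.
function resolveOptOuts(gpc, stored = {}) {
  const out = { gpcApplied: gpc === true };
  for (const c of CATEGORIES) {
    out[c] = stored[c] === true || (out.gpcApplied && GPC_COVERS.includes(c));
  }
  return out;
}

// Hypothetical tag inventory: each third-party tag is bound to the purpose it serves.
const TAGS = [
  { id: "ads-pixel", purpose: "targetedAdvertising" },
  { id: "data-partner-sync", purpose: "saleOfPersonalData" },
  { id: "recs-model", purpose: "profiling" },
  { id: "site-search", purpose: null }, // strictly functional, never gated
];

// Decide before rendering which tags may load, so an opted-out visitor never fires them.
function allowedTags(optOuts, tags = TAGS) {
  return tags.filter((t) => t.purpose === null || !optOuts[t.purpose]).map((t) => t.id);
}

// Constructed request: GPC header present, plus an earlier manual profiling opt-out.
const demo = resolveOptOuts(gpcFromHeaders({ "Sec-GPC": "1" }), { profiling: true });
console.log(demo, allowedTags(demo));
```

If the server renders different markup depending on the signal, include `Sec-GPC` in the response's `Vary` header so a shared cache does not serve the tracked variant to an opted-out visitor.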

---

## CTDPA Enforcement and Penalties

The Connecticut Attorney General has exclusive enforcement authority for CTDPA. There is no private right of action — Connecticut consumers cannot sue businesses directly. The AG may seek civil penalties under Connecticut's existing unfair trade practices act, which provides for civil penalties of **up to $5,000 per willful violation**.

The original CTDPA included a 60-day cure period before enforcement, which the AG was required to provide before bringing an action. **That mandatory cure period sunset on December 31, 2024**. Since January 1, 2025, the AG has discretion to grant a cure opportunity but is not required to. Businesses can no longer rely on a guaranteed second chance.

The Connecticut AG has been actively enforcing since 2024, with a particular focus on universal opt-out signal handling and the appeals process. Businesses that fail to honor GPC have been a primary enforcement target — Connecticut, along with California and Colorado, has made GPC compliance a stated priority.

---

## Frequently Asked Questions

### What is Connecticut's CTDPA consumer threshold?

35,000 Connecticut consumers annually — significantly lower than most state privacy laws, which use 100,000. There is no revenue threshold under either of CTDPA's two qualifying paths. The data sale revenue threshold is 25% (lower than the 50% used by most other states) when combined with 25,000+ Connecticut consumers.

### When did Connecticut CTDPA take effect?

Connecticut CTDPA took effect July 1, 2023. The mandatory 60-day cure period sunset on December 31, 2024, so since January 1, 2025, the Connecticut Attorney General has discretion to grant cure opportunities but is not required to.

### Does CTDPA require honoring the Global Privacy Control signal?

Yes. CTDPA requires covered businesses to honor universal opt-out mechanisms, including the Global Privacy Control browser signal. This is a technical requirement: your website must detect the GPC header and apply opt-out preferences automatically. Manual opt-outs alone are not sufficient.

### What rights does CTDPA give Connecticut consumers?

Connecticut consumers may access their personal data, correct inaccurate data, delete personal data, obtain a copy in a portable format, and opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. Consumers also have the right to appeal denied rights requests.

### What are the penalties for CTDPA violations?

CTDPA violations are enforced under the Connecticut Unfair Trade Practices Act, with civil penalties of up to $5,000 per willful violation. There is no private right of action. The mandatory cure period sunset at the end of 2024.

### Is CTDPA more expansive than CCPA?

In some ways, yes. CTDPA's 35,000 consumer threshold is dramatically lower than California's 100,000, and CTDPA has no revenue threshold. This means CTDPA can apply to mid-size businesses that fall well below California's reach. However, CCPA grants more consumer rights and includes a private right of action for breaches, which CTDPA does not.

---

*This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.*

