Connecticut CTDPA

United States

18 domains

33 controls

Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq., effective 1 Jul 2023) plus PA 23-56 consumer health data amendments.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (18)

AI Governance

1 controls

Controls in the AI Governance domain of Connecticut CTDPA — 1 controls
Code	Title	Description
CTDPA-AI-PROFILING	Profiling and Automated Decision-Making Governance	Profiling that produces legal/significant effects requires opt-out right, DPA, and (for under 16) consent. 'Solely autom...

Accountability

1 controls

Controls in the Accountability domain of Connecticut CTDPA — 1 controls
Code	Title	Description
CTDPA-RECORDKEEPING	Recordkeeping and Audit Trail	Although CTDPA does not specify retention period for compliance records, controllers should maintain DPAs, consent recor...

Children's Data

1 controls

Controls in the Children's Data domain of Connecticut CTDPA — 1 controls
Code	Title	Description
CTDPA-42-520-CHILDREN	Children's Data: Under 13 and Under 16	Under 13: COPPA-compliant parental consent required. Under 16 (distinct CTDPA provision): controllers must not process p...

Consent

1 controls

Controls in the Consent domain of Connecticut CTDPA — 1 controls
Code	Title	Description
CTDPA-42-520-CONSENTREVOKE	Consent Revocation	Consent must be as easy to revoke as to give. Upon revocation, controller must stop processing within 15 days.

Consumer Health Data

2 controls

Controls in the Consumer Health Data domain of Connecticut CTDPA — 2 controls
Code	Title	Description
CTDPA-42-525-CHD	Consumer Health Data (PA 23-56 Amendment)	PA 23-56 added consumer health data provisions effective 1 Oct 2023. Lower applicability threshold (no 100K/25K threshol...
CTDPA-42-525-GEOFENCE	Geofencing Prohibition Around Healthcare Facilities	PA 23-56 prohibits use of geofence (1750-foot radius) around mental health facility or reproductive/sexual health facili...

Consumer Rights

9 controls

Controls in the Consumer Rights domain of Connecticut CTDPA — 9 controls
Code	Title	Description
CTDPA-42-517	Consumer Rights Overview	Consumers have rights to access, correct, delete, port (in usable format), and opt out of sale, targeted advertising, an...
CTDPA-42-518-ACCESS	Right to Access and Confirm Processing	Consumers may confirm whether a controller is processing their personal data and access such data, unless confirmation/a...
CTDPA-42-518-AUTHAGENT	Authorized Agents	Consumers may use an authorized agent to exercise opt-out rights (sale, targeted advertising, profiling). UOOM may serve...
CTDPA-42-518-CORRECT	Right to Correct	Consumers may correct inaccuracies in personal data, taking into account the nature of the data and purposes of processi...
CTDPA-42-518-DELETE	Right to Delete	Consumers may delete personal data provided by or obtained about the consumer (broader than CCPA in covering data obtain...
CTDPA-42-518-OPTOUT	Right to Opt Out of Sale, Targeted Advertising, Profiling	Consumers may opt out of (i) sale of personal data, (ii) targeted advertising, and (iii) profiling in furtherance of sol...
CTDPA-42-518-PORT	Right to Data Portability	Consumers may obtain a copy of personal data previously provided to the controller in a portable and readily usable form...
CTDPA-42-518-RESPONSE	Response Timeline and Appeal Process	Controllers must respond to rights requests within 45 days (one 45-day extension allowed). Must provide free appeal proc...
CTDPA-42-518-UOOM	Universal Opt-Out Mechanism (UOOM) Requirement	Effective 1 Jan 2025, controllers must recognise universal opt-out mechanisms (e.g., Global Privacy Control browser sign...

Controller Duties

2 controls

Controls in the Controller Duties domain of Connecticut CTDPA — 2 controls
Code	Title	Description
CTDPA-42-520-NONDISCRIM	Non-Discrimination	Controllers must not process personal data in violation of state/federal anti-discrimination laws, nor discriminate agai...
CTDPA-42-520-PURPLIMIT	Purpose Specification and Data Minimization	Controllers must limit collection of personal data to what is adequate, relevant and reasonably necessary for the disclo...

Data Treatment

1 controls

Controls in the Data Treatment domain of Connecticut CTDPA — 1 controls
Code	Title	Description
CTDPA-42-521-DEIDENT	Deidentified and Pseudonymous Data	Deidentified data exempt from rights if controller (i) takes reasonable measures to prevent reidentification, (ii) publi...

Enforcement

3 controls

Controls in the Enforcement domain of Connecticut CTDPA — 3 controls
Code	Title	Description
CTDPA-42-524-AGENFORCE	Exclusive AG Enforcement	Connecticut Attorney General has exclusive enforcement authority. No private right of action. Violations enforced under...
CTDPA-42-524-CURE	60-Day Cure Period (Sunset 31 Dec 2024)	AG had to provide 60-day cure notice before enforcement, but this cure period sunset on 31 December 2024. As of 1 Januar...
CTDPA-AG-REPORT-2024	CT AG First Enforcement Report Lessons	CT AG's February 2024 enforcement report highlighted common violations: inadequate privacy notices, missing sensitive da...

Incident Response

1 controls

Controls in the Incident Response domain of Connecticut CTDPA — 1 controls
Code	Title	Description
CTDPA-BREACH-INTERPLAY	Interplay with CT Breach Notification Law	CTDPA does not impose new breach notification duties. CT data breach law (Conn. Gen. Stat. Sec. 36a-701b) continues to a...

Multistate Compliance

1 controls

Controls in the Multistate Compliance domain of Connecticut CTDPA — 1 controls
Code	Title	Description
CTDPA-CROSS-CCPA	Interoperability with CCPA/VCDPA/CPA	CTDPA largely tracks VCDPA/CPA model. Single multistate privacy program is feasible with state-specific overlays for: UO...

Processor Governance

1 controls

Controls in the Processor Governance domain of Connecticut CTDPA — 1 controls
Code	Title	Description
CTDPA-42-521-PROCESSOR	Processor Obligations and Contracts	Processors must assist controllers in meeting obligations (security, breach notification, DPAs, rights requests). Contra...

Program Governance

1 controls

Controls in the Program Governance domain of Connecticut CTDPA — 1 controls
Code	Title	Description
CTDPA-TRAINING	Workforce Training and Awareness	While not explicitly mandated, reasonable security and accountability principles imply staff handling personal data must...

Risk Assessment

1 controls

Controls in the Risk Assessment domain of Connecticut CTDPA — 1 controls
Code	Title	Description
CTDPA-42-520-DPA	Data Protection Assessments (DPAs)	Controllers must conduct DPAs for processing presenting heightened risk: targeted advertising, sale, sensitive data proc...

Scope

3 controls

Controls in the Scope domain of Connecticut CTDPA — 3 controls
Code	Title	Description
CTDPA-42-515	Definitions and Scope	CTDPA defines controller, processor, consumer, sale, sensitive data, targeted advertising, profiling. Consumer means a C...
CTDPA-42-516	Applicability Thresholds	Applies to controllers that conduct business in CT or target CT residents and either (a) process personal data of 100,00...
CTDPA-42-516-EXEMPT	Entity and Data Exemptions	Exempts state entities, nonprofits, higher education, financial institutions/data under GLBA, covered entities/business...

Security

1 controls

Controls in the Security domain of Connecticut CTDPA — 1 controls
Code	Title	Description
CTDPA-42-520-SECURITY	Reasonable Security Practices	Controllers must establish, implement and maintain reasonable administrative, technical and physical data security pract...

Sensitive Data

1 controls

Controls in the Sensitive Data domain of Connecticut CTDPA — 1 controls
Code	Title	Description
CTDPA-42-520-SENSITIVE	Sensitive Data Opt-In Consent	Controllers must not process sensitive data without obtaining the consumer's prior opt-in consent (or for children under...

Transparency

2 controls

Controls in the Transparency domain of Connecticut CTDPA — 2 controls
Code	Title	Description
CTDPA-42-520-PRIVNOTICE	Privacy Notice Requirements	Controllers must provide a reasonably accessible, clear and meaningful privacy notice stating: categories of personal da...
CTDPA-42-520-SALEDISC	Sale and Targeted Ad Disclosure	If controller sells personal data or processes for targeted advertising, the privacy notice must clearly and conspicuous...

Frequently Asked Questions

What is Connecticut CTDPA?

Connecticut CTDPA is a compliance framework from United States with 18 domains and 33 controls. Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq., effective 1 Jul 2023) plus PA 23-56 consumer health data amendments. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Connecticut CTDPA have?

Connecticut CTDPA has 33 controls organised across 18 domains. The largest domains are Consumer Rights (9 controls), Enforcement (3 controls), Scope (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Connecticut CTDPA map to?

Connecticut CTDPA does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with Connecticut CTDPA compliance?

Start your Connecticut CTDPA compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Connecticut CTDPA requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 33 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required