Connecticut enacts privacy law: what you need to know

Elena Morin, Director of Marketing
May 13, 2022

Connecticut is the latest state to join California, Virginia, Colorado, and Utah in enacting comprehensive privacy laws which will take effect in 2023.

What’s going on with Connecticut’s new privacy law? 

Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring was passed by the state Senate and House in late April and signed by the Governoron May 10, making Connecticut the 5th U.S. state to enact a comprehensive privacy law after California, Virginia, Colorado and Utah. 

When does the Connecticut law go into effect? 

It will go into effect the same day as Colorado’s privacy law, on July 1, 2023. 

How is it similar to the California, Virginia, Colorado, and Utah privacy laws? 

Like the existing US privacy laws, including the California Consumer Privacy Act (CCPA), it is primarily an opt-out law, with the processing of sensitive data requiring consent. However, the Act borrows an additional requirement from the GDPR to offer a mechanism to revoke consent that is at least as easy as the mechanism to provide it.

For a more comprehensive compare and contrast of the current US state privacy laws, take a look at our always-up-to-date comparison chart

Will Connecticut require opt-outs for targeted advertising?

Yes, it requires data controllers to clearly disclose whether they sell personal data to third parties or process personal data for targeted advertising, and to provide a means for consumers to request the opt out of processing for those purposes. 

How does Connecticut define targeted advertising? 

It defines targeted advertising as displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across non-affiliated Internet web sites or online applications to predict such consumer’s preferences or interests. 

The definition is subject to various exceptions, including advertisements based on activities within a controller’s own Internet web sites or online applications.

Does Connecticut have a provision that requires recognition of global opt-outs? 

Yes. Connecticut joins Colorado as the only state laws to explicitly require the recognition of global opt-outs. Businesses will be required to honor preference signals starting Jan 1, 2025. 

How is the Connecticut privacy law going to impact the advertising industry? 

Connecticut is the latest in a quick succession of recently passed privacy laws, reinforcing the need for comprehensive compliance management. As new laws are adopted, these complexities force companies to choose between adopting separate processes for each jurisdiction or a single process that folds in the requirements of each new law.

How will the Connecticut data privacy law be enforced? What do the penalties look like? 

It will be enforced by the Office of the Attorney General of Connecticut. Violations may result in civil fines of up to $5000 each. Violators must be given notice of violation and a 60-day period to cure until Dec 31, 2024. After that, the right to cure sunsets and the Attorney General has discretion over providing opportunities to cure. 

What types of businesses does Connecticut law apply to?

The law applies to entities that: 

Conduct business in Connecticut or produce products or services targeted to Connecticut residents and that during the preceding calendar year, either:

a. Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions; OR

b. Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data. 

How will Sourcepoint and its clients need to adapt to comply with the Utah law?

Compliance with the Connecticut law should be covered by the same mechanisms as needed for the California laws, namely an explicit method to opt-out such as a link on the website. The law will also require the honoring of global opt-out signals beginning in 2025. 

Additionally, businesses looking to be compliant with the Virginia and Colorado laws will already be thinking about how to ensure that opt-in consent is collected before processing sensitive information. 

The Sourcepoint blog is provided for general, informational purposes only, does not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Meta settles with DOJ re Algorithmic Discrimination

June 27, 2022

The U.S. Department of Justice announced a $115,054 settlement...

UK government responds to data reform consultation

June 20, 2022

The consultation, which ran for 10 weeks ending in...

Ad industry says draft federal privacy legislation falls short

June 13, 2022

Privacy for America, a coalition that includes several ad...

Latest White Papers

Ebook: A Publisher’s Guide to Vendor List Curation

August 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

    First name *

    Last name *

    Email address *

    Company *

    Message *

    * indicates required fields

    This site is registered on as a development site.