Connecticut’s Privacy Law: Does It Apply to Your Business?

By Phillip Walters/ Published on November 10, 2022

As 2023 approaches and a new round of data privacy laws are slated to take effect, business leaders are scrambling to determine which laws apply to their companies and how to juggle multi-state compliance. The Connecticut Data Privacy Act (CDPA) is one of those laws, going into effect on July 1, 2023.

To anyone familiar with Virginia’s Consumer Data Protection Act, the criteria for determining whether the CDPA applies should look familiar as they are more or less identical. Here’s a quick rundown on how to figure out if the Connecticut Data Privacy Act applies to your business.

The CDPA’s Criteria

As with the Virginia privacy law, most of the CDPA’s rules apply to “controllers”—i.e., for-profit businesses that “determine the purpose and means of processing personal data.” 

Basically, if it’s your website (or store), you are the controller of any data that is processed in connection with that site.

Any controller that has a physical presence in Connecticut, or sells its products or services online to state residents, must comply with the CDPA if at least one of the following applies:

  1. Control the personal data of at least 100,000 state residents in a calendar year, OR
  2. Control the personal data of at least 25,000 state residents in a calendar year AND derive more than 25% of gross annual revenue from the sale of personal data

For most businesses, it will be the 100,000-consumer threshold that applies to them. If your business has a website, it is controlling the personal data (e.g., IP addresses, cookies, etc.) of each one of its visitors. If you are getting just 8,400 unique visitors from Connecticut per month, that puts you over the 100,000 mark.


The CTDPA also contains a number of exemptions at the entity level, and for specific types of personal data. These exemptions include: 

  • Nonprofit organizations
  • Government agencies
  • Financial institutions
  • Institutions of higher education
  • Data regulated by the Health Insurance Portability and Accountability Act (HIPAA)
  • Data regulated by the Fair Credit Reporting Act (FCRA)

Multi-State Compliance Made Simple

Navigating the complexities of multiple privacy laws at once can be difficult for any business, but it’s even harder for businesses that don’t have in-house privacy experts or legal departments. TrueVault US simplifies multi-state privacy compliance, allowing businesses of any size to handle it on their own.

Designed by attorneys, TrueVault US is an all-in-one privacy software that helps you get your business fully compliant with laws like the CDPA and California’s CCPA even if you’re starting from scratch. From onboarding vendors to processing privacy requests, TrueVault provides guidance at every step.

Contact our team to learn more and view a demo.

Latest Posts

Should Utah's Privacy Law Be on Your Radar?

A Cookie Banner Isn't Enough for CCPA Compliance

Why CCPA Compliance Matters to HR

Mailing List