RatedWithAI

RatedWithAI

Accessibility scanner

Privacy LawJuly 13, 2026

Connecticut Data Privacy Act (CTDPA) AI Compliance 2026: What Businesses Must Do

CTDPA was the first state privacy law to add specific, named AI profiling protections after its 2023 amendment. If your product scores, ranks, or makes automated decisions about Connecticut consumers, here's what you're required to build and disclose.

100,000
CT consumers processed triggers CTDPA — or 25,000 with 25%+ revenue from data sales
Dec 2024
General cure period expired — most AI profiling violations get no notice before enforcement
GPC
Global Privacy Control signals must be honored as valid universal opt-out requests

Does CTDPA Apply to Your AI Product?

CTDPA applies to persons that conduct business in Connecticut or produce products/services targeted to Connecticut residents, and that during the calendar year:

  • Controlled or processed the personal data of 100,000 or more Connecticut consumers, excluding data controlled solely for completing a payment transaction, OR
  • Controlled or processed personal data of 25,000 or more consumers and derived more than 25% of gross revenue from the sale of personal data

Unlike CCPA, CTDPA has no revenue-only threshold — small AI startups with a large free-tier user base can trip the 100,000-consumer count well before they have meaningful revenue. Nonprofits and higher-education institutions are exempt; most for-profit AI SaaS is not.

The AI Profiling Opt-Out Requirement

CTDPA gives consumers the right to opt out of profiling in furtherance of decisions that produce a legal or similarly significant effect — defined to include decisions about:

Access to credit or financial services
Employment opportunities and terms
Housing eligibility or terms
Healthcare services access
Insurance underwriting, pricing, or claims
Access to basic necessities (food, water, utilities)
Criminal justice-related outcomes
Access to education enrollment or opportunity

If your AI system does any scoring, ranking, filtering, or recommendation that touches one of these categories, you must offer a clear opt-out mechanism, and you must honor browser-level universal opt-out signals like Global Privacy Control — you cannot require a manual, per-site opt-out only.

CTDPA Compliance Checklist for AI Companies

1. Threshold and Applicability
  • Count Connecticut consumers in your user base against the 100,000 threshold
  • Calculate whether you cross 25,000 consumers + 25% revenue from data sales
  • Confirm whether any nonprofit or higher-ed exemption applies to your entity
2. Profiling Opt-Out Infrastructure
  • Identify every AI decision producing legal or similarly significant effects
  • Build a clear, conspicuous opt-out link for profiling used in those decisions
  • Implement Global Privacy Control (GPC) signal detection and honor it automatically
  • Process opt-out requests within 15 business days, with 45 days for verified consumer requests generally
3. Data Protection Assessments (DPAs)
  • Conduct a DPA before deploying any profiling with reasonably foreseeable risk of unfair/deceptive treatment, disparate impact, or injury
  • Document the assessment: purpose, categories of data, safeguards, and benefits vs. risks
  • Retain DPAs — the Attorney General can compel disclosure during an investigation
  • Reassess when the nature of processing materially changes (e.g., new model, new data sources)
4. Sensitive Data and Minors
  • Obtain opt-in consent before processing sensitive data (health, biometric, precise geolocation, etc.) through AI systems
  • Apply heightened consent standards for known minors under 18 in targeted advertising and sale contexts
  • Do not use dark patterns to obtain consent — CTDPA explicitly voids consent obtained that way
5. Vendor and Processor Contracts
  • Ensure AI API vendors are bound by a data processing agreement meeting CTDPA processor obligations
  • Restrict AI vendors from using your users' data for unrelated purposes, including model training, absent consent
  • Confirm subprocessor flow-down obligations are documented

Enforcement: Why the Cure Period Change Matters

Connecticut's original 60-day cure period — the window a business had to fix a violation before facing enforcement — expired for most violations on December 31, 2024. A narrower cure right survives through 2026, but only for notice-and-opt-out failures tied to the sale of data and targeted advertising.

That means AI profiling violations — the opt-out and DPA requirements covered above — generally fall outside the surviving cure right. The Connecticut Attorney General can pursue enforcement without giving your company a chance to fix the problem first, with penalties up to $5,000 per willful violation under the state's UDAP framework.

Frequently Asked Questions

How is CTDPA different from CCPA for AI companies?

CTDPA has no minimum-revenue threshold, so smaller AI companies with large free-tier user bases can be covered even at low revenue. CTDPA also requires mandatory Data Protection Assessments for profiling that presents heightened risk, is more explicit about honoring Global Privacy Control as a universal opt-out, and (after Dec 2024) has a narrower cure period than CCPA-style laws, making early compliance more important.

Do we need consent or just an opt-out for AI profiling under CTDPA?

For most AI profiling producing legal or similarly significant effects, CTDPA uses an opt-out model — consumers must be given the ability to say no, but you don't need affirmative opt-in consent up front. The exception is sensitive data (health, biometric, geolocation, etc.): processing sensitive data through AI systems requires opt-in consent, not just an opt-out.

We're a small AI startup — do we really need a formal Data Protection Assessment?

If your AI processing meets the 100,000/25,000-consumer thresholds and involves profiling with foreseeable risk of unfair treatment, disparate impact, or harm, yes — size of the company doesn't exempt you once you cross the consumer thresholds. A DPA doesn't need outside counsel; it needs a documented internal analysis of purpose, data categories, safeguards, and risk versus benefit that you can produce if the Attorney General asks.

Treat CTDPA as the Compliance Floor, Not the Ceiling

If you already built CCPA or Virginia VCDPA compliance infrastructure, most of the CTDPA pieces — opt-out mechanisms, sensitive data consent, processor contracts — will already be in place. The gap most AI companies miss is the mandatory Data Protection Assessment and Global Privacy Control support.

Build the profiling opt-out and GPC support once, apply it to every state that requires it, and document your DPA process so it's ready before the Attorney General asks for it — not after.