Connecticut Data Privacy Act Privacy Notice
CONNECTICUT DATA PRIVACY ACT (CTDPA) PRIVACY NOTICE
Effective Date: [DATE]
Last Updated: [DATE]
NOTICE TO CONNECTICUT RESIDENTS
This Privacy Notice is provided pursuant to the Connecticut Data Privacy Act, codified at Connecticut General Statutes Section 42-515 et seq., as amended by SB 1295 (effective July 1, 2026).
1. SCOPE AND APPLICABILITY
1.1 Who This Notice Applies To
This Notice applies to Connecticut residents acting in an individual or household context ("consumers"). It does not apply to individuals acting in a commercial or employment context.
1.2 Applicability Thresholds
Pursuant to Conn. Gen. Stat. Section 42-516, this Notice applies because [COMPANY NAME] meets one or more of the following thresholds:
Prior to July 1, 2026:
☐ During the preceding calendar year, controlled or processed personal data of at least 100,000 Connecticut consumers (excluding data processed solely for payment transactions)
☐ Controlled or processed personal data of at least 25,000 Connecticut consumers AND derived more than 25% of gross revenue from the sale of personal data
Effective July 1, 2026 (SB 1295 Amendments):
☐ Controls or processes personal data of at least 35,000 Connecticut consumers
☐ Controls or processes consumers' sensitive data (excluding data processed solely for payment transactions)
☐ Offers consumers' personal data for sale in trade or commerce
1.3 Exemptions
Pursuant to Conn. Gen. Stat. Section 42-516, the following are exempt:
- State and local government bodies
- Nonprofit organizations
- Higher education institutions
- National securities associations registered under the Securities Exchange Act
- Financial institutions subject to GLBA
- Covered entities and business associates under HIPAA
- Data regulated by specific federal laws (GLBA, HIPAA, FCRA, FERPA, COPPA, DPPA)
2. DEFINITIONS
Pursuant to Conn. Gen. Stat. Section 42-515:
"Personal Data" means any information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data and publicly available information.
"Sensitive Data" includes:
- Personal data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sex life
- Sexual orientation
- Citizenship or immigration status
- Status as transgender or nonbinary
- Genetic or biometric data for identification purposes
- Personal data collected from a known child
- Precise geolocation data
"Sale" means the exchange of personal data for monetary or other valuable consideration.
"Targeted Advertising" means displaying advertisements based on personal data obtained from consumer's activities over time and across nonaffiliated websites/applications.
"Profiling" means any form of automated processing to evaluate, analyze, or predict aspects concerning a natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
3. CATEGORIES OF PERSONAL DATA PROCESSED
Pursuant to Conn. Gen. Stat. Section 42-520(a)(1), we process the following categories of personal data:
3.1 General Personal Data
| Category | Examples | Collected | Purpose |
|---|---|---|---|
| Identifiers | Name, email, phone number, account ID | ☐ Yes ☐ No | [PURPOSE] |
| Contact Information | Postal address, email, phone | ☐ Yes ☐ No | [PURPOSE] |
| Demographic Information | Age, gender, language preferences | ☐ Yes ☐ No | [PURPOSE] |
| Commercial Information | Purchase history, transaction records | ☐ Yes ☐ No | [PURPOSE] |
| Internet Activity | Browsing history, search history, website interactions | ☐ Yes ☐ No | [PURPOSE] |
| Geolocation Data | General location information | ☐ Yes ☐ No | [PURPOSE] |
| Professional Information | Employment, job title, work history | ☐ Yes ☐ No | [PURPOSE] |
| Education Information | Educational background | ☐ Yes ☐ No | [PURPOSE] |
| Inferences | Preferences, characteristics, behaviors | ☐ Yes ☐ No | [PURPOSE] |
3.2 Sensitive Data
Pursuant to Conn. Gen. Stat. Section 42-520(a)(4), we collect sensitive data only with your consent:
| Sensitive Category | Collected | Consent Obtained | Purpose |
|---|---|---|---|
| Racial or ethnic origin | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Religious beliefs | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Mental or physical health condition | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Sex life | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Sexual orientation | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Citizenship or immigration status | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Transgender or nonbinary status | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Genetic data | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Biometric data | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Data from known child | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Precise geolocation data | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
4. PURPOSES OF PROCESSING
Pursuant to Conn. Gen. Stat. Section 42-520(a)(2), we process personal data for:
☐ Providing and maintaining our services
☐ Processing transactions and orders
☐ Communicating with you about your account
☐ Customer support and inquiries
☐ Security and fraud prevention
☐ Legal compliance
☐ Research and analytics
☐ Marketing and promotional communications
☐ Personalization of services
☐ Targeted advertising (subject to opt-out)
☐ [ADDITIONAL PURPOSES]
5. ARTIFICIAL INTELLIGENCE AND LARGE LANGUAGE MODELS (SB 1295 - EFFECTIVE JULY 1, 2026)
5.1 AI Training Disclosure
Pursuant to SB 1295 (effective July 1, 2026), we disclose the following regarding the use of personal data for AI training:
☐ We collect, use, or sell personal data for training large language models or artificial intelligence systems
☐ We do NOT collect, use, or sell personal data for training large language models or artificial intelligence systems
5.2 AI Training Details (if applicable)
| AI/LLM Purpose | Categories of Data Used | Third Parties Involved |
|---|---|---|
| [PURPOSE] | [CATEGORIES] | [PARTIES] |
6. SALE OF PERSONAL DATA AND TARGETED ADVERTISING
6.1 Sale of Personal Data
Pursuant to Conn. Gen. Stat. Section 42-518(a)(5):
☐ We sell personal data
☐ We do not sell personal data
Categories of Data Sold:
| Category | Third Party Recipients | Purpose |
|---|---|---|
| [CATEGORY] | [RECIPIENTS] | [PURPOSE] |
6.2 Targeted Advertising
Pursuant to Conn. Gen. Stat. Section 42-518(a)(4):
☐ We process personal data for targeted advertising
☐ We do not process personal data for targeted advertising
6.3 Profiling
Pursuant to Conn. Gen. Stat. Section 42-518(a)(6):
☐ We engage in profiling that produces legal or similarly significant effects
☐ We do not engage in such profiling
7. THIRD-PARTY DISCLOSURES
Pursuant to Conn. Gen. Stat. Section 42-520(a)(3-4), we share personal data with:
| Third Party Category | Categories of Data | Purpose |
|---|---|---|
| Service Providers | [CATEGORIES] | Processing on our behalf |
| Business Partners | [CATEGORIES] | [PURPOSE] |
| Advertising Partners | [CATEGORIES] | Targeted advertising |
| Analytics Providers | [CATEGORIES] | Analytics services |
| Payment Processors | [CATEGORIES] | Transaction processing |
| Government Entities | [CATEGORIES] | Legal compliance |
8. YOUR CONNECTICUT PRIVACY RIGHTS
Pursuant to Conn. Gen. Stat. Section 42-518, Connecticut consumers have the following rights:
8.1 Right to Access (Section 42-518(a)(1))
You have the right to confirm whether we are processing your personal data and to access such data.
8.2 Right to Correct (Section 42-518(a)(2))
You have the right to correct inaccuracies in your personal data.
8.3 Right to Delete (Section 42-518(a)(3))
You have the right to delete personal data provided by or obtained about you.
8.4 Right to Data Portability (Section 42-518(a)(7))
You have the right to obtain a copy of your personal data in a portable and, to the extent technically feasible, readily usable format.
8.5 Right to Opt Out (Section 42-518(a)(4-6))
You have the right to opt out of:
- Targeted advertising
- Sale of personal data
- Profiling in furtherance of decisions that produce legal or similarly significant effects
9. EXERCISING YOUR RIGHTS
9.1 How to Submit a Request
Methods to Submit Requests:
☐ Online Portal: [URL]
☐ Email: [PRIVACY EMAIL]
☐ Phone: [PHONE NUMBER]
☐ Mail: [MAILING ADDRESS]
9.2 Identity Verification
We will authenticate your identity before fulfilling your request using commercially reasonable methods.
9.3 Authorized Agents
You may designate an authorized agent to submit requests on your behalf. Requirements include:
- Written authorization signed by you
- Verification of your identity
- Verification of the agent's authority
9.4 Response Timeline
Pursuant to Conn. Gen. Stat. Section 42-518(c):
- Initial Response: Within 45 days of receipt
- Extension: May extend by an additional 45 days when reasonably necessary
- Notification: We will inform you of any extension and the reason
9.5 No Fee
We provide responses free of charge up to one request per year. We may charge a reasonable fee for additional requests or manifestly unfounded, excessive, or repetitive requests.
10. UNIVERSAL OPT-OUT MECHANISMS
10.1 Recognition of Opt-Out Preference Signals
Pursuant to Conn. Gen. Stat. Section 42-518(e), we recognize and process universal opt-out mechanisms including:
☐ Global Privacy Control (GPC)
☐ Other Universal Opt-Out Mechanisms: [SPECIFY]
10.2 How Universal Opt-Out Requests Are Processed
When we receive a universal opt-out signal, we will:
- Process it as a valid opt-out request for targeted advertising and sale of personal data
- Apply the opt-out to the browser or device from which the signal was sent
10.3 Opt-Out Link
"Do Not Sell or Share My Personal Data" / "Your Privacy Choices" Link: [URL]
11. RIGHT TO APPEAL
11.1 Appeal Process
Pursuant to Conn. Gen. Stat. Section 42-518(d), if we decline your request, you have the right to appeal.
To Submit an Appeal:
☐ Email: [APPEAL EMAIL]
☐ Online Form: [URL]
☐ Mail: [ADDRESS]
11.2 Appeal Response
- We will respond to your appeal within 60 days
- If we deny your appeal, we will provide information on how to contact the Connecticut Attorney General
11.3 Contact the Attorney General
Office of the Connecticut Attorney General
165 Capitol Avenue
Hartford, CT 06106
Phone: (860) 808-5420
Website: portal.ct.gov/AG
12. DATA PROTECTION ASSESSMENTS
12.1 Standard Data Protection Assessments
Pursuant to Conn. Gen. Stat. Section 42-521, we conduct data protection assessments for processing activities that present heightened risk of harm, including:
☐ Processing for targeted advertising
☐ Sale of personal data
☐ Processing for profiling with reasonably foreseeable risk
☐ Processing sensitive data
☐ Any processing presenting heightened risk of harm
12.2 Impact Assessments (SB 1295 - Effective August 1, 2026)
Pursuant to SB 1295, we conduct impact assessments for:
☐ Profiling that produces legal or similarly significant effects concerning consumers
Impact assessment requirements apply to processing activities created or generated on or after August 1, 2026.
13. MINOR PROTECTIONS
13.1 Children Under 13
Pursuant to Conn. Gen. Stat. Section 42-520(a)(5), we obtain verifiable parental consent before collecting personal data from children under 13, in compliance with COPPA.
13.2 Minors 13-16
For minors between 13 and 16 years of age, we obtain affirmative consent before:
☐ Processing personal data for targeted advertising
☐ Selling personal data
13.3 Known Child Data
We obtain consent before processing sensitive data from a known child under any age.
14. DUTY OF CARE FOR MINORS (SB 1295 - EFFECTIVE JULY 1, 2026)
Pursuant to SB 1295 (effective July 1, 2026), if we offer services, products, or features to users we know or willfully disregard are minors, we:
☐ Take reasonable care to avoid heightened risk of harm to minors
☐ Implement age-appropriate design features
☐ Conduct impact assessments for processing that affects minors
15. DATA MINIMIZATION AND PURPOSE LIMITATION
15.1 Data Minimization
Pursuant to Conn. Gen. Stat. Section 42-520(a)(3), we limit collection to what is adequate, relevant, and reasonably necessary for the specified purposes.
15.2 Purpose Limitation
Pursuant to Conn. Gen. Stat. Section 42-520(a)(4), we do not process personal data for purposes incompatible with the disclosed purposes without obtaining your consent.
16. DATA SECURITY
Pursuant to Conn. Gen. Stat. Section 42-520(a)(2), we maintain reasonable administrative, technical, and physical data security practices to protect personal data.
Our security measures include:
☐ Encryption of data in transit and at rest
☐ Access controls and authentication
☐ Regular security assessments
☐ Employee training
☐ Incident response procedures
☐ Vendor security requirements
17. DATA RETENTION
We retain personal data only as long as reasonably necessary for the purposes disclosed:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account Information | [PERIOD] | [BASIS] |
| Transaction Records | [PERIOD] | [BASIS] |
| Marketing Data | [PERIOD] | [BASIS] |
| Communication Records | [PERIOD] | [BASIS] |
18. CONTROLLER AND PROCESSOR RELATIONSHIPS
18.1 Controller Information
[COMPANY NAME] is the controller of personal data processed under this Notice.
Controller Contact:
[ADDRESS]
[EMAIL]
[PHONE]
18.2 Processor Contracts
Pursuant to Conn. Gen. Stat. Section 42-519, our contracts with processors include:
- Clear processing instructions
- Nature and purpose of processing
- Type of data processed
- Duration of processing
- Rights and obligations of both parties
- Confidentiality requirements
- Subprocessor restrictions
- Audit rights
19. CONTACT INFORMATION
Privacy Inquiries:
Name: [PRIVACY OFFICER NAME]
Title: [TITLE]
Email: [EMAIL]
Phone: [PHONE]
Address: [ADDRESS]
Consumer Rights Requests:
Email: [EMAIL]
Online: [URL]
Phone: [PHONE]
20. CHANGES TO THIS NOTICE
We may update this Notice to reflect changes in our practices or legal requirements. We will notify you of material changes:
☐ By posting an updated Notice on our website
☐ By email notification
☐ By notice within our application
DOCUMENT CONTROL
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [NAME] | Initial version |
| 2.0 | [DATE] | [NAME] | Updated for SB 1295 (2026) |
Legal Review: ☐ Completed Date: _________ Reviewer: _________
Next Review Date: _____________
This Notice is provided for informational purposes and compliance with the Connecticut Data Privacy Act. It does not constitute legal advice. Consult with qualified legal counsel for specific compliance questions.
About This Template
Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: February 2026
Get your Connecticut Data Privacy Act Privacy Notice, done and ready to use
Fill it in for your situation, adjust it for your state, and download the finished Word and PDF. Let the AI do it in about 5 minutes, or finish it yourself in the editor. Drafting this from scratch takes hours. Finish yours in about 5 minutes for $49, one time.