Skip to main content
Back to Guides
Compliance5 min read

Connecticut CTDPA Cookie Compliance in 2026

Connecticut's data privacy law just got a major overhaul that took effect July 1, 2026: a far lower coverage threshold, expanded sensitive data, and a blanket ban on targeted ads to teens. The GPC mandate has been live since January 2025.

Connecticut just moved the goalposts. On July 1, 2026, a set of amendments to the Connecticut Data Privacy Act (CTDPA) took effect that dropped the coverage threshold from 100,000 consumers to 35,000, widened what counts as sensitive data, and banned targeted advertising to anyone the business knows is a teenager. The original CTDPA has been live since July 1, 2023, and its universal opt-out mandate since January 1, 2025. If you thought you were too small to worry about Connecticut, check again.

Does the CTDPA reach cookies?

The CTDPA regulates personal data linked or reasonably linkable to an identifiable individual, which pulls in cookie IDs and advertising identifiers used for profiling. Functional-only cookies generally sit outside.

The triggering activities are the familiar pair: sale of personal data (defined broadly to include exchange for monetary or other valuable consideration) and targeted advertising across sites you don't own. Connecticut residents can opt out of both, plus profiling that produces significant effects.

The consent model: opt-out plus a mandatory signal

Connecticut runs an opt-out model. Default-on tracking is allowed, but you have to give residents a clear opt-out for sale and targeted advertising, and since January 1, 2025 you have to honor a universal opt-out preference signal automatically.

That means a Connecticut visitor whose browser sends GPC has opted out of sale and targeted advertising, full stop, and your site has to suppress those cookies without waiting for a banner click. The Connecticut Attorney General's CTDPA page is the primary reference.

What the July 2026 overhaul changed

The 2026 amendments are the reason to revisit your setup:

  • Lower threshold. Coverage now starts at 35,000 consumers (down from 100,000). Processing any sensitive data, or selling personal data, triggers the law regardless of volume.
  • Broader sensitive data. The definition now sweeps in government identifiers (driver's license, passport), financial account details, and Social Security numbers, on top of the usual health, biometric, and precise-geolocation categories.
  • No selling sensitive data without consent. The amendments expressly forbid selling sensitive data absent consumer consent.
  • Teen protections. Targeted advertising to and sale of the data of consumers aged 13 to 17 is prohibited where the controller knows or wilfully disregards the age, consent or not.
  • Wider profiling opt-out. The right now covers profiling that feeds any significant automated decision, where before it reached only solely-automated ones.

The exemptions narrowed too

The 2026 changes reach businesses that used to sit outside the law. The broad entity-level exemption for organizations regulated under the Gramm-Leach-Bliley Act and HIPAA was replaced with a narrower data-level exemption. In plain terms, GLBA- and HIPAA-covered data is still exempt, but the non-covered data those same companies hold now falls under the CTDPA. A bank or health-adjacent business that assumed it was fully carved out may now be partly in scope for its marketing and website data. Connecticut also added a rule that selling consumer health data requires separate, affirmative written consent, and starting August 1, 2026, controllers must run an impact assessment for profiling that drives significant automated decisions.

What to do before you rely on old scoping

If your last Connecticut review predates July 2026, redo it. Three checks matter most. Recount your Connecticut consumers against the new 35,000 threshold, and remember that any sale of personal data, or processing any single resident's sensitive data, pulls you in regardless of volume. Re-audit which trackers now touch the expanded sensitive-data list (government IDs, financial account details, Social Security numbers) and move them behind opt-in. And if you ever claimed a GLBA or HIPAA entity exemption, confirm it still holds now that it's a data-level carve-out, because your marketing and website data may no longer be exempt.

Sensitive data needs opt-in

To process sensitive data, the CTDPA requires prior opt-in consent. With the expanded 2026 definition, that now includes trackers touching precise geolocation, health, biometric identifiers, and the newly added financial and government-ID categories. Default-on is not an option for any of them.

Penalties and enforcement

The Connecticut Attorney General enforces the CTDPA under the Connecticut Unfair Trade Practices Act, with civil penalties up to $5,000 per willful violation, plus injunctive relief, restitution, and disgorgement. The right to cure that existed through December 31, 2024 has expired, so the AG can now act without giving you a fix-it window. Enforcement is real: the office reached a settlement with an online ticket marketplace in 2025 over CTDPA violations.

A practical setup for Connecticut traffic

  1. Recount your reach. The 35,000 threshold and the no-volume triggers mean smaller sites are now covered.
  2. Publish an opt-out control for sale and targeted advertising.
  3. Honor GPC automatically, mandatory since January 2025.
  4. Re-scope sensitive data to the expanded 2026 list and gate all of it behind opt-in.
  5. Block teen targeting. If you know a visitor is 13 to 17, don't run targeted ads or sell their data.

How CookieBeam handles Connecticut

CookieBeam's US opt-out states preset serves the CTDPA opt-out model, and GPC honoring is on by default in the runtime, which satisfies the January 2025 signal mandate. The regional consent engine lets you scope Connecticut to the opt-out model while the EU gets opt-in from the same banner. Sensitive categories can require opt-in, and you can gate categories by declared age to help with the teen-targeting ban. Given the July 2026 amendments are fresh, confirm the current statute and AG guidance before you rely on any single configuration.

Connecticut CTDPA Cookie Compliance 2026: New Rules | CookieBeam