In This Blog:
- Does CTDPA apply to my organization?
- Where CTDPA failures happen
- How to ensure third-party scripts are CTDPA compliant
- CTDPA timelines
There’s a growing gap between what companies think they’re doing to protect user data and what privacy laws like CTDPA (Connecticut Data Privacy Act) actually expect. The browser is where personal data is increasingly collected, but it’s also where almost nobody is watching. That’s the gap regulators are zeroing in on.
Without monitoring, misconfigured or malicious scripts can access sensitive fields, override consent choices, or transmit data without being disclosed. If asked, “Do third-party scripts on your site behave the way your privacy notice claims?” most organizations can’t provide an evidence-backed response.
This article walks through CTDPA’s requirements and shows how to bring the browser layer into compliance before a violation takes place.
Does CTDPA Apply to My Organization?
CTDPA follows the “Virginia/Colorado-style” applicability model: it applies based on the volume of personal data processed. Below are the 2 main criteria, which you can use as a simple checklist. BOTH must be true for your business to fall under CTDPA rules.
1. CTDPA Criteria: You conduct business in Connecticut OR target CT residents
This includes companies that:
- Sell to Connecticut consumers
- Market or advertise to CT residents
- Operate a website or app that serves CT customers
- Have users, subscribers, or customers in CT
This applies even if the business is not physically located in Connecticut. “Target” doesn’t require intentional outreach. If Connecticut residents can access your site, receive your ads, or choose to sign up, you may still be considered to be conducting business in the state.
2. CTDPA Criteria: You process a significant volume of Connecticut residents’ data
CTDPA applies if, in the prior calendar year, you processed:
2 A) 100,000+ Connecticut residents’ personal data
OR
2 B) 25,000+ residents’ personal data AND you derive 25%+ of revenue from selling personal data
Let’s break down those thresholds further:
2 A) (Expanded) 100,000+ Connecticut residents’ personal data
Personal data = any data linked or linkable to an individual (IP addresses included). This matters because a visitor doesn’t need to fill out a form or explicitly “provide” information to fall under CTDPA. Most analytics, advertising, and tracking tools collect IP-based identifiers automatically.
This threshold excludes:
- Personal data processed solely to complete a payment transaction
2 B) (Expanded): 25,000+ residents’ personal data AND you derive 25%+ of revenue from selling personal data
This mostly affects:
- Data brokers, lead resellers, and consumer apps or websites that monetize personal information
Who is excluded from CTDPA Requirements:
- Government agencies
- Nonprofits
- Higher education institutions
- Data already regulated by FCRA, FERPA, or similar frameworks
However: Even exempt organizations must follow “reasonable security” practices. Client-side data exposure can still be a liability under other mandates like PCI DSS.
What is the Connecticut Data Privacy Act?
The Connecticut Data Privacy Act (CTDPA) is a state privacy law passed to give residents more control over how businesses collect, use, and share their personal data. Like GDPR and CCPA, the purpose of CTDPA is to give consumers meaningful control over their personal data. The law sets obligations for organizations who collect, use, or share personal data.
The Client-side Privacy Risk Surface
Modern privacy laws like CTDPA apply to the full data lifecycle, but the highest-risk area is the website itself. This is the layer where users first interact with your business and where personal data is initially collected - whether through form inputs or automatically by third-party scripts you don’t fully control.
Unfortunately, the client-side (the code your company serves to users’ browsers when they interact with your website) is the least secured layer of most companies’ defense stack. Servers are locked down and employees are trained on data handling processes, but the code executing in the user’s browser goes unmonitored.
Third-party scripts are a privacy compliance risk:
Website scripts and widgets interact with user data, and most teams have no governance over what they actually do. Common examples:
- Marketing tracking scripts fire before consent
- Pixels collect IP addresses and identifiers without opt-out
- Chat widgets process documents and account data
- A/B testing tools collect session metadata
- Marketing tools infer geolocation from device signals
Client-side attacks are a privacy data breach risk:
Not all data breaches are a result of someone breaking into the vault. More and more often, the compromise happens in the browser: attackers inject a few lines of malicious code into a trusted script on your site.
Suddenly, login credentials, ID scans, and credit card numbers are being harvested straight from pages like checkouts, onboarding forms, chatbots, or KYC processes.
A well-known illustration of this attack style is the 2018 British Airways breach, which triggered a £20 million fine. We cover that incident in detail, along with the latest examples, in our deep dive on the biggest Magecart attacks.
A client-side security platform detects and prevents these attacks.
Are cookie banners enough for CTDPA compliance?
Cookie banners capture user preferences but they do not always fully enforce them. In practice, there are several places where banners fall short:
- Incorrect or incomplete integrations between cookie banners and tag managers like Google Tag Manager
- Banners that accidentally block essential scripts such as forms or support chat tools
- Misconfigured or malicious scripts that ignore user consent selections
Some cookie banner vendors attempt to solve these challenges, but misconfiguration is still common. And even when implemented correctly, cookie banners aren’t designed to prevent client-side attacks. That gap leads to a lack of “reasonable security safeguards,” which has been the most frequently cited allegation in privacy lawsuits under similar laws like the CCPA.
Where CTDPA Compliance Failures Happen
1. Failure to honor consumer rights (access/deletion/opt-out)
Opting out is supposed to stop all processing of the user’s personal data. In practice, the user’s choice needs to be respected through multiple layers:
- Client-side scripts
- Analytics tools
- Session replay services
- Tag managers
- Advertising platforms
On the client-side, this often breaks down. Companies believe they’ve respected the opt-out, but:
- User opts out on a cookie banner but scripts still fire
- “Session replay” analytics tools still capture sensitive info
- “Cookies” are blocked but scripts still run
- Tag managers override cookie consent settings
Honoring CTDPA rights requires ensuring that client-side scripts actually stop collecting or sharing data. This is only possible with tools that can observe and enforce script behavior directly in the browser.
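The two failure modes above (a banner that records a choice but doesn’t enforce it, and scripts or tag managers that keep firing after an opt-out) come down to one question: at the moment a request leaves the browser, did it have the consent it needed? The following is an added example, not code from this post or from any vendor platform. It implements that check as a small consent-enforcement layer: a per-request decision function, a timeline audit that replays captured requests against consent changes and reports every violation, and an optional browser hook. The vendor hostnames, consent categories, site hostname and the sample timeline are all constructed for the example.

```javascript
// Added example, not code from the original post or any vendor platform.
// A small consent-enforcement layer: pure decision + audit functions that run
// under Node, plus an optional browser hook. The vendor hostnames, consent
// categories and the timeline below are all constructed for this example.

// Constructed vendor inventory: which consent category each destination needs.
// Anything not listed is treated as unknown and blocked until reviewed.
const VENDOR_POLICY = {
  'tag.example-analytics.test': 'analytics',
  'replay.example-session.test': 'analytics',
  'pixel.example-ads.test': 'advertising',
  'api.example-chat.test': 'necessary',
};

// Categories the site cannot function without; they never need consent.
const ALWAYS_ALLOWED = new Set(['necessary']);

// Decide whether one outbound request may proceed under the recorded consent.
// `consent` is what the banner stored, e.g. { analytics: true, advertising: false };
// a missing category counts as "not consented".
function evaluateRequest(url, consent, opts = {}) {
  const siteHost = opts.siteHost || 'shop.example.test'; // constructed first-party host
  const policy = opts.policy || VENDOR_POLICY;
  let host;
  try {
    host = new URL(url, `https://${siteHost}/`).hostname;
  } catch (e) {
    return { action: 'block', reason: 'unparseable-url', host: null, category: null };
  }
  if (host === siteHost || host.endsWith('.' + siteHost)) {
    return { action: 'allow', reason: 'first-party', host, category: 'first-party' };
  }
  const category = policy[host];
  if (category === undefined) {
    return { action: 'block', reason: 'unknown-destination', host, category: null };
  }
  if (ALWAYS_ALLOWED.has(category)) {
    return { action: 'allow', reason: 'necessary', host, category };
  }
  if (consent && consent[category] === true) {
    return { action: 'allow', reason: 'consented', host, category };
  }
  return { action: 'block', reason: 'no-consent', host, category };
}

// Replay a captured page timeline (requests and consent changes) and return
// every request that lacked the consent it needed at the moment it was sent.
// This is the evidence-backed answer to "do scripts behave as the notice claims?"
function auditTimeline(events, opts = {}) {
  const ordered = [...events].sort((a, b) => a.t - b.t);
  let consent = {}; // nothing is consented until the banner records a choice
  const violations = [];
  for (const ev of ordered) {
    if (ev.type === 'consent') {
      consent = ev.consent;
    } else if (ev.type === 'request') {
      const verdict = evaluateRequest(ev.url, consent, opts);
      if (verdict.action === 'block') violations.push({ t: ev.t, url: ev.url, ...verdict });
    }
  }
  return violations;
}

// Constructed timeline: a pixel fires before the banner is answered, the user
// then declines advertising, and an unlisted vendor appears later.
const SAMPLE_TIMELINE = [
  { t: 0, type: 'request', url: '/api/session' },
  { t: 120, type: 'request', url: 'https://pixel.example-ads.test/collect?uid=123' },
  { t: 300, type: 'request', url: 'https://api.example-chat.test/init' },
  { t: 2000, type: 'consent', consent: { analytics: true, advertising: false } },
  { t: 2100, type: 'request', url: 'https://tag.example-analytics.test/g/collect' },
  { t: 2200, type: 'request', url: 'https://pixel.example-ads.test/collect?uid=123' },
  { t: 2300, type: 'request', url: 'https://cdn.unlisted-vendor.test/beacon' },
];

// Optional browser hook: wrap fetch and sendBeacon so blocked requests never
// leave the page. No-op under Node. It does not cover <img> pixels or <script>
// loads, which need a CSP or a browser-level observer in addition.
function installBrowserGuard(getConsent, opts = {}) {
  if (typeof window === 'undefined') return false;
  const origFetch = window.fetch.bind(window);
  window.fetch = (input, init) => {
    const url = typeof input === 'string' ? input : input.url;
    const v = evaluateRequest(url, getConsent(), opts);
    return v.action === 'block'
      ? Promise.reject(new Error(`blocked ${v.host}: ${v.reason}`))
      : origFetch(input, init);
  };
  if (navigator.sendBeacon) {
    const origBeacon = navigator.sendBeacon.bind(navigator);
    navigator.sendBeacon = (url, data) => {
      const v = evaluateRequest(url, getConsent(), opts);
      return v.action === 'block' ? false : origBeacon(url, data);
    };
  }
  return true;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditTimeline(SAMPLE_TIMELINE), null, 2));
}
```

Run on the sample timeline, the audit reports three violations: the advertising pixel that fired before any choice was recorded, the same pixel firing again after the user declined advertising, and the unlisted vendor. Treating unknown destinations as a block rather than an allow is the design choice that matters here: a request to a host nobody has reviewed is exactly the case where the privacy notice cannot be accurate.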
2. Unmonitored Collection
One of the biggest gaps in compliance is when organizations don’t actually know what data is being collected on their website. Scripts come and go while vendors update their code without notice. Most organizations couldn’t list all the scripts running on their site today, let alone explain what they access.
3. Failure to implement “reasonable security safeguards.”
Source: CCPA Litigation Tracker, Perkins Coie
According to the Perkins Coie CCPA Litigation Tracker, which analyzes every publicly filed court case under the CCPA (a similar privacy framework that has been in effect much longer), the vast majority of lawsuits stem from one issue:
“a claim of alleged failure to implement reasonable security safeguards resulting in a data breach”
The client-side has become the hottest attack surface, with major organizations suffering breaches from malicious scripts (see: Ticketmaster and British Airways attacks). In many of these incidents, companies believed they were “covered” by compliance tools that only manage banners or policies, not actual browser security.
True client-side protection must detect and prevent attacks like:
- Formjacking
- Session hijacking
- E-skimming
These attacks harvest consumer data right from the browser, meaning attackers never have to break into your internal environment at all.
4. Inaccurate or incomplete privacy disclosures
CTDPA requires organizations to clearly disclose what personal data they collect, why they collect it, and which third parties receive that information.
In practice, many privacy disclosures are incomplete simply because teams don’t have full visibility into every script, form, or external tool operating on their website.
Conducting a script inventory (such as through a free crawler scan) can help establish a baseline picture of scripts that need to be disclosed.
CTDPA (Connecticut Data Privacy Act) Key Requirements
Consumer Rights
Organizations must give users the ability to:
- Opt out
- Access their personal data
- Correct inaccuracies in personal data
- Delete personal data
- Request a portable copy of their data
Privacy Notices & Transparency
Organizations must provide a clear privacy notice that explains what personal data is collected, why it is collected, and how users can exercise their rights. The notice should also identify which third parties receive their information. Disclosures must be kept up to date when data practices change.
Consent for Sensitive Data
CTDPA requires affirmative opt-in consent before processing sensitive personal data including: health information, biometric identifiers, precise geolocation, or children’s data.
Data Minimization
Under CTDPA, companies must limit personal data collection to what is genuinely needed for the stated purpose. They may not gather excessive information, and they may not use data for new or unrelated purposes without obtaining fresh consent.
For an exhaustive list of requirements, visit the official resources section below, which links to the official privacy law documentation.
Official Resources & Government Links
Connecticut Data Privacy Act (Attorney General’s Office):
https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act
This is the CTDPA page published by the Connecticut Attorney General, the primary enforcement authority for the law. It provides official guidance, updates, and state-issued resources.
Official Senate Bill – Public Act No. 22-15 (2022)