In This Blog:
- Does CTDPA apply to my organization?
- Where CTDPA failures happen
- How to ensure third-party scripts are CTDPA compliant
- CTDPA timelines
There’s a growing gap between what companies think they’re doing to protect user data and what privacy laws like CTDPA (Connecticut Data Privacy Act) actually expect. The browser is where personal data is increasingly collected, but it’s also where almost nobody is watching. That’s the gap regulators are zeroing in on.
Without monitoring, misconfigured or malicious scripts can access sensitive fields, override consent choices, or transmit data without being disclosed. If asked, “Do third-party scripts on your site behave the way your privacy notice claims?” most organizations can’t provide an evidence-backed response.
This article walks through CTDPA’s requirements and shows how to bring the browser layer into compliance before a violation takes place.
Does CTDPA Apply to My Organization?
CTDPA follows the “Virginia/Colorado-style” applicability model: whether it applies depends on the volume of personal data you process. Below are the two criteria, written as a simple checklist. Both must be true for your business to fall under CTDPA rules.
1. CTDPA Criteria: You conduct business in Connecticut OR target CT residents
This includes companies that:
- Sell to Connecticut consumers
- Market or advertise to CT residents
- Operate a website or app that serves CT customers
- Have users, subscribers, or customers in CT
This applies even if the business is not physically located in Connecticut. “Target” doesn’t require intentional outreach. If Connecticut residents can access your site, receive your ads, or choose to sign up, you may still be considered to be conducting business in the state.
2. CTDPA Criteria: You process a significant volume of Connecticut residents’ data
CTDPA applies if, in the prior calendar year, you processed:
2 A) 100,000+ Connecticut residents’ personal data
OR
2 B) 25,000+ residents’ personal data AND you derive 25%+ of revenue from selling personal data
Let’s break down those thresholds further:
2 A) (Expanded) 100,000+ Connecticut residents’ personal data
Personal data = any data linked or linkable to an individual (IP addresses included). This matters because a visitor doesn’t need to fill out a form or explicitly “provide” information to fall under CTDPA. Most analytics, advertising, and tracking tools collect IP-based identifiers automatically.
This threshold excludes:
- Personal data processed solely to complete a payment transaction
2 B) (Expanded): 25,000+ residents’ personal data AND you derive 25%+ of revenue from selling personal data
This mostly affects:
- Data brokers, lead resellers, and consumer apps or websites that monetize personal information
Who is excluded from CTDPA Requirements:
- Government agencies
- Nonprofits (exempt)
- Higher education institutions
- Data already regulated by FCRA, FERPA, or similar frameworks
However: Even exempt organizations must follow “reasonable security” practices. Client-side data exposure can still be a liability under other mandates like PCI DSS.
What is the Connecticut Data Privacy Act?
The Connecticut Data Privacy Act (CTDPA) is a state privacy law passed to give residents more control over how businesses collect, use, and share their personal data. Like GDPR and CCPA, the purpose of CTDPA is to give consumers meaningful control over their personal data. The law sets obligations for organizations that collect, use, or share personal data.
The Client-side Privacy Risk Surface
Modern privacy laws like CTDPA apply to the full data lifecycle, but the highest-risk area is the website itself. This is the layer where users first interact with your business and where personal data is initially collected - whether through form inputs or automatically by third-party scripts you don’t fully control.
Unfortunately, the client-side (code that your company serves to users when they interact with your website) is the least secured layer of most companies' defense stack. Servers are locked down, employees are trained on data handling processes, but the code executing in the user’s browser is unmonitored.
Third-party scripts are a privacy compliance risk:
Website elements interact with user data, and most teams have no governance over what those scripts actually do. Common examples:
- Marketing tracking scripts fire before consent
- Pixels collect IP addresses and identifiers without opt-out
- Chat widgets process documents and account data
- A/B testing tools collect session metadata
- Marketing tools infer geolocation from device signals
Client-side attacks are a privacy data breach risk:
Not all data breaches are a result of someone breaking into the vault. More and more often, the compromise happens in the browser: attackers inject a few lines of malicious code into a trusted script on your site.
Suddenly, login credentials, ID scans, and credit card numbers are being harvested straight from pages like checkouts, onboarding forms, chatbots, or KYC processes.
A well-known illustration of this attack style is the 2018 British Airways breach, which triggered a £20 million fine. We cover that incident in detail, along with the latest examples, in our deep dive on the biggest Magecart attacks.
A client-side security platform detects and prevents these attacks.
Are cookie banners enough for CTDPA compliance?
Cookie banners capture user preferences but they do not always fully enforce them. In practice, there are several places where banners fall short:
- Incorrect or incomplete integrations between cookie banners and tag managers like Google Tag Manager
- Banners that accidentally block essential scripts such as forms or support chat tools
- Misconfigured or malicious scripts that ignore user consent selections
Some cookie banner vendors attempt to solve these challenges, but misconfiguration is still common. And even when implemented correctly, cookie banners aren’t designed to prevent client-side attacks. That gap leads to a lack of “reasonable security safeguards,” which has been the most frequently cited allegation in privacy lawsuits under similar laws like the CCPA.
Where CTDPA Compliance Failures Happen
1. Failure to honor consumer rights (access/deletion/opt-out)
Opting out is supposed to stop all processing of the user’s personal data. In practice, the user’s choice needs to be respected through multiple layers:
- Client-side scripts
- Analytics tools
- Session replay services
- Tag managers
- Advertising platforms
On the client-side, this often breaks down. Companies believe they’ve respected the opt-out, but:
- User opts out on a cookie banner but scripts still fire
- “Session replay” analytics tools still capture sensitive info
- “Cookies” are blocked but scripts still run
- Tag managers override cookie consent settings
Honoring CTDPA rights requires ensuring that client-side scripts actually stop collecting or sharing data. This is only possible with tools that can observe and enforce script behavior directly in the browser.
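The failure modes listed above (scripts firing before consent, session replay continuing after opt-out, essential scripts wrongly blocked) can be checked mechanically once script activity is logged. The following is an added example, not cside's code: it audits a constructed activity log against the visitor's effective consent state, treating a Global Privacy Control signal as an opt-out of marketing regardless of the banner choice. The event shape, the consent categories and the sample entries are assumptions for illustration.

```javascript
// Added example (not cside's code): audits a constructed log of script activity
// against the visitor's consent state. Script categories, the event shape and
// the sample entries are assumptions for illustration.

// Effective consent: the banner choice grants categories, but a Global Privacy
// Control signal (navigator.globalPrivacyControl in a real browser) is treated
// as an opt-out of marketing regardless of what the banner stored.
function effectiveConsent(bannerChoice, gpcSignal) {
  const granted = new Set(bannerChoice ? bannerChoice.granted : []);
  const decidedAt = bannerChoice ? bannerChoice.decidedAt : Infinity; // no decision yet
  if (gpcSignal) granted.delete("marketing");
  return { granted, decidedAt, gpcSignal: Boolean(gpcSignal) };
}

// Each entry: which script acted, its consent category, what it did, and when (ms).
// "essential" scripts (forms, support chat) must never be blocked by consent tooling.
function auditActivity(log, consent) {
  const findings = [];
  for (const e of log) {
    if (e.category === "essential") {
      if (e.action === "blocked") findings.push(`${e.script}: essential script blocked by consent tooling`);
      continue;
    }
    if (e.action === "blocked") continue; // non-essential script held back: correct
    if (e.t < consent.decidedAt) {
      findings.push(`${e.script}: ${e.action} fired at t=${e.t} before the consent decision at t=${consent.decidedAt}`);
    } else if (!consent.granted.has(e.category)) {
      const why = consent.gpcSignal && e.category === "marketing" ? "GPC opt-out" : "banner opt-out";
      findings.push(`${e.script}: ${e.action} after ${why} (category ${e.category})`);
    }
  }
  return findings;
}

// Constructed sample: visitor sends GPC, then accepts analytics and marketing at t=300.
const SAMPLE_LOG = [
  { t: 40,  script: "gtm.js",          category: "analytics", action: "request:www.google-analytics.com" },
  { t: 120, script: "pixel.js",        category: "marketing", action: "request:ads.example-vendor.invalid" },
  { t: 320, script: "replay.js",       category: "analytics", action: "request:replay.example-vendor.invalid" },
  { t: 350, script: "pixel.js",        category: "marketing", action: "request:ads.example-vendor.invalid" },
  { t: 360, script: "support-chat.js", category: "essential", action: "blocked" },
];
const SAMPLE_CONSENT = effectiveConsent({ granted: ["analytics", "marketing"], decidedAt: 300 }, true);
function auditSample() { return auditActivity(SAMPLE_LOG, SAMPLE_CONSENT); }
```

Running auditSample() reports the two pre-consent requests, the marketing request that ignored GPC, and the blocked support-chat script, while the permitted analytics request at t=320 passes.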
2. Unmonitored Collection
One of the biggest gaps in compliance is when organizations don’t actually know what data is being collected on their website. Scripts come and go, and vendors update their code without notice. Most organizations couldn’t list all the scripts running on their site today, let alone explain what they access.
3. Failure to implement “reasonable security safeguards.”
Source: CCPA Litigation Tracker, Perkins Coie
According to the Perkins Coie CCPA Litigation Tracker, which analyzes every publicly filed court case under the CCPA (a similar privacy framework that has been in effect much longer), the vast majority of lawsuits stem from one issue:
“a claim of alleged failure to implement reasonable security safeguards resulting in a data breach”
The client-side has become the hottest attack surface, with major organizations suffering breaches from malicious scripts (see: Ticketmaster and British Airways attacks). In many of these incidents, companies believed they were “covered” by compliance tools that only manage banners or policies, not actual browser security.
True client-side protection must detect and prevent attacks like:
- Formjacking, session hijacking, and e-skimming
These attacks harvest consumer data right from the browser, meaning attackers never have to break into your internal environment at all.
4. Inaccurate or incomplete privacy disclosures
CTDPA requires organizations to clearly disclose what personal data they collect, why they collect it, and which third parties receive that information.
In practice, many privacy disclosures are incomplete simply because teams don’t have full visibility into every script, form, or external tool operating on their website.
Conducting a script inventory (such as through a free crawler scan) can help establish a baseline picture of scripts that need to be disclosed.
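As an added example (not cside's code and not a real crawler), the following builds a script inventory from a constructed HTML page and reports two things the text above calls for: third-party origins the privacy notice does not disclose, and scripts that appeared or disappeared since the last baseline. The page markup, the disclosed-vendor list and the baseline are assumptions for illustration.

```javascript
// Added example (not cside's code): script inventory from a constructed page,
// compared against the disclosed third parties and the previous baseline.
// The HTML, the disclosed list and the baseline are assumptions.

// Extract external <script src> origins. A regex is adequate for this constructed
// sample; a real crawler would observe the live DOM, including scripts injected later.
function scriptOrigins(html, pageOrigin) {
  const origins = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      const url = new URL(m[1], pageOrigin);
      if (url.origin !== pageOrigin) origins.add(url.origin); // third-party only
    } catch (_) { /* skip malformed src values */ }
  }
  return [...origins].sort();
}

// Compare the live inventory with what the privacy notice discloses and with the
// previous baseline, so both disclosure gaps and unannounced changes surface.
function inventoryReport(html, pageOrigin, disclosedOrigins, baselineOrigins) {
  const current = scriptOrigins(html, pageOrigin);
  const disclosed = new Set(disclosedOrigins);
  const baseline = new Set(baselineOrigins);
  return {
    current,
    undisclosed: current.filter((o) => !disclosed.has(o)),
    added: current.filter((o) => !baseline.has(o)),
    removed: [...baseline].filter((o) => !current.includes(o)),
  };
}

// Constructed page: a first-party script, a tag manager, an analytics script and a
// session-replay script that the (constructed) privacy notice never mentions.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src='https://www.google-analytics.com/analytics.js'></script>
</head><body>
<script src="https://replay.example-vendor.invalid/record.js"></script>
</body></html>`;
const DISCLOSED = ["https://www.googletagmanager.com", "https://www.google-analytics.com"];
const BASELINE = [...DISCLOSED, "https://cdn.old-vendor.invalid"];
function inventorySample() { return inventoryReport(SAMPLE_HTML, "https://www.example.com", DISCLOSED, BASELINE); }
```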
CTDPA (Connecticut Data Privacy Act) Key Requirements
Consumer Rights
Organizations must give users the ability to:
- Opt out
- Access their personal data
- Correct inaccuracies in personal data
- Delete personal data
- Request a portable copy of their data
Privacy Notices & Transparency
Organizations must provide a clear privacy notice that explains what personal data is collected, why it is collected, and how users can exercise their rights. The notice must also state which third parties receive their information. Disclosures must be kept up to date when data practices change.
Consent for Sensitive Data
CTDPA requires affirmative opt-in consent before processing sensitive personal data, such as health information, biometric identifiers, precise geolocation, and children’s data.
Data Minimization
Under CTDPA, companies must limit personal data collection to what is genuinely needed for the stated purpose. They may not gather excessive information, and they may not use data for new or unrelated purposes without obtaining fresh consent.
For an exhaustive list of requirements, see the Official Resources section below, which links to the official privacy law documentation.
Official Resources & Government Links
Connecticut Data Privacy Act (Attorney General’s Office):
https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act
This is the CTDPA page published by the Connecticut Attorney General, the primary enforcement authority for the law. It provides official guidance, updates, and state-issued resources.
Official Senate Bill – Public Act No. 22-15 (2022)
This is the full text of the Connecticut Data Privacy Act as enacted by the state legislature in 2022.
CTDPA Timelines
CTDPA has rolled out in phases, with additional obligations added over time through amendments. Below are the key dates most teams should be aware of (for the full, always up-to-date picture, see the Official Resources section).
- May 10, 2022 – CTDPA signed into law. Connecticut passes its comprehensive privacy law as Senate Bill 6 / Public Act 22-15.
- July 1, 2023 – Law goes into effect. Controllers and processors that meet the thresholds are expected to comply from this date, with the Connecticut Attorney General as the enforcement authority.
- July 1, 2023 – Dec 31, 2024 – “Right-to-cure” enforcement window. During this period, the AG must give businesses a 60-day opportunity to cure a violation before taking action, if a cure is possible.
- Oct 1, 2023 – Oct 1, 2024 – Health and minors amendments phase in. New provisions for consumer health data, dating apps, and online services used by minors take effect over several dates in late 2023 and 2024.
- Jan 1, 2025 – Universal opt-out signals (e.g., GPC) honored. Connecticut consumers can send browser-level opt-out preference signals (like Global Privacy Control), and controllers subject to CTDPA are expected to honor them.
- July 1, 2025 – Data protection assessments apply to new high-risk processing. Assessment requirements attach to processing activities created or generated on or after this date.
- Dec 31, 2025 – Statutory right-to-cure expires. After this date, the AG is no longer obligated to offer a 60-day cure period, though it may still do so at its discretion.
- July 1, 2026+ – Additional amendments kick in. Amendments passed in 2025 (SB 1295) introduce further changes, including updated thresholds and impact-assessment requirements, with most changes effective from mid-2026 onward.
How cside Helps Organizations Achieve CTDPA Compliance
Transparency Into Client-Side Data Flows
- cside reveals which scripts collect personal data, what they collect, and where it goes. Privacy teams gain the visibility needed to publish accurate disclosures.
Data Minimization at the Script Level
- Most websites collect more data than they intend simply because scripts evolve over time. cside highlights when a script starts gathering more information than it should, helping teams keep collection tightly scoped.
Reasonable Security Safeguards
- cside detects malicious or tampered scripts, suspicious client-side code changes, and data-skimming behavior at the browser layer. This supports CTDPA’s requirement to implement reasonable security safeguards and helps prevent data breaches.
Validate Third-Party Behavior
- Real-time monitoring ensures third-party processors adhere to your privacy obligations instead of unintentionally breaching them for you.
Audit-Ready Logs & Evidence
- cside provides a dashboard and detailed historical logs showing script activity along with data handling measures. This gives privacy teams the forensic evidence they need to demonstrate CTDPA compliance during audits or investigations.
FAQ
Does CTDPA apply to companies located outside Connecticut?
Yes. CTDPA applies to any organization that processes the data of Connecticut residents and meets the volume thresholds, regardless of where the company is physically located.
Are cookie banners enough to satisfy CTDPA consent requirements?
In most cases, no. Cookie banners capture preferences and manage cookies, but CTDPA requires enforcement at the script level and reasonable security measures that can prevent attacks that expose personal data.
What counts as “reasonable security safeguards” under CTDPA?
Organizations must protect personal data against unauthorized access, including client-side risks such as misconfigured scripts, unmonitored third-party tools, and skimming attacks.