Connecticut · CTDPAWordPress hosting with CTDPA plugin built into the platform.
Opt-out signals for sale and targeted advertising, opt-in for sensitive data, a 45-day response workflow, and a Universal Opt-Out Mechanism that honors Global Privacy Control signals at the Cloudflare edge — handled by Yovale's compliance MU-plugin. You don't install it. You don't update it. You don't pay for it. It's how every Yovale site ships, on every plan. The same platform also handles CCPA, VCDPA, CPA, TDPSA, OCDPA, and MCDPA — one stack, every US state privacy law.
Under the CTDPA, you can opt out of the sale of personal data, targeted advertising, and profiling. You can also access, correct, delete, or export the data we hold about you, and appeal any denial.
Six obligations you have to meet.
The Connecticut Data Privacy Act took effect on July 1, 2023, making Connecticut the fifth US state with a comprehensive consumer privacy law alongside California, Virginia, Colorado, and Utah. It applies to controllers that process the personal data of 100,000+ Connecticut residents, or 25,000+ residents when 25% or more of revenue comes from selling personal data. Enforcement sits with the Connecticut Attorney General under the Connecticut Unfair Trade Practices Act (CUTPA), with civil penalties of up to $5,000 per violation. The 60-day cure period sunsetted on December 31, 2024.
- 01
Opt-out for sale, targeted ads, profiling
Consumers can opt out of the sale of personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects. The mechanism has to be clear, conspicuous, and free of dark patterns.
- 02
Universal Opt-Out Mechanism (UOOM)
Since January 1, 2025, controllers must recognize and honor a Universal Opt-Out Mechanism such as Global Privacy Control (GPC). A browser signal counts as a valid opt-out for sale and targeted advertising — no consent banner click required. Failure to honor GPC is the most common CTDPA enforcement trigger.
- 03
Opt-IN for sensitive data
You cannot process sensitive data without explicit consent. Sensitive data covers racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation, and personal data from a known child.
- 04
Consumer rights: access, correct, delete, port
Connecticut residents can request access to the personal data you hold, correct inaccuracies, delete it, and obtain a portable copy in a readily usable format. You respond within 45 days, extendable once by 45 days when reasonably necessary.
- 05
Appeal process within 60 days
When you deny a consumer request, you must give the resident a clear way to appeal the decision and respond to the appeal within 60 days. If the appeal is denied, you provide a written explanation and an online mechanism to submit a complaint to the Connecticut Attorney General.
- 06
Controller and processor contracts
Contracts between controllers and processors must spell out processing instructions, confidentiality, deletion or return of data at end of service, audit rights, and assistance with consumer requests. Yovale acts as your processor under a written contract.
Built into the platform. Not a plugin you install.
Yovale ships CTDPA compliance as a signed must-use plugin — part of the hosting itself, not something you install from the WordPress repository. It's version-pinned, fetched from R2 with SHA-256 verification, and dropped into a per-site bind-mounted mu-plugins directory at provision time. GPC detection runs at the Cloudflare edge worker before any WordPress code executes, so opt-out signals apply even on cached HTML.
GPC-aware consent banner
Connecticut visitors see CTDPA opt-out controls for sale, targeted advertising, and profiling. The Sec-GPC header and DOM Global Privacy Control signal are read at the edge — when GPC is on, sale and targeted ads are blocked before the banner even renders, and the audit log records the GPC-derived opt-out.
Privacy portal
/.well-known/privacy on every Yovale site. Connecticut residents can submit access, correction, deletion, and portability requests without filing a support ticket. Every request shows up in your Compliance dashboard tab with a 45-day SLA timer. Identity verification is handled by the platform — you only review and approve.
Appeal workflow with AG complaint link
When a request is denied, the resident gets a one-click appeal link. The appeal opens a separate 60-day SLA case in your dashboard, with the original decision attached. If you deny the appeal, the platform automatically attaches the Connecticut AG online complaint URL as required by the CTDPA.
Signed processor contract
Pre-signed controller-processor contract that meets CTDPA Public Act 22-15 § 7 requirements. Lists every sub-processor (Cloudflare, Anexia, R2), purpose limits, confidentiality, audit rights, deletion at end of service, and assistance with consumer requests and data protection assessments. PDF download from the dashboard.
Why infrastructure beats a plugin.
Typical WordPress CTDPA plugin
- Adds 200-500ms to every page load (banner JS, geo lookup, DB writes)
- Misses GPC signals — most plugins still don't read Sec-GPC, the #1 CTDPA enforcement gap
- Stores opt-out signals in wp_options — slow, untyped, breaks with object caching
- Updates through wp-admin — you maintain it, you break it, you debug conflicts
- Costs $49-149/year per site and rarely covers the appeal workflow or AG complaint link
- Breaks when you migrate hosts; opt-out history and appeal records lost
Yovale's built-in approach
- 0ms latency — GPC and opt-out state computed at the edge worker, cached in the CDN
- Sec-GPC and DOM signals read at the edge before any banner renders, the cure period is gone so this matters
- Audit log in a dedicated database, queryable, never blocks page render
- Updates ship through the platform — you don't see them, you don't break them
- Included on every plan ($149 / $249 / $499 per year), no per-site compliance fees
- Travels with your site forever — opt-out and appeal history is yours to export
14 regulations. One toggle each. All automatic.
- Opt-out for sale, targeted ads, profiling
- Honor GPC and UOOM (since January 1, 2025)
- Opt-in for sensitive data
- 45-day consumer request response
- Appeal process within 60 days
CTDPA + Yovale, answered.
Does the CTDPA apply to my site?
It applies if you control personal data of 100,000 or more Connecticut residents in a calendar year, or 25,000 or more residents when 25% or more of your gross revenue comes from selling personal data — note the threshold ratio is lower than the VCDPA's 50%. Government bodies, certain non-profits, HIPAA-covered entities, and FERPA-covered education data are out of scope. If you're below the thresholds you're not directly covered, but Yovale runs the same protections by default so your site is ready when you cross them.
What changed on January 1, 2025?
Two things. First, the 60-day cure period sunsetted on December 31, 2024 — the Connecticut AG no longer has to give you a chance to fix a violation before bringing an enforcement action. Second, controllers must honor a Universal Opt-Out Mechanism such as Global Privacy Control. A browser sending the Sec-GPC: 1 header is treated as a valid opt-out for sale and targeted advertising, and you have to act on it even if the visitor never clicks your consent banner. Yovale's edge worker reads both Sec-GPC headers and the DOM signal, applies the opt-out before any page renders, and logs it.
How is the CTDPA different from the CCPA?
Both give consumers opt-out for sale and targeted advertising, plus rights to access, delete, and port their data. The CTDPA goes further on sensitive data — it requires opt-IN consent, while California uses an opt-out signal. The CTDPA also mandates a formal appeal process for denied requests and is enforced by the Connecticut Attorney General under CUTPA, with no private right of action. Civil penalties cap at $5,000 per violation versus $7,500 under CCPA. Yovale handles both regimes from one platform.
What counts as sensitive data and how is the opt-in handled?
Sensitive data under the CTDPA covers racial or ethnic origin, religious beliefs, mental or physical health diagnosis or condition, sexual orientation, citizenship or immigration status, genetic or biometric data processed to uniquely identify a person, precise geolocation within 1,750 feet, and personal data from a known child under 13. Yovale's MU-plugin blocks any plugin or script that touches a sensitive category until the consumer has actively opted in through the consent UI.
What happens when I deny a consumer request?
The platform sends the consumer a denial notice with a one-click appeal link. The appeal opens a separate case in your Compliance dashboard with its own 60-day SLA. If you deny the appeal too, Yovale automatically attaches a link to the Connecticut Attorney General's online complaint form, as the CTDPA requires. Every step is timestamped in the audit log.
Do you provide a processor contract?
Yes. A pre-signed controller-processor contract that meets the CTDPA's processor contract requirements is available as a PDF in your dashboard. We're listed as your processor, you're the controller. It lists every sub-processor (Cloudflare, Anexia, R2), purpose limits, confidentiality terms, audit rights, return or deletion of data at end of service, and our duty to assist with consumer requests and data protection assessments.
Ship a CTDPA-compliant WordPress site in 60 seconds.
Every Yovale site is CTDPA-ready from the moment you deploy. GPC honored at the edge. Sensitive-data opt-in enforced. Appeal workflow live. AG complaint link wired. Start the free Growth trial and see your first compliance dashboard.