Connecticut Data Privacy Act

What is CTDPA?


The Connecticut Data Privacy Act (CTDPA) applies to businesses that operate in Connecticut or target their products or services at its residents and have met the following conditions in the previous calendar year:

  • They process data of at least 100,000 consumers, excluding the personal data that was only used or processed to complete payment.

  • They process data of at least 25,000 consumers and make more than 25% of their total income from selling personal data.

Nonprofits and government entities are exempt from the law.

If you meet these thresholds, you must implement robust data security measures for the data you process. At the same time, you must limit the processing to the purposes specified in your privacy policy and to the minimum data necessary for such purposes.

The law also requires you to provide consumers with mechanisms to opt out of selling or sharing their data with third parties and respond to their consumer requests.

Consumers can submit requests to exercise their rights to:

  • Know
  • Access
  • Delete
  • Data portability
  • Correction
  • Opt-out.

MergeBase and CTDPA


MergeBase’s operations fall outside the scope of the Connecticut Data Privacy Act, as our organizational structure and scale do not trigger the thresholds requiring compliance with this specific piece of legislation.

Nevertheless, this exemption does not lessen our dedication to data security and privacy. Being at the forefront of cybersecurity, our fundamental principle is to create and sustain the utmost secure and reliable data environment.

Our compliance with Canada’s stringent data protection laws means that we maintain the highest data security standards. These Canadian laws are recognized for their thorough and stringent approach to data privacy, establishing a standard that we aim not just to meet but to surpass. This dedication ensures that, regardless of whether Connecticut law is applicable, our practices and protocols meet or exceed the most rigorous security requirements.


How Can MergeBase Help You Comply with the CTDPA?


The CTDPA, in terms of data security, requires the following:

  • Reasonable security measures — CTDPA requires implementing and maintaining “reasonable security measures” to protect personal data from unauthorized access, disclosure, alteration, destruction, or similar risks.

  • Risk-based approach — These measures should be appropriate to the risks associated with the data processing activities and the nature of the personal data collected.

  • Data breach notification — In case of a data breach involving unauthorized access or disclosure of personal data, companies must notify affected individuals and the Attorney General under certain circumstances.


We can help you stay away from trouble with the Attorney General and help with the following:

  • Proactive identification — MergeBase helps identify vulnerabilities in open-source components used within applications that process personal data. These vulnerabilities can be exploited to gain unauthorized access to data, violating CTDPA’s security requirements.

  • Prioritization — MergeBase prioritizes vulnerabilities based on severity and exploitability, allowing companies to focus on patching critical ones first, addressing high-risk security gaps faster.

  • Integration with patch management — MergeBase reports can be integrated with patch management tools for faster patching, reducing the window of vulnerability for personal data.

  • Ongoing vulnerability scanning — Our ongoing monitoring helps companies stay ahead of potential threats and address them promptly, contributing to continuous data security efforts.

  • Auditability — Vulnerability logs and reports provided by MergeBase demonstrate active security monitoring and risk management, potentially aiding in demonstrating compliance with CTDPA’s security measures requirement.

  • Reduced attack surface — Our focus on open-source components helps minimize the attack surface for applications handling personal data.