Opt Out of Data Sharing Under Connecticut Data Privacy Act

The Connecticut Data Privacy Act (CTDPA), effective since July 1, 2023, grants Connecticut residents significant control over their personal data. If you live in Connecticut or serve Connecticut users, understanding how to exercise and implement these opt-out rights is essential for privacy-conscious individuals and developers building compliant applications.

What CTDPA Covers

CTDPA applies to businesses that process personal data of Connecticut residents and meet one of these thresholds:

Annual revenue exceeding $25 million
Buy, sell, or share personal data of 25,000+ consumers (excluding payment transactions)
Derive 50%+ of annual revenue from selling personal data

Personal data under CTDPA includes any information linked or reasonably linkable to an identified individual. This encompasses names, IDs, location data, online identifiers, and professional or employment-related information.

Your Rights Under CTDPA

Connecticut residents can exercise these rights:

Right to Know - Request what personal data is collected and how it’s used
Right to Delete - Request deletion of personal data
Right to Opt-Out - Prevent sale of personal data, targeted advertising, and profiling
Right to Correct - Request correction of inaccurate personal data
Right to Data Portability - Receive data in a portable, machine-readable format
Right to Appeal - Appeal denied requests

Direct Consumer Requests

The most straightforward method is contacting businesses directly. Most companies provide privacy request forms on their websites:

# Example: Finding opt-out mechanisms
curl -s "https://example-company.com/privacy" | grep -i "opt-out\|do not sell\|request"

Many businesses honor the Global Privacy Control (GPC) signal, which automatically transmits your opt-out preference when visiting websites. Enable GPC in your browser settings or use a privacy-focused browser extension.

Automating Opt-Out Requests

For power users managing data across multiple services, automated requests save time. Here’s a Python script to generate CTDPA deletion requests:

#!/usr/bin/env python3
"""
CTDPA Data Deletion Request Generator
Generates formatted deletion requests for multiple services
"""

import json
import smtplib
from email.mime.text import MIMEText
from datetime import datetime

CTDPA_DELETION_TEMPLATE = """
Subject: Connecticut Data Privacy Act - Data Deletion Request
From: {email}
To: {privacy_email}
Date: {date}

Dear Privacy Team,

Pursuant to the Connecticut Data Privacy Act (CTDPA), I hereby request the deletion of all personal data you have collected about me.

Identifying Information:
- Email: {email}
- Name: {name}
- Account Identifier (if applicable): {account_id}

This request applies to all personal data as defined by CTDPA, including but not limited to:
- Account information
- Purchase history
- Location data
- Online identifiers
- Any profiling or automated decision-making data

Please confirm receipt of this request and provide confirmation of deletion within 45 days as required by CTDPA.

Sincerely,
{name}
{email}
"""

def generate_deletion_request(privacy_email, user_info):
    """Generate a formatted deletion request email"""
    request = CTDPA_DELETION_TEMPLATE.format(
        email=user_info['email'],
        privacy_email=privacy_email,
        name=user_info['name'],
        account_id=user_info.get('account_id', 'N/A'),
        date=datetime.now().strftime("%a, %d %b %Y %H:%M:%S %z")
    )
    return request

# Example usage
user_info = {
    'email': 'user@example.com',
    'name': 'Connecticut Resident',
    'account_id': 'USER-12345'
}

# Privacy contact for a hypothetical company
privacy_email = 'privacy@company.com'
request = generate_deletion_request(privacy_email, user_info)
print(request)

Browser-Based Opt-Out Tools

Several browser extensions help automate GPC signal transmission:

// If building a privacy-focused extension, here's how to set GPC
// Global Privacy Control is set via a request header

// For Chrome Extension:
chrome.webRequest.onBeforeSendHeaders.addListener(
  function(details) {
    details.requestHeaders.push({
      name: "Sec-GPC",
      value: "1"
    });
    return {requestHeaders: details.requestHeaders};
  },
  {urls: ["<all_urls>"]},
  ["blocking", "requestHeaders"]
);

For Developers: Implementing CTDPA Compliance

If you build applications serving Connecticut users, you must respect opt-out signals and handle consumer requests.

Detecting GPC Signals

// Server-side detection of GPC in Node.js
app.use((req, res, next) => {
  const gpc = req.headers['sec-gpc'];
  const doNotTrack = req.headers['dnt'] === '1';

  if (gpc === '1' || doNotTrack) {
    req.userOptsOut = true;
    // Apply opt-out logic
  }
  next();
});

# Flask middleware for GPC detection
@app.before_request
def check_gpc_signal():
    gpc_header = request.headers.get('Sec-GPC')
    dnt_header = request.headers.get('DNT')

    if gpc_header == '1' or dnt_header == '1':
        g.session.user_opts_out = True
        # Disable data sale, targeted advertising
        disable_targeted_ads()
        disable_data_sale()

Handling Deletion Requests

import hashlib
from datetime import datetime, timedelta

class CTDPARequestHandler:
    def __init__(self, db_connection):
        self.db = db_connection

    def handle_deletion_request(self, user_id, request_id):
        """Process CTDPA deletion request within 45-day window"""

        # Step 1: Verify user identity
        user = self.db.get_user(user_id)
        if not user:
            return {"error": "User not found"}, 404

        # Step 2: Create audit trail
        self.db.log_request(
            request_id=request_id,
            user_id=user_id,
            request_type="deletion",
            timestamp=datetime.now(),
            deadline=datetime.now() + timedelta(days=45)
        )

        # Step 3: Delete from all data stores
        tables = ['users', 'profiles', 'activity_log', 'payments', 'analytics']

        for table in tables:
            self.db.execute(
                f"DELETE FROM {table} WHERE user_id = ?",
                (user_id,)
            )

        # Step 4: Handle third-party data sharing
        self.revoke_third_party_access(user_id)

        # Step 5: Confirm deletion
        return {"status": "deleted", "request_id": request_id}

    def revoke_third_party_access(self, user_id):
        """Remove user data from third-party integrations"""
        # Remove from email marketing platforms
        self.db.execute(
            "DELETE FROM marketing_lists WHERE user_id = ?",
            (user_id,)
        )
        # Revoke data broker access
        self.db.execute(
            "DELETE FROM data_broker_shares WHERE user_id = ?",
            (user_id,)
        )

Data Portability Implementation

def export_user_data(user_id, format='json'):
    """Export user data in machine-readable format"""
    user_data = {
        'profile': get_profile(user_id),
        'activity': get_activity(user_id),
        'preferences': get_preferences(user_id),
        'payments': get_payment_history(user_id)
    }

    if format == 'json':
        return json.dumps(user_data, indent=2)
    elif format == 'csv':
        return convert_to_csv(user_data)

Verifying Your Opt-Out Status

After submitting requests, verify companies have honored them:

Check privacy dashboards - Many services show connected data
Use data broker removal services - Tools like DeleteMe automate removal from data brokers
Monitor for data leakage - Set up Google Alerts for your name and email
Test with different browsers - Verify GPC signals work across browsers

Common Pitfalls

Several issues frequently trip up Connecticut residents exercising their rights:

Broad requests - Specify what data types you want deleted
Verification delays - Companies can request additional verification
Third-party data - Deletion doesn’t always remove data shared with partners
Retention exceptions - Companies can keep data for security, legal obligations

Built by theluckystrike — More at zovo.one