Connecticut consumers can now opt out of most targeted advertising and sales of their personal data by using a single tool, like a browser extension. Residents can send what’s known as an “opt-out preference signal” to websites — essentially an automatic message — indicating whether they want the site to track their data. And under a portion of the Connecticut Data Privacy Act that went into effect Jan. 1, businesses are required to adhere to those preferences. “We’re all familiar now with the ‘ask site not to track’ pop-ups. Starting January 1, you can install a simple browser extension to answer that question once and for all — and sites you visit will be responsible for knowing and following your preference,” Attorney General William Tong said in a statement. Here’s what to know about the change. How can I opt into, or out of, targeted advertising and the sale of my personal data? Consumers can send an “opt out preference signal” by using a privacy protecting browser or a browser extension. For example, Global Privacy Control, a signal that is used by over 50 million people, can be sent to websites using several browsers and extensions. Among them is DuckDuckGo, which offers a privacy browser, and extensions like Privacy Badger that can be added to a user’s Google Chrome, Firefox or Microsoft Edge browser. The “personal data” the tools cover is any non-publicly available information like a user’s home address, driver’s license or state ID number, passport information or login credentials. Which companies will be required to adhere to my preference signal? All businesses operating in Connecticut that in the previous year controlled or processed the personal data of at least 100,000 consumers — or those that controlled or processed data from at least 25,000 consumers if they derived over 25% of their gross revenue from selling personal data. Businesses are subject to the rule regardless of whether they’re headquartered in Connecticut or not. Entities known as “controllers” of consumer health data that operate in Connecticut are required to honor the opt-out requests, regardless of their size. “Controllers” are operators that have decision-making authority over the purposes and means of personal data collection, whereas “processors” handle the processing of that data — the collection, use, storage and sale of it. What if I choose to opt out but have previously opted into targeted advertising? If a consumer who previously opted into data tracking wants to opt out via an opt-out preference signal, that choice will supersede their previous data tracking selection. That could affect the consumer’s participation in programs like loyalty rewards. Businesses have the option to inform customers that their signals are conflicting and that choosing to opt out of data tracking could affect their ability to participate in rewards programs. What else does the Connecticut Data Privacy Act cover? Initially passed in 2022, the CTDPA is a consumer privacy law that formalized policies around controlling and processing personal data. The attorney general’s office has called it one of the first “comprehensive consumer privacy law(s)” in the nation. Other parts of the law have previously taken effect, including provisions that give consumers the right to access personal data that a collector has collected about them, correct inaccuracies within it, delete it and obtain a copy of it that allows them to transfer it to a different collector with ease.