Connecticut Dramatically Expands Its Data Privacy Act: What Businesses Need to Know Now
Connecticut has significantly expanded and toughened its consumer privacy law. Under Senate Bill 1295 (Public Act 25-113), sweeping amendments to the Connecticut Data Privacy Act (CTDPA) took effect on July 1, 2026, with one key obligation – a new profiling impact assessment – following on August 1, 2026. The amendments widen who must comply, broaden the data the law protects, and add new obligations around profiling, artificial intelligence, minors’ data, and privacy disclosures. For many businesses, the takeaway is simple: you may now be covered even if you never were before.
Who Is Now Covered?
As of July 1, 2026, the CTDPA applies to any entity that conducts business in Connecticut, or targets products or services to Connecticut residents, and that during the preceding calendar year satisfied any one of the following:
- Controlled or processed the personal data of at least 35,000 consumers (reduced from 100,000), excluding data processed solely to complete a payment transaction;
- Controlled or processed consumers’ sensitive data, regardless of volume; or
- Offered consumers’ personal data for sale in trade or commerce, regardless of volume.
The prior threshold tied to deriving 25% or more of gross revenue from the sale of personal data has been removed. Because the second and third triggers contain no numerical threshold, any business that processes sensitive data or offers personal data for sale may now fall within the scope of the CTDPA, even a very small one.
What Counts as “Sensitive Data” under the CTDPA?
Your company is swept in if, during the past year, it collected or processed any of the following, no matter how few Connecticut residents were involved:
| – Data revealing racial or ethnic origin – Data revealing religious beliefs – Data revealing a mental or physical health condition, diagnosis, disability, or treatment – Data revealing sex life, sexual orientation, or status as nonbinary or transgender – Data revealing citizenship or immigration status – Consumer health data – Genetic or biometric data, or information derived therefrom – Precise geolocation data | – Personal data collected from a known or willfully disregarded child – Data concerning an individual’s status as a victim of a crime – Neural data – Financial account numbers, log-in credentials, or credit/debit card numbers that, combined with any required access code or password, would allow access to a financial account – Government-issued identification numbers (e.g., Social Security numbers, passport numbers, state ID or driver’s license numbers) |
What Counts as a “Sale”?
The “sale” trigger is broader than many businesses assume. Under the CTDPA, a “sale” includes sharing, transferring, or disclosing personal data to a third party for valuable consideration (in addition to money), so many everyday practices can qualify, including:
- deploying tracking cookies from ad networks to serve targeted ads later;
- embedding third-party tracking pixels on a checkout page, which transfers unique device IDs and browsing history to an ad network in exchange for targeted audience insights and optimized ad campaigns;
- sending customer data to a vendor whose terms let it use your data to improve its own algorithms or train its AI models; and
- swapping loyalty data or email marketing lists with a partner brand to cross-promote, even with no money changing hands (among other examples).
What’s Changed and Why It Matters
Below are the key operational implications for covered businesses under the latest amendments to the CTDPA.
Stronger Profiling and Automated Decision-Making Rules
The opt-out right now covers any automated decision that produces a legal or similarly significant effect (not just those made without human involvement) and expressly includes decisions made “on behalf of” a controller by third parties or service providers. Where feasible, consumers may question outcomes, receive an explanation of how a decision was reached, review the data used, and – in housing-related contexts – correct inaccurate data and request re-evaluation.
Expanded Consumer Rights
Consumers gain new rights tied to covered profiling decisions and a new right to obtain a list of third parties to whom their personal data was sold. The rights to know and access now expressly include inferences and profiling information. Notably, controllers may not hand over certain higher-risk categories (such as Social Security numbers, certain financial data, and biometric elements) in response to a request; only confirmation that the data is held is required.
Heightened Protections for Individuals Under 18
The protected age range rises from 13-16 to 13-17, and there is now a blanket prohibition on targeted advertising to, and the sale of personal data for this age group, regardless of consent, where the controller has actual knowledge of or willfully disregards that a consumer is between 13 and 17 years of age. Controllers are also barred from using design features that increase, sustain, or extend a minor’s use of an online service, and must conduct heightened impact assessments for minors’ data.
Updated Privacy Notice Requirements
Privacy notices must now disclose whether personal data is used to train large language models (LLMs), along with profiling and targeted advertising practices. Notices must be reachable through a conspicuous homepage hyperlink containing the word “privacy,” provided in each language the controller uses, and accessible to individuals with disabilities. Material retroactive changes to data practices require notice and an opportunity to withdraw consent.
Tighter Data Minimization and New Impact Assessments
Data collection must now be reasonably necessary and proportionate to the disclosed purposes, and material new secondary uses require fresh consent. Controllers that profile consumers to make legally significant decisions must conduct a dedicated impact assessment (separate from the existing data protection assessment) for processing activities created or generated on or after August 1, 2026.
Updated Controller Duties
Processing sensitive data now requires both a “reasonably necessary” basis and consent, and antidiscrimination obligations are reinforced to guard against unlawful disparate treatment.
The Bottom Line
Connecticut has shifted from a threshold-based law that mostly affected large companies to an expansive framework that can capture smaller organizations – particularly those that touch sensitive data, rely on ad-tech and targeted advertising, share data in ways that may count as a “sale,” or offer online features used by minors. With the Connecticut Attorney General’s cure period gone and enforcement already active, the cost of waiting has risen. Companies with any nexus to Connecticut should consider the following steps:
- Reassess whether you are in scope. Given that the sensitive data and sale triggers under the amended CTDPA have no volume threshold, assume you may be in scope until confirmed otherwise.
- Map your data. Inventory what personal and sensitive data you collect, how it is used, and with whom it is shared – including via tracking pixels and list exchanges.
- Refresh privacy notices and consent flows. Disclose profiling, targeted advertising, and any use of personal data to train LLMs, and ensure notices are conspicuous, multilingual, and accessible.
- Review profiling and automated decision-making. Build compliant processes to honor opt-out requests, provide explanations for how decisions were reached, and complete the new impact assessment for activities on or after August 1, 2026.
- Strengthen protections for minors. Stop targeted advertising to, and sales of personal data of, individuals aged 13-17, and remove engagement-maximizing design features.
If you are unsure whether the amended CTDPA now applies to your business – or how to close the gaps – our Data Privacy and Cybersecurity attorneys can help you assess your compliance obligations and build a practical path forward. Please reach out to a member of our team to start the conversation.