ARTICLE
20 June 2025

Connecticut Amends Privacy Law

BS
Ballard Spahr LLP

Contributor

Ballard Spahr LLP—an Am Law 100 law firm with more than 750 lawyers in 18 U.S. offices—serves clients across industries in litigation, transactions, and regulatory compliance. A strategic legal partner to clients, Ballard goes beyond to deliver actionable, forward-thinking counsel and advocacy powered by deep industry experience and an understanding of each client’s specific business goals. Our culture is defined by an entrepreneurial spirit, collaborative environment, and top-down focus on service, efficiency, and results.
On June 11, 2025, Connecticut passed Senate Bill 01295 (SB 01295). If signed by the governor, SB 01295 will amend the existing Connecticut Data Privacy Act (CTDPA) in several important ways...
United States Connecticut Privacy

On June 11, 2025, Connecticut passed Senate Bill 01295 (SB 01295). If signed by the governor, SB 01295 will amend the existing Connecticut Data Privacy Act (CTDPA) in several important ways, with the amendments going into effect on July 1, 2026.

Expanded Scope: In what is seen as a general trend, SB 01295 broadens the reach of the CTDPA by lowering exemption thresholds: The law will apply to organizations that control or process the personal data of 35,000 consumers or more, controls or processes any sensitive data, or engage in the sale of personal data. The bill also expands the definition of sensitive data, thereby increasing the number of covered entities.

Signaling another important trend, the amendment would remove the entity-level exemption for financial institutions under the Gramm-Leach-Bliley Act (GLBA), and instead only exempt data subject to the GLBA. Notably, however, certain types of financial institutions may continue to enjoy entity-level exemptions.

Stricter Regulations for Minors: Social media platforms and online services targeting minors (individuals under 18) would also be subject to heightened obligations and standards, including restrictions related to processing minors' personal data related to certain risks and automated decisions.

Additional Changes: Additionally, the amended changes would include additional responsibilities placed on data controllers, including those related to consumer rights requests, data protection assessments and privacy notices and disclosures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More