ARTICLE
1 July 2025

Connecticut Amends Privacy Law: New Rules For Sensitive Data, Profiling, And Consumer Rights Take Effect July 1, 2025

RJ
Roth Jackson

Contributor

Roth Jackson and Marashlian & Donahue’s strategic alliance delivers premier regulatory, litigation,and transactional counsel in telecommunications, privacy, and AI—guiding global technology innovators with forward-thinking strategies that anticipate risk, support growth, and navigate complex government investigations and litigation challenges.
On June 6, 2025, Connecticut Governor Ned Lamont signed Public Act No. 25-113 into law, amending the Connecticut Data Privacy Act (CTDPA) with significant new provisions...
United States Connecticut Privacy

On June 6, 2025, Connecticut Governor Ned Lamont signed Public Act No. 25-113 into law, amending the Connecticut Data Privacy Act (CTDPA) with significant new provisions aimed at enhancing consumer protection in light of emerging technologies and evolving business practices. The amendments will take effect July 1, 2025, and require action from both data controllers and processors to ensure compliance.

Connecticut's new rules position the state as one of the most forward-looking jurisdictions in the country, particularly with respect to biometric data, consumer profiling, and high-impact automated decision-making.

Key Changes in Public Act No. 25-113

  1. Expanded Definition of Biometric Data and Sensitive Information

The amendment clarifies and expands the scope of biometric data, now explicitly including "an image or recording of a person from which a biometric data identifier template can be extracted," as well as "data generated by automatic measurements of a person's biological characteristics". Sensitive data has been broadened to include precise geolocation, pregnancy status, and the personal data of a known child, with an emphasis on affirmative consent before processing.

Controllers must now obtain consent to collect or process sensitive data, including:

  • Personal data revealing pregnancy status, mental or physical health diagnosis, and immigration status.
  • The processing of a known child's personal data.
  • Biometric identifiers and data used for identification purposes.
  1. Stronger Restrictions on Profiling and Automated Decision-Making

The law introduces explicit rights related to profiling, including:

  • A right to opt out of profiling of decisions that produce legal or similarly significant effects, such as access to financial services, housing, education, or employment opportunities.

The amendments also add nuanced provisions:

  • Controllers may process personal data for profiling in furtherance of automated decisions only if the processing is strictly limited to detecting or correcting bias, is necessary for that purpose, and the data is deleted immediately after the task.
  • Such internal uses must comply with security and privacy safeguards, such as pseudonymization, strict access controls, and non-transmission to third parties.
  1. New Obligations for Data Processors and Vendors

Connecticut's amendments align with privacy-by-design principles and require contracts between controllers and processors to address:

  • Restrictions on de-identified data use and reuse.
  • Reasonable data security safeguards consistent with industry standards.
  • Documentation of data processing activities, including independent audits and cooperation with assessments.
  • Expanded responsibilities for subcontractors and obligations regarding children's data.
  1. Youth Data Protections

Controllers are explicitly prohibited from processing the personal data of children under 18 for targeted advertising, selling data, or profiling in furtherance of decisions with legal or similarly significant effects without verifiable parental or guardian consent.

The law reflects growing state-level momentum for minor-specific protection, following trends in California, Maryland, and other states.

  1. Attorney General Enforcement and Rulemaking Authority

The Connecticut Attorney General retains exclusive enforcement authority and may seek injunctive relief, civil penalties, and other remedies. The amended CTDPA empowers the AG to adopt regulations on the processing of sensitive data, profiling, and children's data, and clarifies that guidance or rules issued will have the force of law once finalized.

Implications for Telecommunications, AdTech, and AI Vendors

These amendments will be especially relevant for:

  • Telecom & VoIP providers use call detail records, location data, or behavioral analytics for customer profiling.
  • AdTech firms and data brokers engaged in targeted advertising, especially involving youth or sensitive attributes.
  • AI vendors offering scoring, eligibility assessment, or predictive modeling tools must now ensure transparency, fairness, and opt-out capabilities.

Next Steps for Clients

  • Conduct a CTDPA-Specific Gap Analysis: Identify gaps between current data practices and the new requirements, especially profiling and consent.
  • Update Privacy Notices: Ensure all required disclosures, particularly around profiling, sensitive data, and children's data—are included.
  • Review and Amend Contracts: Vendor and processor agreements must be updated to reflect new requirements on data use, audits, and security.
  • Implement Profiling Opt-Out Tools: Update systems to allow consumer opt-outs from profiling, including through customer-facing tools with clear instructions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More