ARTICLE
8 July 2025

Fragmentation Of Privacy Requirements Accelerates As Four States Amend Nascent Laws

Kelley Drye & Warren LLP

Contributor

Kelley Drye & Warren LLP is an AmLaw 200, Chambers ranked, full-service law firm of more than 350 attorneys and other professionals. For more than 180 years, Kelley Drye has provided legal counsel carefully connected to our client’s business strategies and has measured success by the real value we create.

On June 25, 2025, Connecticut Governor Ned Lamont signed into law a major amendment to the state's comprehensive privacy law (CTDPA), just over three years after signing the CTDPA into law on May 10, 2022 and two years after signing an expansion of the CTDPA that safeguards certain types of health or reproductive data on June 26, 2023.

The most recent amendment expands the applicability of the CTDPA, makes significant changes to profiling-related disclosure requirements and consumer rights, adds to the list of "sensitive data" elements, and removes the GLBA entity-level exception from the CTDPA.

Connecticut's near-annual re-write of its privacy law is no longer unique. In just the first half of 2025, three other states have also passed significant amendments that make a slew of changes to their existing state privacy laws. These states are:

  • Montana - On May 8, 2025, Montana Governor Greg Gianforte signed MT SB 297, amending the Consumer Data Privacy Act (MCDPA). These amendments will become effective October 1, 2025.
  • Colorado - On May 23, 2025, Colorado Governor Jared Polis signed CO SB 25-276, amending the Colorado Privacy Act (CPA). These amendments will become effective October 1, 2025.
  • Oregon - On June 3, 2025, Oregon Governor Tina Kotek signed OR HB 2008, amending the Oregon Consumer Privacy Act (OCPA). These amendments will be effective January 1, 2026.
  • Connecticut - As described above, on June 25, 2025, Connecticut Governor Ned Lamont signed CT SB 1295, amending the CTDPA. These amendments will become effective on July 1, 2026.

As these new laws take effect, businesses will be required to re-evaluate (1) whether they are subject to the laws, as amended, (2) whether privacy policies or consumer rights communications must be updated to account for changes to the laws, and (3) whether internal policies and procedures must be revised to address these amendments. For some businesses, the adjustments will turn out to be minor, while others will need to fully re-consider prior implementation decisions or risk mitigation efforts.

In this blog post, we highlight key changes ushered in by these amendments.

Expanded Applicability. Amendments in Montana and Connecticut have broadened the applicability of each respective law, extending legal obligations to smaller businesses and removing an entity-level exemption relied on by many financial institutions.

  • Specifically, MT SB 297 cuts the MCDPA's applicability threshold to entities that process the data of 25,000 Montanans (previously 50,000), or process the data of 15,000 Montanans (previously 25,000) and make 25% of their revenue from selling personal data. MT SB 297 also limits the availability of the law's non-profit exemption to organizations that "detect and prevent fraudulent acts in connection with insurance."
  • Similarly, CT SB 1295 lowers the CTDPA's applicability threshold to include businesses that process the personal data of 35,000 consumers (previously 100,000), as well as any business that controls or processes sensitive personal data, or offers a consumer's personal data "for sale in trade or commerce" (even if the business does not meet the data processing threshold; this prong is not limited to data brokers).
  • Although the majority of state privacy laws completely exempt entities subject to the Gramm-Leach-Bliley Act (GLBA), MT SB 297 and CT SB 1295 follow the approach adopted in California, Minnesota, and Oregon and omit this exemption. Instead, they provide a narrower exemption that applies only to personal data collected, processed, sold, or disclosed pursuant to the GLBA. This means that entities such as credit card companies and banks that process personal data outside of the scope of their roles as financial institutions, such as for targeted advertising, may now be required to comply with comprehensive privacy laws in Montana and Connecticut (along with California, Minnesota, and Oregon).

Profiling and Automated Decision Making. CT SB 1295 adds new layers of regulatory obligations for companies that engage in profiling or automated decision making.

Specifically, the law modifies how the CTDPA regulates businesses that process personal information for "profiling for the purpose of making decisions that produce legal or similarly significant effects."

For example, as amended, the law requires businesses to allow consumers to opt-out of profiling in furtherance of any automated decision that produces any legal or similarly significant effect, replacing language that had limited the right to "solely automated decisions." This broader language could be interpreted to apply to discrete uses of automation, even in cases where automated decisions are combined with other non-automated decisions.

In addition, in instances where a consumer's personal data was processed for the purposes of profiling in furtherance of any automated decision that produced any legal or similarly significant effect, CT SB 1295 provides the consumer the right to 1) question the result of the profiling, 2) obtain information about the reason the profiling resulted in the decision, and 3) review the personal data used as part of the profiling. If a decision is related to housing, consumers must also have the right to correct inaccuracies in the personal data used and to have the decision reevaluated.

Businesses that engage in covered forms of profiling will also be required to conduct an in-depth impact assessment for the profiling, including an analysis of risks posed to consumers and the steps taken to mitigate these risks.

CT SB 1295 also tucks in a disclosure obligation that will require businesses to report in their privacy policies whether or not they collect, use, or sell personal data "for the purpose of training large language models."

Updated Protections for Children's Data. Children's privacy remains a hot topic at both the state and federal level, with amendments in Connecticut, Montana, and Oregon that include new restrictions on the use of personal data of individuals under the age of 18.

  • MT SB 297 enhances the knowledge standard for prohibiting the processing of the personal data of minors 13, 14, and 15 years old for targeted advertising, sales, or profiling by adding a "willfully disregards" standard. The amendment also expands the applicability of these restrictions to individuals under 18, whereas the pre-amended version of the law applied these restrictions to individuals under 16.
  • CT SB 1295 prohibits the use of the personal data of an individual a business knows or willfully disregards is under 18 for sale or targeted advertising.
  • Likewise, OR HB 2008 prohibits businesses from selling the personal information of individuals they know or willfully disregard to be under 16 years old for targeted advertising or profiling in furtherance of legal or similarly significant decisions.

CTDPA and OCPA previously permitted targeted advertising to minors with consent. Now, without an opportunity to solicit consent, these laws could pose unique challenges for companies that seek to market to older teens or young adults.

Sensitive Personal Data. Amendments to privacy laws in Colorado, Connecticut, and Oregon continue the recent trend of expanding the categories of personal data that are considered sensitive. Specifically, the laws add new categories to their respective definitions of sensitive data, including precise geolocation information, status as transgender or nonbinary, neural data, financial account data (with an access code), and government issued identifiers, such as social security numbers or driver's license numbers.

Also of note, OR HB 2008 establishes a complete prohibition on the sale of personal data linked or linkable to an individual that can be used to identify the individual's past or present location within 1,750 feet. Once effective, this amendment may have particular impact for companies engaged in location-based targeted advertising in the state.

Consumer Rights. Ensuring that businesses provide consumers with access to their personal data and a meaningful understanding of how personal data is processed is an ongoing priority for state legislators and regulators, as evidenced in recent enforcement reports out of Connecticut and Oregon, as well as a sweep of enforcement actions in California.

In this vein, CT SB 1295 follows Minnesota and Oregon and adds the consumer "right to request a specific list of the third parties" to which the business discloses an individual's personal data. The Connecticut attorney general's recent enforcement report released in April 2025 explicitly encouraged the legislature to adopt this right, in an effort to provide consumers more transparency into the downstream use of their personal data.

Other Notable Provisions:

These amendments include additional notable provisions and changes, including the following:

  • CT SB 1295 and MT SB 297 include clarified privacy notice and consumer disclosure requirements: both now affirmatively require businesses to make privacy notices available via a conspicuous hyperlink that includes the word "privacy" on website homepages and within the settings menu of mobile applications. Additionally, MT SB 297 requires businesses that sell personal data to third parties to provide a conspicuous method outside of the privacy notice, such as a hyperlink labeled "your privacy rights" that "directly effectuates" the opt-out request, or takes the consumer to a page where they can make the request.
  • MT SB 297 removed the MCDPA's 60-day cure period and provides the state attorney general authority to issue civil investigative demands pursuant to the law.

Regulators have indicated they are on the lookout for companies that fail to address unique provisions of their state laws. As businesses prepare for these amended privacy laws, it is increasingly important to re-evaluate current compliance programs and identify any potential gaps in consumer privacy notices, opt-out procedures, and information collection and consent practices.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
