Connecticut has revised its privacy law for the third time since it was passed in 2022. With SB 1295, the state has mirrored others (like Colorado and Montana) in making ongoing changes to its law. Many of the changes incorporate either in concept, or wholesale, provisions that exist in other states. Connecticut makes these changes following 2024 and 2025 AG reports, which reports included recommendations to lawmakers, some of which ended up in SB 1295.
Among the changes that will take effect July 1, 2026 are the following:
- Expanded Scope. Like Montana, the threshold will be lowered. Rather than 100,000 consumers, it will be processing information of 35,000 consumers. This lowered threshold aligns with other states such as Delaware, New Hampshire, Maryland, and Rhode Island. The law will also cover entities that process any sensitive consumer data, and expands the definition of that term. It will also apply to those offering personal data for sale in trade or commerce. Connecticut has also replaced its broad GLBA exemption with more targeted exemptions for certain types of regulated entities (including banks, insurers, and investment advisors).
- Consumer Rights and Profiling Protections. As revised, consumers will be able to access inferences made about them, including marketing profiles or other information derived from their data. They will also be able to contest profiling decisions (mirroring Minnesota). As revised, they will have a right to know if their information is being used for certain types of profiling that can have real-world effects, such as decisions relating to employment or housing. Among other things, consumers will be able to review or question certain results of automated tools used to make significant decisions. Connecticut will also join Minnesota and Montana in placing restrictions on how much sensitive data businesses can disclose in response to access requests.
- Data Minimization. Once the changes are in effect, businesses will only be able to collect personal data that is "reasonably necessary and proportionate" to the purposes disclosed. Businesses that process sensitive data will need both a valid purpose and consumer consent, with separate consent needed to sell such data. If a business plans to use data in a manner not reasonably aligned with what was first disclosed to the consumer, extra factors (such as the consumer's reasonable expectations) must be considered.
- Profiling and AI. Businesses will need to conduct impact assessments for profiling used in decisions with legal or significant effects, such as denying a loan or a job. These assessments must disclose the purpose, potential risks, performance metrics, and safeguards associated with the profiling activities.
- Protections for Minors. Like Maryland and Oregon, businesses will be prohibited from engaging in targeted advertising to minors, as well as selling minors' personal data (currently, these activities are permitted with parental or, depending on the age of the child, minor consent). For these purposes, in Maryland a minor is defined as someone under 18, and in Connecticut under 16.
Putting It Into Practice: Between now and next July, companies that are subject to Connecticut's expanded scope will want to take the time to review their rights processes, as well as their approaches to automated decision making and sensitive information processing. These modifications are a reminder that the US may not have one "most stringent law" and instead, each state adds to the increasingly complicated patchwork of obligations facing companies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
