ARTICLE
9 July 2026

Connecticut Dramatically Expands Its Data Privacy Act: What Businesses Need To Know Now

FL
Foley & Lardner

Contributor

Foley & Lardner LLP looks beyond the law to focus on the constantly evolving demands facing our clients and their industries. With over 1,100 lawyers in 24 offices across the United States, Mexico, Europe and Asia, Foley approaches client service by first understanding our clients’ priorities, objectives and challenges. We work hard to understand our clients’ issues and forge long-term relationships with them to help achieve successful outcomes and solve their legal issues through practical business advice and cutting-edge legal insight. Our clients view us as trusted business advisors because we understand that great legal service is only valuable if it is relevant, practical and beneficial to their businesses.
Connecticut has significantly expanded and toughened its consumer privacy law. Under Senate Bill 1295 (Public Act 25-113), sweeping amendments to the Connecticut Data Privacy Act (CTDPA) took effect on July 1, 2026...
United States Connecticut Privacy
Samuel D. Goldstick’s articles from Foley & Lardner are most popular:
  • in United States
  • with readers working within the Healthcare and Media & Information industries
Foley & Lardner are most popular:
  • within Wealth Management topic(s)

Connecticut has significantly expanded and toughened its consumer privacy law. Under Senate Bill 1295 (Public Act 25-113), sweeping amendments to the Connecticut Data Privacy Act (CTDPA) took effect on July 1, 2026, with one key obligation – a new profiling impact assessment – following on August 1, 2026. The amendments widen who must comply, broaden the data the law protects, and add new obligations around profiling, artificial intelligence, minors’ data, and privacy disclosures. For many businesses, the takeaway is simple: you may now be covered even if you never were before.

Who Is Now Covered?

As of July 1, 2026, the CTDPA applies to any entity that conducts business in Connecticut, or targets products or services to Connecticut residents, and that during the preceding calendar year satisfied any one of the following:

  • Controlled or processed the personal data of at least 35,000 consumers (reduced from 100,000), excluding data processed solely to complete a payment transaction;
  • Controlled or processed consumers’ sensitive dataregardless of volume; or
  • Offered consumers’ personal data for sale in trade or commerce, regardless of volume.

The prior threshold tied to deriving 25% or more of gross revenue from the sale of personal data has been removed. Because the second and third triggers contain no numerical threshold, any business that processes sensitive data or offers personal data for sale may now fall within the scope of the CTDPA, even a very small one.

What Counts as “Sensitive Data” under the CTDPA?

Your company is swept in if, during the past year, it collected or processed any of the following, no matter how few Connecticut residents were involved:

1814498a.jpg

What Counts as a “Sale”?

The “sale” trigger is broader than many businesses assume. Under the CTDPA, a “sale” includes sharing, transferring, or disclosing personal data to a third party for valuable consideration (in addition to money), so many everyday practices can qualify, including:

  • deploying tracking cookies from ad networks to serve targeted ads later;
  • embedding third-party tracking pixels on a checkout page, which transfers unique device IDs and browsing history to an ad network in exchange for targeted audience insights and optimized ad campaigns;
  • sending customer data to a vendor whose terms let it use your data to improve its own algorithms or train its AI models; and
  • swapping loyalty data or email marketing lists with a partner brand to cross-promote, even with no money changing hands (among other examples).

What’s Changed and Why It Matters

Below are the key operational implications for covered businesses under the latest amendments to the CTDPA.

Stronger Profiling and Automated Decision-Making Rules

The opt-out right now covers any automated decision that produces a legal or similarly significant effect (not just those made without human involvement) and expressly includes decisions made “on behalf of” a controller by third parties or service providers. Where feasible, consumers may question outcomes, receive an explanation of how a decision was reached, review the data used, and – in housing-related contexts – correct inaccurate data and request re-evaluation.

Expanded Consumer Rights

Consumers gain new rights tied to covered profiling decisions and a new right to obtain a list of third parties to whom their personal data was sold. The rights to know and access now expressly include inferences and profiling information. Notably, controllers may not hand over certain higher-risk categories (such as Social Security numbers, certain financial data, and biometric elements) in response to a request; only confirmation that the data is held is required.

Heightened Protections for Individuals Under 18

The protected age range rises from 13-16 to 13-17, and there is now a blanket prohibition on targeted advertising to, and the sale of personal data for this age group, regardless of consent, where the controller has actual knowledge of or willfully disregards that a consumer is between 13 and 17 years of age. Controllers are also barred from using design features that increase, sustain, or extend a minor’s use of an online service, and must conduct heightened impact assessments for minors’ data.

Updated Privacy Notice Requirements

Privacy notices must now disclose whether personal data is used to train large language models (LLMs), along with profiling and targeted advertising practices. Notices must be reachable through a conspicuous homepage hyperlink containing the word “privacy,” provided in each language the controller uses, and accessible to individuals with disabilities. Material retroactive changes to data practices require notice and an opportunity to withdraw consent.

Tighter Data Minimization and New Impact Assessments

Data collection must now be reasonably necessary and proportionate to the disclosed purposes, and material new secondary uses require fresh consent. Controllers that profile consumers to make legally significant decisions must conduct a dedicated impact assessment (separate from the existing data protection assessment) for processing activities created or generated on or after August 1, 2026.

Updated Controller Duties

Processing sensitive data now requires both a “reasonably necessary” basis and consent, and antidiscrimination obligations are reinforced to guard against unlawful disparate treatment.

The Bottom Line

Connecticut has shifted from a threshold-based law that mostly affected large companies to an expansive framework that can capture smaller organizations – particularly those that touch sensitive data, rely on ad-tech and targeted advertising, share data in ways that may count as a “sale,” or offer online features used by minors. With the Connecticut Attorney General’s cure period gone and enforcement already active, the cost of waiting has risen. Companies with any nexus to Connecticut should consider the following steps:

  • Reassess whether you are in scope. Given that the sensitive data and sale triggers under the amended CTDPA have no volume threshold, assume you may be in scope until confirmed otherwise.
  • Map your data. Inventory what personal and sensitive data you collect, how it is used, and with whom it is shared – including via tracking pixels and list exchanges.
  • Refresh privacy notices and consent flows. Disclose profiling, targeted advertising, and any use of personal data to train LLMs, and ensure notices are conspicuous, multilingual, and accessible.
  • Review profiling and automated decision-making. Build compliant processes to honor opt-out requests, provide explanations for how decisions were reached, and complete the new impact assessment for activities on or after August 1, 2026.
  • Strengthen protections for minors. Stop targeted advertising to, and sales of personal data of, individuals aged 13-17, and remove engagement-maximizing design features.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More