On June 24, 2025, Connecticut enacted Senate Bill 1295 (Public Act No. 25-113), the most significant amendments to the Connecticut Data Privacy Act (“CTDPA” or the “Act”) since the law took effect.
The amendments meaningfully expand who must comply with the CTDPA, broaden the categories of regulated data, and impose heightened obligations in connection with profiling, automated decision-making, sensitive data, the personal data of individuals under 18, and privacy disclosures.
The substantive amendments take effect July 1, 2026, with a separate August 1, 2026, trigger for the new profiling impact-assessment obligation. Because several of the new applicability triggers carry no volume threshold, organizations that previously fell outside the CTDPA—including smaller businesses and certain financial-services entities—should reassess their status now. Employers should note that the Act continues to exclude employee and business-to-business data from its scope. We discuss this and other important considerations below.
Key Changes Under SB 1295
Expanded Applicability—Including New “No-Threshold” Triggers
As of July 1, 2026, the CTDPA will apply to an entity that conducts business in Connecticut, or targets products or services to Connecticut residents, and that, during the preceding calendar year, satisfies any one of the following:
- controlled or processed the personal data of at least 35,000 consumers (reduced from 100,000), excluding data processed solely to complete a payment transaction;
- controlled or processed consumers’ sensitive data, excluding data processed solely to complete a payment transaction—regardless of volume; or
- offered consumers’ personal data for sale in trade or commerce—regardless of volume.
The prior threshold tied to entities deriving 25 percent or more of gross revenue from the sale of personal data has been removed. Because the second and third triggers contain no numerical threshold, any business that processes sensitive data or offers personal data for sale may now fall within the scope of the CTDPA.
Narrowed GLBA Exemption
The amendments replace the CTDPA’s entity-level GLBA exemption with a narrower data-level exemption, while adding new entity-level exemptions for certain institutions such as banks and insurers. Financial-services and fintech entities that are not separately exempt—and that process personal data outside the scope of the GLBA—may now be subject to the CTDPA with respect to that data and should map their data flows accordingly.
Broadened “Sensitive Data” Definition and New Sale Restriction
The definition of “sensitive data” is expanded to include additional categories, such as status as nonbinary or transgender, disability or treatment, neural data, certain government identifiers (e.g., driver’s license or passport numbers), specified financial-account information, and Social Security numbers. Processing sensitive data continues to require consent and must now also be reasonably necessary in relation to the disclosed purpose. In addition, the sale of sensitive data now requires separate consumer consent.
Strengthened Profiling and Automated Decision-Making Provisions
The amendments remove the word “solely” from the profiling opt-out, extending the right to cover profiling in furtherance of any automated decision that produces a legal or similarly significant effect—not only decisions made without human involvement. The definition of such a decision now expressly includes decisions made “on behalf of” a controller, which may capture determinations by third parties or service providers. Where feasible, consumers will be able to question the outcome of a covered decision, receive an explanation of how it was reached, review the personal data used, and—in housing-related contexts—correct inaccurate data and request re-evaluation.
Enhanced Consumer Rights
- The right to access now expressly includes inferences derived from a consumer’s personal data, as well as confirmation of covered profiling.
- A new right allows consumers to obtain a list of the third parties to which the controller has sold their personal data.
- Controllers may not disclose certain high-risk identifiers (e.g., Social Security numbers, biometric data, and specified financial data) in response to an access request; they must instead confirm that the data is held.
Heightened Protections for Individuals Under 18
The amendments raise the protected age range from 13–16 to 13–17 and impose a blanket prohibition on targeted advertising to, and the sale of personal data of, individuals the controller knows—or willfully disregards—are at least 13 and under 18. This prohibition applies regardless of consent. Controllers are also barred from using any system-design feature to significantly increase, sustain, or extend a minor’s use of an online service, and heightened profiling and assessment obligations apply to minors’ data.
Updated Privacy Notice Requirements
- Notices must disclose whether the controller uses or sells personal data to train large language models (LLMs), and whether it engages in profiling and targeted advertising.
- Notices must be reachable through a conspicuous homepage hyperlink containing the word “privacy,” provided in each language the controller uses in its business, and be accessible to individuals with disabilities.
- Material retroactive changes to data practices require notice to consumers and an opportunity to withdraw consent to further processing of previously collected data.
Adjusted Data Minimization and New Impact Assessments
Data collection must now be both reasonably necessary and proportionate to the disclosed purposes, and the amendments clarify when secondary uses (“material new purposes”) require fresh consent. Separately, controllers that engage in profiling to make a decision producing a legal or similarly significant effect must conduct a dedicated impact assessment. As noted above, this requirement applies to processing activities created or generated on or after August 1, 2026, and is distinct from the CTDPA’s existing data protection assessment obligation.
Note: Employee and B2B Data Are Excluded
A threshold point for employers: the CTDPA does not regulate employee or business-to-business personal data. The Act protects only a “consumer”—defined as a Connecticut resident acting in an individual or household capacity—and expressly excludes an individual acting in a commercial or employment context. SB 1295 does not alter this definition. Two related mechanisms reinforce the carve-out:
Contextual Exclusion From “Consumer”
- Employees, job applicants, owners, directors, officers, and contractors are not “consumers” when their interaction with the controller occurs solely within the employment or business relationship. An organization’s internal HR data about its own workforce therefore does not give rise to CTDPA consumer rights.
Data-Level Exemption
- The CTDPA separately exempts personal data processed or maintained in the course of an individual applying to, or acting as, an employee, agent, or independent contractor of a controller, processor, or third party—to the extent the data is collected and used within the context of that role—as well as emergency-contact and benefits-administration data used for those purposes.
Three Practical Caveats Warrant Attention
First, the exclusion is contextual, not personal: the same individual is a “consumer” as to activity outside the employment relationship—for example, an employee who is also a Connecticut resident purchasing the company’s products as a customer. Second, the exclusion is Connecticut-specific and does not extend across a multi-state footprint. California remains the notable divergence: the CCPA/CPRA brought HR and B2B data within scope, so an employer cannot assume the CTDPA’s carve-out maps onto its California obligations. Third, the carve-out addresses coverage of the data, not the entity: processing employee data does not, by itself, render an organization a controller, but an organization that is otherwise in scope through its consumer-facing activity remains subject to the Act as to that consumer data.
Compliance Dates at a Glance
The amendments phase in on a staggered basis:
| Effective Date | Obligation / Milestone |
| --- | --- |
| Through June 30, 2026 | The current CTDPA framework remains in effect, including the existing 100,000 / 25,000-consumer applicability thresholds and the entity-level Gramm-Leach-Bliley Act (GLBA) exemption. |
| July 1, 2026 | The substantive SB 1295 amendments take effect. This includes the lowered 35,000-consumer threshold and the new no-threshold triggers, the broadened “sensitive data” definition and related consent and sale restrictions, the expanded profiling and consumer-rights provisions, the heightened protections for individuals under 18, and the new privacy-notice content and presentation requirements. |
| August 1, 2026 | The new impact-assessment requirement for covered profiling applies to processing activities created or generated on or after this date. This obligation is distinct from, and may be in addition to, the CTDPA’s existing data protection assessment requirement. |
Connecticut’s statutory cure period sunset on December 31, 2024. As a result, the Office of the Attorney General is no longer required to offer an opportunity to cure before pursuing enforcement, and organizations should treat the July 1, 2026, effective date as a firm compliance deadline rather than the start of a grace period.
Recommended Actions
Organizations that do business in Connecticut or target Connecticut residents should consider the following steps:
- Reassess applicability under the 35,000-consumer threshold and the new no-threshold triggers for processing sensitive data and offering personal data for sale, and confirm whether any previously available exemption—in particular the GLBA exemption—still applies.
- Map data against the expanded definition of sensitive data and implement consent mechanisms for both the processing and the sale of such data.
- Update consumer-rights workflows to address inferences, the new third-party sale disclosure, covered profiling rights, and the restriction on returning high-risk identifiers in access responses.
- Evaluate processing of individuals under 18, assess actual-knowledge and willful-disregard exposure, and implement the prohibition on targeted advertising and sale for this age group.
- Refresh privacy notices to add the LLM-training disclosure and to satisfy the new placement, language, and accessibility requirements.
- Review profiling governance and assessment templates so that covered profiling activities created or generated on or after August 1, 2026, are supported by a compliant impact assessment.
Epstein Becker Green Staff Attorney Ann W. Parks contributed to the preparation of this post.