On June 24, 2025, Connecticut enacted Senate Bill 1295 (Public Act No. 25-113), the most significant amendments to the Connecticut Data Privacy Act (“CTDPA” or the “Act”) since the law took effect.

The amendments meaningfully expand who must comply with the CTDPA, broaden the categories of regulated data, and impose heightened obligations in connection with profiling, automated decision-making, sensitive data, the personal data of individuals under 18, and privacy disclosures.

The substantive amendments take effect July 1, 2026, with a separate August 1, 2026, trigger for the new profiling impact-assessment obligation. Because several of the new applicability triggers carry no volume threshold, organizations that previously fell outside the CTDPA—including smaller businesses and certain financial-services entities—should reassess their status now. Employers should note that the Act continues to exclude employee and business-to-business data from its scope. We discuss this and other important considerations below.

Key Changes Under SB 1295

Expanded Applicability—Including New “No-Threshold” Triggers

As of July 1, 2026, the CTDPA will apply to an entity that conducts business in Connecticut, or targets products or services to Connecticut residents, and that, during the preceding calendar year, satisfies any one of the following:

  • controlled or processed the personal data of at least 35,000 consumers (reduced from 100,000), excluding data processed solely to complete a payment transaction;
  • controlled or processed consumers’ sensitive data, excluding data processed solely to complete a payment transaction—regardless of volume; or
  • offered consumers’ personal data for sale in trade or commerce—regardless of volume.

The prior threshold tied to entities deriving 25 percent or more of gross revenue from the sale of personal data has been removed. Because the second and third triggers contain no numerical threshold, any business that processes sensitive data or offers personal data for sale may now fall within the scope of the CTDPA.

Narrowed GLBA Exemption

The amendments replace the CTDPA’s entity-level GLBA exemption with a narrower data-level exemption, while adding new entity-level exemptions for certain institutions such as banks and insurers. Financial-services and fintech entities that are not separately exempt—and that process personal data outside the scope of the GLBA—may now be subject to the CTDPA with respect to that data and should map their data flows accordingly.

Broadened “Sensitive Data” Definition and New Sale Restriction

The definition of “sensitive data” is expanded to include additional categories, such as status as nonbinary or transgender, disability or treatment, neural data, certain government identifiers (e.g., driver’s license or passport numbers), specified financial-account information, and Social Security numbers. Processing sensitive data continues to require consent and must now also be reasonably necessary in relation to the disclosed purpose. In addition, the sale of sensitive data now requires separate consumer consent.

Strengthened Profiling and Automated Decision-Making Provisions

The amendments remove the word “solely” from the profiling opt-out, extending the right to cover profiling in furtherance of any automated decision that produces a legal or similarly significant effect—not only decisions made without human involvement. The definition of such a decision now expressly includes decisions made “on behalf of” a controller, which may capture determinations by third parties or service providers. Where feasible, consumers will be able to question the outcome of a covered decision, receive an explanation of how it was reached, review the personal data used, and—in housing-related contexts—correct inaccurate data and request re-evaluation.

Enhanced Consumer Rights

  • The right to access now expressly includes inferences derived from a consumer’s personal data, as well as confirmation of covered profiling.
  • A new right allows consumers to obtain a list of the third parties to which the controller has sold their personal data.
  • Controllers may not disclose certain high-risk identifiers (e.g., Social Security numbers, biometric data, and specified financial data) in response to an access request; they must instead confirm that the data is held.

Heightened Protections for Individuals Under 18

The amendments raise the protected age range from 13–16 to 13–17 and impose a blanket prohibition on targeted advertising to, and the sale of personal data of, individuals the controller knows—or willfully disregards—are at least 13 and under 18. This prohibition applies regardless of consent. Controllers are also barred from using any system-design feature to significantly increase, sustain, or extend a minor’s use of an online service, and heightened profiling and assessment obligations apply to minors’ data.

Updated Privacy Notice Requirements

  • Notices must disclose whether the controller uses or sells personal data to train large language models (LLMs), and whether it engages in profiling and targeted advertising.
  • Notices must be reachable through a conspicuous homepage hyperlink containing the word “privacy,” provided in each language the controller uses in its business, and be accessible to individuals with disabilities.
  • Material retroactive changes to data practices require notice to consumers and an opportunity to withdraw consent to further processing of previously collected data.

Adjusted Data Minimization and New Impact Assessments

Data collection must now be both reasonably necessary and proportionate to the disclosed purposes, and the amendments clarify when secondary uses (“material new purposes”) require fresh consent. Separately, controllers that engage in profiling to make a decision producing a legal or similarly significant effect must conduct a dedicated impact assessment. As noted in the dates section above, this requirement applies to processing activities created or generated on or after August 1, 2026, and is distinct from the CTDPA’s existing data protection assessment obligation.

Note: Employee and B2B Data Are Excluded

A threshold point for employers: the CTDPA does not regulate employee or business-to-business personal data. The Act protects only a “consumer”—defined as a Connecticut resident acting in an individual or household capacity—and expressly excludes an individual acting in a commercial or employment context. SB 1295 does not alter this definition. Two related mechanisms reinforce the carve-out:

Contextual Exclusion From “Consumer”

  • Employees, job applicants, owners, directors, officers, and contractors are not “consumers” when their interaction with the controller occurs solely within the employment or business relationship. An organization’s internal HR data about its own workforce therefore does not give rise to CTDPA consumer rights.

Data-Level Exemption

  • The CTDPA separately exempts personal data processed or maintained in the course of an individual applying to, or acting as, an employee, agent, or independent contractor of a controller, processor, or third party—to the extent the data is collected and used within the context of that role—as well as emergency-contact and benefits-administration data used for those purposes.

Three Practical Caveats Warrant Attention

First, the exclusion is contextual, not personal: the same individual is a “consumer” as to activity outside the employment relationship—for example, an employee who is also a Connecticut resident purchasing the company’s products as a customer. Second, the exclusion is Connecticut-specific and does not extend across a multi-state footprint. California remains the notable divergence: the CCPA/CPRA brought HR and B2B data within scope, so an employer cannot assume the CTDPA’s carve-out maps onto its California obligations. Third, the carve-out addresses coverage of the data, not the entity: processing employee data does not, by itself, render an organization a controller, but an organization that is otherwise in scope through its consumer-facing activity remains subject to the Act as to that consumer data.

Compliance Dates at a Glance

The amendments phase in on a staggered basis:

| Effective Date | Obligation / Milestone |
| --- | --- |
| Through June 30, 2026 | The current CTDPA framework remains in effect, including the existing 100,000 / 25,000-consumer applicability thresholds and the entity-level Gramm-Leach-Bliley Act (GLBA) exemption. |
| July 1, 2026 | The substantive SB 1295 amendments take effect. This includes the lowered 35,000-consumer threshold and the new no-threshold triggers, the broadened “sensitive data” definition and related consent and sale restrictions, the expanded profiling and consumer-rights provisions, the heightened protections for individuals under 18, and the new privacy-notice content and presentation requirements. |
| August 1, 2026 | The new impact-assessment requirement for covered profiling applies to processing activities created or generated on or after this date. This obligation is distinct from, and may be in addition to, the CTDPA’s existing data protection assessment requirement. |


Connecticut’s statutory cure period sunset on December 31, 2024. As a result, the Office of the Attorney General is not required to offer an opportunity to cure before pursuing enforcement, and organizations should treat the July 1, 2026, effective date as a firm compliance deadline rather than the start of a grace period.

Recommended Actions

Organizations that do business in Connecticut or target Connecticut residents should consider the following steps:

  • Reassess applicability under the 35,000-consumer threshold and the new no-threshold triggers for processing sensitive data and offering personal data for sale, and confirm whether any previously available exemption—in particular the GLBA exemption—still applies.
  • Map data against the expanded definition of sensitive data and implement consent mechanisms for both the processing and the sale of such data.
  • Update consumer-rights workflows to address inferences, the new third-party sale disclosure, covered profiling rights, and the restriction on returning high-risk identifiers in access responses.
  • Evaluate processing of individuals under 18, assess actual-knowledge and willful-disregard exposure, and implement the prohibition on targeted advertising and sale for this age group.
  • Refresh privacy notices to add the LLM-training disclosure and to satisfy the new placement, language, and accessibility requirements.
  • Review profiling governance and assessment templates so that covered profiling activities created or generated on or after August 1, 2026, are supported by a compliant impact assessment.

Epstein Becker Green Staff Attorney Ann W. Parks contributed to the preparation of this post.
