Connecticut just updated its privacy law again. Here's what brands need to know.

Connecticut doesn't wait around. The state has already updated its privacy law twice since 2023, with another round of changes landing soon.

Connecticut moves fast on privacy. Faster than most states. Since the Connecticut Data Privacy Act took effect in 2023, the state has already passed multiple rounds of amendments, published regular enforcement reports, and handed out its first fine.

Now there's another set of changes coming. If you sell to Connecticut consumers, they're worth understanding before October 1, 2026.

What's changing and what you need to know

Public Act 26-64 covers a lot of ground, including data broker deletion registries, surveillance pricing disclosures, and consumer rights around genetic testing data.

For most ecommerce brands, the changes that matter most fall into three areas.

Publicly available information just got narrower

Under most state privacy laws, publicly available information isn't considered personal data. That's an important carve-out, and one many businesses rely on.

Connecticut is tightening that definition.

Going forward, genetic data and non-consensual intimate images, including AI-generated images, are explicitly excluded from the publicly available carve-out.

More relevant for most businesses, personal data created by combining publicly available information with other personal data no longer qualifies either.

That matters because a lot of audience enrichment, customer profiling, and segmentation work involves layering public information onto existing customer records. Under this amendment, the resulting profile is considered personal data and carries the obligations that come with it.

The law also creates a new deletion right for profiles built from publicly available information collected from public-facing websites.

This provision is largely aimed at data aggregation sites, but it reflects a broader trend. Regulators are paying closer attention to how businesses collect, combine, and use publicly available information.

Precise geolocation can no longer be sold

Precise geolocation, anything that identifies a consumer's location within 1,750 feet, was already classified as sensitive data under the CTDPA.

That meant collecting or processing it required express consent. The new amendment goes further. Selling precise geolocation data is now prohibited.

This follows a similar restriction that took effect in Oregon earlier this year and reflects a broader trend. States are treating location data differently than other categories of personal information, with tighter restrictions continuing to emerge.

If precise geolocation data flows through your vendor stack in any capacity, now is a good time to understand where it goes, who has access to it, and whether it gets shared downstream.

Facial recognition in retail now has specific rules

This one is more niche, but worth noting if you operate physical retail locations.

Facial recognition for loss prevention has lived in something of a gray area. The technology processes biometric data, which is considered sensitive data under Connecticut law, but security-related activities have historically been treated differently.

The new amendments provide a clearer framework.

Businesses using facial recognition for loss prevention must:

  • Maintain facial recognition databases themselves rather than storing them with third-party vendors
  • Post signage at public entrances informing consumers that facial recognition technology is in use
  • Include a QR code or link to a facial recognition policy that provides contact information for the Connecticut Attorney General

If your business uses facial recognition technology, the compliance path is now much clearer.

If not, it's still worth paying attention. Biometric data continues to receive heightened scrutiny across state privacy laws, and requirements around how it's collected and used are becoming more defined.

The bigger pattern

Connecticut isn't an outlier. It's often an early signal of where privacy requirements are headed.

Over the last several years, states have continued expanding requirements around biometric data, geolocation, consumer rights, and what qualifies as personal information. Connecticut's latest amendments fit squarely within that trend.

For ecommerce teams, privacy requirements rarely change in isolation. They evolve alongside vendors, tracking setups, customer data practices, and the countless updates that happen across a storefront over time.

That's why compliance gaps often build quietly. A new vendor gets added, tracking changes, or customer data starts flowing somewhere new. Eventually, privacy workflows, policies, and configurations no longer fully reflect how the business operates today.

The October 1 deadline gives teams an opportunity to review where these updates intersect with their vendors, customer data practices, and existing privacy workflows before the new requirements take effect.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
