August 5, 2025
Extensive Changes to Connecticut’s Privacy Law
Connecticut has passed a long list of changes to its privacy law, adding to the growing complexity of the patchwork of state privacy laws in the U.S.

Connecticut remains determined to stay at the forefront of privacy regulation. In June 2025, the state passed Senate Bill 1295, containing numerous amendments to its existing data privacy law.

These changes, which are slated to take effect in July 2026, seem largely aimed at bringing it in line with other privacy laws like the California Consumer Privacy Act and the Colorado Privacy Act. Since Connecticut became the first state besides California to announce a fine for violations of its data privacy law, businesses should pay special attention to developments in the state.

Here is a summary of the most important changes to the Connecticut Data Privacy Act (CTDPA) from SB 1295.

Reduced Thresholds

Before even getting into the new rules, perhaps the most important change is that a lot more businesses will have to start complying with the CTDPA. Like most state privacy laws, the CTDPA applies to businesses that meet certain thresholds, i.e., the number of consumers (state residents) whose data they process in a year. 

Previously, the primary threshold under the CTDPA was 100,000 consumers; SB 1295 revises that number down to just 35,000. If a company does business in the state, even if only online, and collects personal data from 35,000+ Connecticut residents in a year, then the CTDPA applies. Considering that virtually every commercial website collects personal data from each of its visitors, that number adds up quickly.

Even more dramatically, SB 1295 removes numerical thresholds altogether for certain types of processing, meaning the CTDPA applies to businesses regardless of size or the number of consumers they collect personal data from if they do one of the following:

  • Process consumers’ sensitive data (see below for more info), or
  • Offer consumers' personal data for sale in trade or commerce

The second one in particular could result in many more businesses needing to consider privacy compliance. “Sale of personal data” under the CTDPA means exchanging data for money “or other valuable consideration.” Participating in marketing cooperatives (Shopify’s Network Intelligence, for example) is likely considered a sale; potentially, even the use of such common tools as Google Analytics could fall under this umbrella. It's not clear if offering data for sale "in trade or commerce" refers to these types of arrangements, or if the legislature meant for this to apply only to data brokers.

Businesses that previously thought themselves safe from privacy regulation should take a close look at the new thresholds.

Sensitive Data

The new amendments add significantly to the list of types of personal data that are considered “sensitive data.” 

Any processing of sensitive data will now require a business to comply with the CTDPA (see above). Such processing must be reasonably necessary and requires a consumer’s express consent. Any sale of sensitive data will also require additional consent.

Here is the full list of categories of sensitive data, with new additions in italics.

  • Data revealing:
    • Racial or ethnic origin
    • Religious beliefs
    • Mental or physical health condition, diagnosis, disability or treatment
    • Sex life, sexual orientation, or status as nonbinary or transgender
    • Citizenship or immigration status
  • Consumer health data
  • Genetic or biometric data or information derived therefrom
  • Personal data from a child under 13
    • If a business has actual knowledge or willfully disregards that they are a child
  • Data concerning an individual’s status as a victim of a crime
  • Precise geolocation
  • Neural data
  • A consumer’s financial account number, financial account log-in info, or credit card or debit card number that, in combination with access codes, passwords, or credentials, would allow for access to a consumer’s financial account.
  • Government issued identification numbers

Clarifications Around Access Requests

Access requests are nothing new, but SB 1295 adds a bit more detail about how businesses should respond to them. The changes clarify that businesses must provide access to any inferences about the consumer derived from their personal data and also disclose whether they have used the consumer’s data for profiling to make decisions that produce a legal or similarly significant effect for the consumer.

Additionally, SB 1295 makes clear that businesses should not provide any of the following types of personal information (at least not in un-redacted form) in response to an access request:

  • Social Security numbers
  • Other government-issued ID numbers
  • Financial account numbers
  • Health-insurance or medical ID numbers
  • Account passwords
  • Log-in security questions or answers
  • Biometric data

Businesses should still inform consumers that they have collected this data, without revealing the full details. For example, they might disclose the last two digits of an account number, or disclose that they’ve collected a consumer’s fingerprints.

This is a welcome clarification that largely mirrors similar rules under the CCPA. However, it should be noted that no business should be providing the above information in un-redacted form in response to an access request in any state, regardless of whether its privacy law has specifically addressed the issue.

The amendments also give consumers the right to request a list of specific third parties to whom their personal data has been sold.

New Profiling Rights

Taking apparent inspiration from Minnesota’s privacy law (which went into effect in July 2025), the CTDPA will have a new right to question profiling results.

If a business uses a consumer’s personal data for profiling in furtherance of an automated decision that produces a legal or similarly significant effect (such as access to housing, loans, employment, etc.), the consumer has the right:

  • To question the result of the profiling
  • To be informed of the reason that the profiling produced the decision
  • To review the personal data used in the profiling
  • If the decision concerned housing, to correct any incorrect personal data and have the decision reevaluated based on the corrected data

Expanded Protections for Minors

Following a general trend among state legislatures, Connecticut has expanded privacy protections for minors and young children.

Beyond “Actual Knowledge”

When it comes to children’s data, the existing version of the CTDPA, along with most other state privacy laws, defines it as sensitive data when it comes from a “known child” (i.e., under 13). In other words, it applies when a business has actual knowledge of the consumer’s age.

The new bill broadens this standard, saying that data is sensitive if the business “has actual knowledge, or wilfully disregards” that it is from a child. Though we don’t know exactly what that means, businesses should probably consider factors like the nature of their services (i.e., are they directed intentionally to children) and creating marketing segments based on likely age.

Minors Under 18

Senate Bill 1295 builds on existing rules concerning consumers under the age of 16, which require consent before selling their personal data or using it for targeted advertising. 

First, the new rules raise the age to apply to anyone under the age of 18. Second, businesses are outright prohibited from selling minors’ data or using it for targeted advertising, regardless of consent.

The bill also amends Connecticut’s age-appropriate design code provisions, including by restricting businesses’ ability to profile minors and track their precise geolocation, as well as imposing a requirement to prepare an impact assessment.

Privacy Notice Requirements

The CTDPA will also be adding a number of new requirements for privacy notices.

  • The privacy notice must be available through a link on the business’s home page, app settings menu, and/or app download page that includes the word “privacy”
  • Notices must be available in all languages used in the regular course of business
  • Following any material change to the privacy notice, businesses must inform consumers of the changes and provide a reasonable opportunity for consumers to withdraw consent to further processing of their data
  • Provide the most recent month and year during which the notice was updated
  • Instead of including the categories of personal data shared with third parties (and the categories of those third parties), notices must disclose the categories of personal data that are sold to third parties
  • Must include a clear disclosure of any processing or sale of personal data for the purpose of targeted advertising
  • Must include a statement disclosing whether the controller collects, uses or sells personal data for the purpose of training large language models

Impact Assessment for Profiling

The CTDPA already requires businesses to carry out a data protection assessment for any profiling that presents a reasonably foreseeable risk of substantial injury to consumers.

The new bill additionally requires businesses to conduct an impact assessment for any profiling in furtherance of decisions that produce legal or similarly significant effects. This seems to be slightly different from a typical DPA, and must include:

  • A statement disclosing the purpose, intended use cases and deployment context, and benefits afforded by the profiling
  • An analysis of whether the profiling poses any known or foreseeable heightened risk of harm to consumers, and if so, the nature of the risk and the steps taken to mitigate it
  • A description of the main categories of personal data used as inputs, and the outputs produced
  • An overview of the main categories of personal data used to customize the profiling
  • Any metrics used to evaluate the performance and known limitations of the profiling
  • A description of any transparency measures taken
  • A description of post-deployment monitoring and user safeguards to address issues arising from the profiling

As with data protection assessments, impact assessments remain confidential even when they are requested by the attorney general.

Data Minimization Changes

Borrowing from California’s regulations, SB 1295 modifies and clarifies Connecticut’s data minimization rules. 

Businesses must limit the collection of personal data to what is reasonably necessary and proportionate to the purposes disclosed to the consumer at the time of collection. Unless they get consent, businesses may not use consumers’ personal data for any material new purpose that is neither reasonably necessary to nor compatible with the disclosed purposes. In this regard, businesses should take into account:

  • The consumer’s reasonable expectations based on the purposes that were disclosed at the time of collection
  • The relationship between the new purpose and the disclosed purposes
  • The impact the new purpose might have on the consumer
  • The relationship between the business and the consumer, and the context in which the data was collected
  • The existence of additional safeguards (such as encryption and pseudonymization) for the new purposes

Tweaks to Exemptions

This won’t matter to most businesses, but SB 1295 also makes some changes to the statute’s exemption provisions.

  • Political organizations, such as political parties and committees, are exempted
  • Insurers are exempted
  • Banks and credit unions that are solely engaged in financial activities and have a program to comply with applicable requirements are exempted
  • Interestingly, in light of the above point, the exemption for entities covered by the Gramm-Leach-Bliley Act is narrowed to a data-level exemption
  • Investment brokers and advisers are exempted

Stay Current on Compliance with TrueVault

Privacy rules for business are not static; they are being updated all the time. There’s no such thing as one-and-done compliance, so businesses need a privacy solution that adapts to changes in the law.

TrueVault helps businesses of all sizes get compliant fast, and then stay that way via regular updates that incorporate the latest requirements and guidance from regulators. This includes adding in new state privacy laws as they go into effect—at no additional cost.

Contact our team today to learn how TrueVault can help your business stay up-to-date with privacy compliance.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
