Connecticut Enacts Amendments to State’s Data Privacy Law

Tatum Andres, John Brigagliano, Meghan Farmer
Kilpatrick
Contact
LinkedIn
Facebook
X
Send
Embed

Kilpatrick

On June 25, 2025, Governor Ned Lamont signed Connecticut Senate Bill 1295 into law. SB 1295 significantly amends the Connecticut Data Privacy Act (CTDPA) by lowering the threshold for applicability, broadening the definition of sensitive data, and introducing more stringent data minimization and children’s data protections.

The bottom line:

This amendment broadens the CTDPA’s reach, meaning many businesses that were previously outside its scope may now fall under it. While the original threshold applied to those controlling or processing the personal data of 100,000 consumers, the revised law lowers that bar to just 35,000 Connecticut residents, triggering new compliance obligations for a somewhat wider range of organizations. The bill also removes the GLBA-entity level exception. The amendment also introduced heightened requirements for data collection, use, and consumer rights especially for sensitive data, minors, and profiling activities.

Key categories of change:

  • GLBA Entity-Level Exception Removed: The amendment removes the law’s entity level (but not data level) GLBA exception. Financial institutions (as the GLBA broadly defines them) are now subject to the law with respect to non-GLBA data.
  • Applicability Thresholds Lowered: Now applies to businesses processing data of 35,000 consumers (down from 100,000), any amount of sensitive data (excluding personal data controlled or processed solely for completing a payment transaction), or those offering consumers’ personal data for sale in trade or commerce.
  • Expanded Definition of Sensitive Data: Includes neural data, crime victim status, financial credentials, precise geolocation, and more.
  • Stricter Data Minimization Requirements: Data must be “reasonably necessary and proportionate” to disclosed purposes.
  • New Restrictions on Minors’ Data: Prohibits selling data or using it for targeted ads for ages 13–17, even with consent.
  • New Rights Around Profiling & AI: Consumers can now contest automated decisions with legal or significant impacts, including reviewing and correcting data.

What you need to do:

Determine if your organization now falls within the CTDPA’s expanded scope. If so, review and revise your privacy notices, consent processes, and data practices, especially for sensitive data, profiling, and teen users, to ensure compliance before the law takes effect on July 1, 2026.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Kilpatrick

Written by:

Kilpatrick
Kilpatrick
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Kilpatrick on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide