On June 24, 2025, the Connecticut governor signed into law SB 1295, a bill amending the Connecticut Data Protection Act (CTDPA). The bill will cause CTDPA to reach more entities, more data, and more data processing activities when its changes become effective next July.
This post highlights some of the most significant changes that will result from SB1295 and provides recommendations for companies to assess (or reassess) their obligations under the law.
More Entities Will Be In Scope
The CTDPA applies to entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and that satisfy certain data processing or sales thresholds. With SB 1295, Connecticut has redrawn the applicability of the CTDPA, including by lowering its general processing threshold, modifying available exemptions, and expanding applicability to entities engaged in certain activities regardless of whether they meet the law’s thresholds.
- Lowered Processing Threshold: SB 1295 lowers the general CTDPA processing threshold—which is currently set at 100,000 Connecticut residents in the preceding calendar year—to 35,000 Connecticut residents. That reduction could cause the CTDPA to apply to a much larger group of entities than it currently does when it comes into effect next year.
- Removed Sales Thresholds: In addition to its general processing threshold, the CTDPA applies to entities that conduct business in Connecticut or produce products or services targeted to Connecticut if they controlled or processed personal data of at least 25,000 Connecticut residents and derived over 25% of gross revenue from the “sale” of personal data. SB 1295 removes these processing and revenue thresholds for entities that engage in sales of Connecticut residents’ personal data, and expands CTDPA’s applicability to any entities that “offer consumers’ personal data for sale in trade or commerce,” regardless of any processing or revenue thresholds. Notably, although the CTDPA defines “sale” as an exchange of personal data for monetary or other valuable consideration, this criterion does not require an entity to generate revenue or to receive other benefits from sales of Connecticut residents’ personal data—it requires only that the entity “offer” that data for sale.
- No Thresholds Applicable to Processing of Sensitive Data: SB 1295 adds a new criterion that will expand the CTDPA to entities that control or process any sensitive data (excluding sensitive data processed solely to complete a payment transaction). Not only has Connecticut expanded this applicability trigger, but SB 1295 also expands the definition of sensitive data (discussed below).
- Overhauled Exemptions: SB 1295 removes the CTDPA’s general entity-level exemption for entities subject to the Gramm-Leach-Bliley Act (GLBA) and replaces it with a more limited entity-level exemption for specific financial institutions, such as certain banks, credit unions, and insurers. SB 1295 does, however retain the CTDPA’s exemption for GLBA-covered data.
As a result of SB 1295’s revisions to the law’s applicability criteria, the CTDPA will cover more entities than ever before, including those that may previously have determined the CTDPA was not applicable to their business due to a data processing threshold or exemption.
Sensitive Subjects
Another major change that SB 1295 makes to the CTDPA is its expansion of the definition of “sensitive data,” to include a number of types of data, including:
- data revealing a mental or physical disability or treatment, to accompany condition or diagnosis which were already considered sensitive data;
- data revealing a resident’s status as nonbinary or transgender;
- information derived from genetic or biometric data, which is no longer required to be processed for the purpose of uniquely identifying an individual to constitute sensitive data;
- neural data (defined as “any information that is generated by measuring the activity of an individual’s central nervous system”);
- a financial account number, account log-in information, or credit or debit card number, when combined with certain information that would permit access a Connecticut resident’s financial account; and
- any government-issued identification number, including a Social Security number or driver’s license number.
SB 1295 is not the first time Connecticut has expanded its definition of sensitive data. In 2023, Connecticut amended the CTDPA to include consumer health data and individual crime victim status. The redesignation of a data category as sensitive can have a big impact on entities that process one category of covered personal information but not another. This is particularly true for Connecticut, where SB 1295 not only extends heightened requirements to these data, but also expands the scope of the CTDPA to reach entities processing any sensitive data.
It’s All About the Kids
Some of the most impactful changes to the CTDPA resulting from SB 1295 are those related to the processing of data of minors. Connecticut previously amended the CTDPA to add opt-in consent requirements for certain minor data processing activities, including collecting precise geolocation data and processing minors’ personal data for targeted advertising, that went into effect October 1, 2024. Among its new requirements related to minor data processing, SB 1295 amends the CTPDA to impose a complete ban on the processing of personal data of Connecticut teenaged residents under 18 for purposes of targeted advertising or data sales.
The result of these changes could be wide-ranging. Companies that engage in any data processing activities that are restricted or prohibited under the new amendments, such as targeted advertising, will be required to establish separate processes when the company has actual knowledge, or willfully disregards, that personal data belongs to minors. SB 1295 also requires an impact assessment, in addition to Connecticut’s previously required data protection assessment, for controllers that processes minor data for purposes of profiling.
Enforcement Warning
As we’ve written about recently, the Connecticut Office of the Attorney General (OAG) is sharply focused on enforcing CTDPA requirements. Just last week the OAG announced an $85,000 settlement with one entity for alleged deficiencies in the company’s privacy policy in violation of the CTDPA. SB 1295 makes several changes to the CTDPA that the OAG emphasized in its annual report, such as requirements related to privacy notices, minor data treatment, and thresholds and exemptions to the law. Connecticut’s mandatory cure period sunset at the end of 2024, so entities will need to be prepared as the requirements of SB 1295 come into effect next year.
What’s Next?
For companies that have already determined they are subject to the CTDPA, it’s time for a compliance checkup. For everyone else, it’s time to reassess:
- reviewing business operations and data processing activities to determine whether the company triggers any of the updated applicability;
- confirming whether any exemptions previously relied upon are still available;
- updating data classifications as necessary to address “sensitive data” categories; and
- ensuring internal processes account for new restrictions and prohibitions related to minor data processing.
Companies that will become (or are already) subject to the CTDPA will then need to account for the other new requirements in the law, such as by updating policies to comply with new consumer rights.
Covered entities have until July 1, 2026, to comply with most of the CTDPA’s new requirements, but remember – there’s no guaranteed cure period attached, so entities will need to be ready.
