Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jul 01, 2026 · 8 min read

Connecticut's Toughest Privacy Rules Take Effect July 1

The CTDPA amendments in SB 1295, signed by Governor Ned Lamont on June 25, 2025, go live July 1, 2026 — lowering the coverage threshold to 35,000 consumers, adding neural data to the sensitive category, and forcing new disclosures about training large language models.

Connecticut's privacy law just got significantly harder to ignore. As of today, the amendments to the Connecticut Data Privacy Act (CTDPA) signed by Governor Ned Lamont on June 25, 2025 are live — and they reshape who must comply, what data is protected, and what rights consumers can exercise against automated decisions made about them.

Key Takeaways

  • Connecticut SB 1295, signed June 25, 2025, takes effect July 1, 2026 and is the most sweeping overhaul of the CTDPA since the law passed.
  • The applicability threshold drops from 100,000 to 35,000 Connecticut consumers — and any entity processing even one consumer's sensitive data is now covered regardless of volume.
  • Neural data — information generated by measuring activity in an individual's central nervous system — is now sensitive data requiring opt in consent before processing.
  • The cure period for CTDPA violations expired in December 2024, so the Connecticut Attorney General can pursue enforcement immediately upon discovering a violation, with no warning required.
  • Connecticut becomes one of roughly 20 states with an active comprehensive privacy law, making multi state compliance a baseline expectation for any mid size business operating nationally.

Who Has to Comply Now?

The previous CTDPA applied to entities controlling or processing personal data of at least 100,000 Connecticut consumers annually, or at least 25,000 consumers if the business derived more than 25% of revenue from selling personal data. Those thresholds made the law easy for mid size companies to sidestep.

That changes today. SB 1295 lowers the primary threshold to 35,000 consumers. More significantly, any entity that processes even a single Connecticut consumer's sensitive data — in any volume — is now covered, as is any entity that sells personal data regardless of how much. A Connecticut facing SaaS company with a few thousand users is now in scope if it collects health information, financial credentials, or any of the newly added sensitive categories.

The Connecticut State Capitol building in Hartford under soft daylight, representing the state's expanded data privacy law

What Is Neural Data and Why Is It Protected?

Neural data is newly defined under the amended CTDPA as information generated by measuring the activity of an individual's central nervous system. This covers EEG readings, brain computer interface outputs, and data collected by neurofeedback devices — but Connecticut's definition stops at the central nervous system (brain and spinal cord), excluding peripheral nerve activity.

As the Future of Privacy Forum has documented, defining neural data precisely is a legislative challenge: too broad and it captures ordinary biometric data; too narrow and it misses meaningful threats. Connecticut's formulation tracks the brain spine boundary, which is narrower than some proposed frameworks but still covers consumer wearables used in meditation, focus, and gaming applications.

Businesses processing this data must now obtain opt in consent — the same heightened standard that applies to all sensitive data under the CTDPA.

What Else Counts as Sensitive Data Now?

The sensitive data category gets six additions under SB 1295:

  • Mental or physical health disability or treatment information
  • Transgender or nonbinary status
  • Information derived from genetic or biometric data
  • Neural data (newly defined, as described above)
  • Financial account numbers, credentials, and login information
  • Government issued identification numbers (driver's licenses, passports, Social Security numbers)

Each of these categories now requires opt in consent before processing. Controllers who have been relying on implied consent or legitimate interest grounds for financial or health adjacent data need to revisit those legal bases immediately.

The Wiley analysis of the CTDPA amendments also flags that SB 1295 now expressly prohibits selling sensitive data without consumer consent — a prohibition that didn't exist in the original law.

What Changes on July 1 for Automated Profiling?

This is where the CTDPA overhaul moves furthest from its predecessors. The original law gave consumers opt out rights for profiling decisions based "solely" on automated processing that produced legal or similarly significant effects. The amended law removes "solely" — opt out now covers any automated decision with legal or significant effects, even if a human reviews the output at some point.

Consumers also gain new rights in this area:

  • The right to question an automated decision's outcome
  • The right to be told the reasoning behind it
  • The right to review the data used to reach it
  • In housing contexts specifically, the right to correct inaccurate data and request reevaluation

Controllers running credit, insurance, housing, or employment scoring models need to build these rights into their response infrastructure before any enforcement action gives them cause to scramble.

Data protection impact assessments are now required for profiling activities with legal or significant effects — but only for activities created or generated on or after August 1, 2026. Existing profiling processes are not grandfathered indefinitely; organizations should treat August 1 as a hard deadline to assess new pipelines.

The GLBA Exemption Narrows

Financial institutions leaning on the entity level Gramm-Leach-Bliley Act exemption under the original CTDPA should note that SB 1295 replaces it with a data level exemption. The shift is meaningful: an institution can no longer claim blanket CTDPA exemption because it is a GLBA regulated entity. Only the specific data regulated under GLBA is exempt. Non GLBA data held by the same organization — marketing lists, behavioral analytics, web tracking data — falls back under CTDPA jurisdiction.

New Disclosure: LLM Training

Controllers must now disclose whether they collect, use, or sell personal data for the purpose of training large language models. This applies in the controller's privacy notice and presumably in responses to consumer rights requests. It is one of the first US state law provisions to explicitly name LLM training as a processing purpose requiring transparency — a direct response to the wave of AI companies quietly using customer data to improve their models.

Heightened Protections for Minors

Controllers are categorically prohibited from processing minors' personal data for targeted advertising or sale, regardless of consent. The amendments also bar collecting precise geolocation data from minors unless strictly necessary for the requested service. Connecticut has effectively eliminated consent as an escape valve for minor targeted data processing — if the baseline prohibition applies, no opt in from a parent overrides it.

Why Email Users Should Care

The profiling opt out expansion has a direct parallel in email marketing. Every open tracking pixel and click tracking link generates behavioral signals — when you read, what you clicked, how long you lingered — that feed into engagement scores, send time optimization models, and list segmentation. Under the amended CTDPA, if those behavioral profiles feed into decisions with significant effects on Connecticut consumers, those consumers now have opt out rights, access rights, and the ability to contest the outcome. Email marketers building profiles from inbox behavior should treat the new profiling rules as directly applicable, not merely analogous. The EDPB's parallel crackdown on email tracking disclosures under GDPR suggests this direction is global, not just a Connecticut concern.

What Should Businesses Do Before July 1?

The cure period for CTDPA violations expired in December 2024. There is no required notice period before enforcement begins. Four steps deserve immediate attention:

  1. Recheck your applicability. If your Connecticut consumer count is between 35,000 and 100,000, or if you process any sensitive data from Connecticut residents, you are now in scope. Run a threshold analysis against the new criteria.
  2. Audit your sensitive data inventory. The six new categories — particularly financial credentials, government IDs, and neural data — may already be in your systems under different labels. Map them, confirm legal bases, and build consent flows where they don't exist.
  3. Review your GLBA exemption claims. If your privacy compliance has relied on entity level GLBA exemption, categorize which data is genuinely GLBA regulated and which falls outside that scope. The latter needs CTDPA treatment now.
  4. Update your privacy notice for LLM training. If your organization uses personal data to train, fine tune, or evaluate any large language model — including through a third party vendor — that must now be disclosed. This is a novel affirmative requirement with no grace period.

For a broader view of the multi state compliance landscape, the SECURE Data Act federal preemption debate is worth tracking — Congress is still working out whether a federal standard will override state laws like Connecticut's, and the outcome will determine whether today's compliance investments need to be rebuilt on a different foundation.

Looking Ahead

Connecticut joins a cohort of states — including California, Virginia, Texas, and Oregon — that have moved toward stricter enforcement postures and broader scope in their second generation privacy amendments. The cure period expiration, the GLBA narrowing, and the new sensitive data categories together make Connecticut's law among the most demanding in the US. Organizations that built CTDPA compliance programs when the original law passed in 2022 should treat SB 1295 as a substantial rebuild, not a patch. Connecticut's own enforcement record — 1,830 reported breaches in 2025 alone — suggests the Attorney General's office has both the data and the appetite to use these new tools.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.