Connecticut Amends the Connecticut Data Privacy Act
Wednesday, August 6, 2025
Print Mail Download info_icon_img/>i

On June 24, 2025, Connecticut enacted SB 1295, which adds another round of amendments to the Connecticut Data Privacy Act (“CTDPA”). While most of the changes will take effect on July 1, 2026, impact assessment requirements will apply to processing activities created or generated on or after August 1, 2026. The following is a summary of key amendments to the law.

Expanded Applicability

The CTDPA now applies to entities that meet any of the following thresholds:

  • control or process the personal data of at least 35,000 consumers;
  • control or process consumers’ sensitive data, excluding personal data controlled or processed solely for the purposes of completing a payment transaction; or
  • offer consumers’ personal data for sale.

This significantly broadens the applicability of the CTDPA, as the CTDPA previously only applied to entities that controlled or processed the personal data of at least 100,000 consumers or controlled or processed the personal data of at least 25,000 consumers and derived 25% or more of their gross revenue from the sale of personal data. 

Notably, the amended CTDPA removes the entity-level Gramm-Leach-Bliley Act exemption but includes a data-level exemption. 

Additionally, the definition of sensitive data has been expanded and now includes categories such as disability or treatment, status as nonbinary or transgender, genetic or biometric data or information derived therefrom (i.e., with the words “for the purpose of uniquely identifying an individual” removed), neural data, and certain financial and government ID information.

Revisions to Access Right

The CTDPA’s consumer rights framework has also been revised. Notably, the right to access now explicitly includes the right to know the inferences, and has been updated with respect to profiling (see below). Additionally, the law now prohibits controllers from disclosing certain higher-risk identifiers (e.g., Social Security numbers and biometric data) in response to access requests. Instead, consumers must be notified that this data is held, without revealing the data itself.

Strengthened Profiling Provisions

Previously, consumers could opt out of profiling only for solely automated decisions. The amendments remove “solely”, expanding this right to cover profiling in furtherance of any automated decision that produces any legal or similarly significant effect concerning the consumer.

In another key revision, the law now explicitly includes within the meaning of “decision that produces any legal or similarly significant effect” a decision made “on behalf of” a controller, which may include decisions made by third parties or service providers.

The access right is also updated to reflect the expanded reach of profiling. Consumers can now request confirmation as to whether a controller or processor is processing a consumer’s personal data for the purposes of covered profiling.

The amendments also provide that, with respect to covered profiling, where feasible, consumers will be able to:

  • question the outcome of the decision;
  • receive an explanation of how the result was reached;
  • review the personal data that was used in the profiling; and
  • in housing-related contexts, correct inaccurate data and request a re-evaluation.

Importantly, controllers engaging in covered profiling must now conduct impact assessments. Under the new requirements, companies must conduct an impact assessment for profiling activities that includes:

  • a clear explanation of why the profiling is being done, its intended use, and the benefits it offers;
  • an evaluation of any known or foreseeable heightened risks of harm to consumers, and the steps taken to mitigate those risks;
  • a description of the types of personal data used and the outputs generated by the profiling;
  • an overview of the data categories used to tailor the profiling, if applicable;
  • any metrics used to assess how well the profiling works and its known limitations;
  • actions taken to inform consumers about the profiling while it is occurring; and
  • post-deployment oversight processes, user protections, and mechanisms to address issues that arise from the profiling.

Adjustments to Data Minimization

SB 1295 makes several updates to the CTDPA’s data minimization and purpose limitation requirements. Controllers must now ensure that collection is not only “reasonably necessary” but also “proportionate” to the disclosed purposes. The law also clarifies when secondary uses of personal data (termed “material new purposes”) require new consent.

Controllers processing sensitive data must still obtain consent, but the processing must be reasonably necessary in relation to the disclosed purposes. In addition, separate consent is now required for the sale of sensitive data.

Enhanced Protections for Minors

Controllers are now categorically prohibited from processing minors’ personal data for targeted advertising or sale, regardless of whether consent is obtained. The amendments prohibit the use of any system design feature to significantly increase, sustain or extend any minor’s use of such online service, product or feature. The law also imposes stricter requirements for profiling of minors and calls for impact assessments in addition to data protection assessments. 

Updates to Privacy Notices and Transparency

The amendments also include several updates to privacy notice requirements, some of which include:

  • Profiling and large language models (“LLM”) disclosures: Privacy notices must state whether the controller engages in profiling and whether personal data is used to train LLMs.
  • Targeted Advertising disclosures: Whether the controller processes personal data for targeted advertising, or whether the controller sells personal data to a third party for the purposes of targeted advertising.
  • Placement and accessibility: Notices must be available through a conspicuous hyperlink that includes the word "privacy" on the controller’s homepage. Notices must also be provided in each language the controller uses in its business and be accessible to individuals with disabilities.
  • Notice of retroactive changes: If a controller makes material retroactive changes to its data practices, it must notify consumers and give them an opportunity to withdraw consent for any further collection, use, or sharing of previously collected data.

Next Steps

With these changes, organizations subject to the law should begin reviewing their data governance practices now, particularly around profiling, sensitive data and consumer rights workflows.

Copyright © 2025, Hunton Andrews Kurth LLP. All Rights Reserved.

Current Public Notices

Post Your Public Notice Today!

PUBLIC NOTICE OF RECIEVERSHIP SALE: Bison Hardwood, LLC
Published: 28 August, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Canary, LCC and it’s subsidiaries
Published: 25 August, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Interest in Contractor Sales & Services, LLC
Published: 25 August, 2025
PUBLIC NOTICE OF TRUSTEE-ASSIGNEE SALE: Elorac, Inc
Published: 25 August, 2025
PUBLIC NOTICE OF UCC SALE: Shoreview Holding LLC
Published: 25 August, 2025
PUBLIC NOTIC OF AUCTION OF ASSETS: BolderPlay
Published: 22 August, 2025
PUBLIC NOTICE OF DISPOSITION OF COLLATERAL: Vertify, Inc
Published: 20 August, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: News Direct Corp.
Published: 20 August, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Phillips Amsterdam II LLC
Published: 18 August, 2025
PUBLIC NOTICE OF UCC SALE: BMD-III CHT Mezz, LLC
Published: 18 August, 2025
PUBLIC NOTICE OF ASSET SALE: Cliq Products, Inc
Published: 15 August, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Pulse Partners LLC
Published: 14 August, 2025
PUBLIC NOTICE OF UCC SALE: Whitworth Tool, Inc
Published: 12 August, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Membership Interests in RINO 17 LLC
Published: 11 August, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: LCP Hollywood Lender LLC
Published: 8 August, 2025
Discover more public notices

Current Legal Analysis

More from Hunton Andrews Kurth

China NGO Identifies 70 Apps in Violation of National Privacy Law
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
The Impact of Tariffs on the Commercial Real Estate Market
by: Veronica P. Adams , Mark R. Vowell
NYDFS Settles With Healthplex for $2 Million Over Inadequate Cybersecurity Measures
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
Epic Failures in TAR Collaboration: When Discovery Turns Dysfunctional
by: Meghan A. Podolny , Jessie Purtell
USCIS Expands “Good Moral Character” Standards for Naturalization
by: Immigration & Nationality Law Practice
New York Attorney General Sues Zelle Developer for Inadequate Account Security and Verification Measures
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
UK ICO Launches Consultations on Guidance Regarding UK Data (Use and Access) Act 2025
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
Colleges and Universities Directed to Submit Admissions Data to Federal Government
by: Amy Fabiano , Brigid Harrington
Title IX Policy Updates: Sexual Offense Definitions Change
by: Amy Fabiano , Brigid Harrington
Remember to Enroll in EDGAR Next by September 12
by: Mayme Beth F. Donohue , Eric R. Markus
September 2025 Visa Bulletin – Fiscal Year-End Calm
by: Suzan Kern
Employer Guidance for New Tax Deductions for Tips and Overtime Pay
by: Jason Feingertz , Ryan A. Glasgow
UK ICO Considers Application of Data Protection Law to Live Facial Recognition Technology
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
Summarizing the Newly Issued Executive Order: Unleashing American Energy
by: Matthew Z. Leopold , David Arthur Terry
DOE Announces Nearly $1 Billion to Secure US Critical Minerals and Materials Supply Chain
by: Joanna D. Enns , Benjamin Y. Cooper IV

Upcoming Events

 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up for any (or all) of our 25+ Newsletters.

 

Sign Up for any (or all) of our 25+ Newsletters