Source - Privacy and Cybersecurity Client Alert

Connecticut Revamps Its Privacy Law (Again)

Connecticut continues to tinker with its comprehensive privacy law—the Connecticut Data Privacy Act (CDPA). This year the revisions come courtesy of Senate Bill 1295, which the governor signed on June 24, 2025. The changes lower thresholds for the law to apply, update exemptions, create new categories of sensitive data, expand consumer rights, and more. These changes take effect on July 1, 2026.

Application and Exemptions

The amended CDPA will apply to more companies and certain financial institutions (that were previously exempt).

  • Thresholds. The legislature added a new trigger: Companies must comply with the CDPA if they process sensitive data. And the amended law revamps the existing thresholds. Starting in July 2026, the CDPA will apply to companies that process personal information about at least 35,000 individuals (previously it was 100,000) or sell such information about at least one individual (previously it was 25,000 and included a requirement that the company derive more than 25% of its revenue from such sales).
  • GLBA Exemption. The legislature scrapped the blanket exemption for all companies subject to the GLBA. The amended law keeps the exemption for GLBA information and adds an entity-exemption for traditional financial institutions, including insurers, banks, and investment advisors. [The Attorney General recommended this change in his recent report on the law.]

Data/Processing Minimization

The amended law revises the data/processing requirements in two ways: tweaking the standard and adding criteria for assessing when consent is needed for a new use.

  • Baseline Standard. The CDPA currently requires a controller limit their collection of personal information to what is “adequate, relevant and reasonably necessary” for the disclosed purpose. Starting in July 2026, companies must limit the collection to what is “reasonably necessary and proportionate” to the disclosed purpose. It is questionable whether there is a meaningful difference between “proportionate” (the new language) and “adequate, relevant” (the old language).
  • New Uses. The CDPA currently requires a controller get consent to use personal information for a new, undisclosed purpose—unless that purpose is reasonably necessary or compatible with what the company told the consumer. Starting in July 2026, a controller assessing whether consent is needed for a new processing purpose must consider different factors, including the safeguards, consumer’s expectations, controller’s relationship with the consumer, and the relationship between the new purpose and what was disclosed to the consumer.

Sensitive Data

The amended law expands the definition of sensitive data to include neural data, financial details, nonbinary status, transgender status, medical disability or treatment, information derived from biometric/genetic data, and government-issued identification numbers—such as Social Security numbers or driver’s license numbers.

Consumer Rights

The amended law expands consumer rights while providing guardrails on how a controller responds to certain access requests.

  • Access Right. Consumers gain the right to obtain inferences derived from their personal information, learn whether the controller is processing their personal information for certain profiling, and obtain a list of third parties to whom the controller sold the consumer’s personal information.
  • Profiling. Consumers gain the right to opt out of more types of profiling and get more information about such processing. Previously a consumer could opt out of profiling in furtherance of solely automated decision-making with legal/significant effects. Starting in July 2026, consumers can opt out of such profiling even if humans are involved in making the decision. After such profiling, consumers will have the right to question the result, learn the reasoning for the decision, review the personal information involved, and (in cases involving housing) require the controller rerun the analysis after correcting inaccurate personal information.
  • Data Restrictions. Controllers cannot provide certain sensitive details (e.g., Social Security numbers) to the consumer in response to an access request. But the controller must inform the consumer that the company collected such data.

Disclosures

The legislature added new requirements around privacy policies.

  • Availability. Controllers must use specific language for the homepage hyperlink, make their policy accessible/usable by people with disabilities, and translate the policy into other languages that are relevant to activities governed by the policy.
  • Disclosures. Controllers must disclose whether they sell or process personal information for training large language models. They must also state when they last updated the policy.
  • Retroactive Changes. If a controller makes a retroactive change to their privacy practices, they must “take all reasonable measures” to notify affected consumers and provide them an opportunity to withdraw their consent to any further, materially different, processing of personal information the controller collected prior to the change.

Profiling

Companies that engage in profiling to make a decision that produces a legal/significant effect must perform a new risk analysis, which the amended law calls an “impact assessment.” This assessment must cover topics such as: (1) the personal information involved; (2) the profiling’s purpose and risks/benefits; (3) measures to mitigate risks; (4) metrics for evaluating performance; and (5) post-deployment monitoring. This change is not retroactive; it applies to activities created or generated after August 1, 2026.

Processor Responsibilities

Under the existing law, processors only have to assist with consumer requests to the extent “reasonably practicable.” Next year, however, they will need to assist “insofar as is possible.”

Conclusion

The CDPA amendments create a wider scope and more obligations for companies that collect/process information about Connecticut residents. These changes are largely in line with recent developments in other states, including the general trend of making the laws more generally applicable and adding more obligations for controllers. But the changes around profiling are less common and could be especially burdensome for companies that use Connecticut residents’ information to engage in profiling. As a result, it is important for companies to be thinking about a compliance program well before the changes go into effect next summer.