ARTICLE
9 February 2026

Connecticut Data Privacy Act Updates Go Into Effect This Year

Moore & Van Allen

Contributor

Moore & Van Allen is an Am Law 200 firm with 400+ attorneys and professionals serving public companies, middle market private companies, and high net worth individuals in key practices including financial services transactions and regulatory compliance, corporate, private equity and investments, litigation, intellectual property, bankruptcy, and commercial real estate.
Anvi S. Yalavarthy’s articles from Moore & Van Allen are most popular:
  • within Privacy topic(s)
  • with Finance and Tax Executives
  • in United States
  • with readers working within the Media & Information industries

Senate Bill 1295, entitled An Act Concerning Broadband Internet, Gaming, Social Media, Online Services and Consumer Contracts (“Senate Bill 1295”, the “Senate Bill”, or the “Bill”), was passed by the Connecticut legislature in June 2024 and was signed into law soon after. The Senate Bill amends various provisions of the Connecticut General Statutes, including various provisions of the Consumer Data Privacy and Online Monitoring Act (Conn. Gen. Stat. §§ 42-515 – 42-525) (the “Data Privacy Act”), with most of the changes taking effect starting in July 2026.

This article summarizes how the provisions of the Data Privacy Act were amended by Senate Bill 1295.

Definitions. A few definitions were amended as follows:

  • “Consumer health data” was amended to include any personal data used to identify a consumer's physical or mental health condition, diagnosis or status.
  • “Decision that produces any legal or similarly significant effect” includes decisions made by the controller or on behalf of the controller.
  • A definition for “neural data” was added, where neural data means any information that is generated by measuring the activity of an individual's central nervous system.
  • “Publicly available information” was amended such that publicly available information does not directly include information that is lawfully made available through widely distributed media but does include information that a consumer has a reasonable basis to believe has been lawfully made available to the general public from widely distributed media. Further, publicly available information does not include any biometric data that can be associated with a specific consumer and were collected without the consumer's consent.
  • “Sensitive data” was amended to include the following categories of data:
    • a mental health disability or treatment;
    • status as nonbinary or transgender;
    • information derived from genetic or biometric data;
    • neural data;
    • a consumer's financial account numbers, card numbers, or log-in information, along with information that would allow access to a consumer's financial accounts;
    • government-issued identification numbers (including SSN, passport numbers, etc.).

Applicability.

  • The Data Privacy Act applies to persons that conduct business in or target residents of Connecticut and (1) in the preceding calendar year controlled or processed the personal data of at least thirty-five thousand (35,000) consumers; (2) control or process consumers' sensitive data; or (3) offer consumers' personal data for sale in trade or commerce.
    • The requirement that such persons must have controlled or processed the data of at least 100,000 consumers or 25,000 consumers and derived more than 25% of their gross revenue from the sale of data has been removed.

Exemptions.

  • Senate Bill 1295 includes entity-level exemptions for:
    • candidate, national, party or political committees;
    • insurers, fraternal benefit societies, health carriers, insurance-support organizations, or insurance agents or producers;
    • banks, Connecticut credit unions, federal credit unions, out-of-state banks or out-of-state credit unions, or any affiliate or subsidiary thereof;
    • agent, broker-dealer, investment adviser or investment adviser agent.
  • The entity-level exemption for financial institutions subject to the GLBA has been removed. Instead, only data subject to the GLBA is exempted.
  • Additionally, information included in a limited data set to the extent such information is used, disclosed and maintained in the manner specified in 45 CFR 164.514(e) is exempted.

Consumer Rights.

  • Consumer rights were expanded under Senate Bill 1295:
    • The consumer's right to confirm data includes any inferences about the consumer derived from such data and whether the consumer's data is being processed for the purposes of profiling to make a decision that produces any legal or similarly significant effect concerning a consumer. The definition of profiling did not change. It means any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location or movements. The right to opt out of profiling in furtherance of automated decision making that produces legal or similarly significant effects, however, was modified from “solely” automated decision making to “any” automated decision making.
    • New consumer rights added under the Senate Bill include:
      • the right to, if the consumer's personal data were processed for purposes of profiling in furtherance of any automated decision that produced any legal or similarly significant effect concerning the consumer, and if feasible, (A) question the result of such profiling, (B) be informed of the reason that such profiling resulted in such decision, (C) review the consumer's personal data that were processed for the purposes of such profiling, and (D) if the profiling decision concerned housing, to correct any incorrect personal data that were processed for the purposes of such profiling and have the profiling decision reevaluated based on the corrected personal data.
      • the right to obtain a list of third parties to which the controller has sold the consumer's personal data or, if such controller does not maintain such a list, a list of all third parties to which such controller has sold personal data, provided the controller shall not be required to reveal any trade secret.
  • The Bill also included a limitation stating that the controller shall not disclose certain information in response to a request to exercise a consumer's rights, including SSNs, driver license numbers, financial account numbers, health insurance or medical ID numbers, account passwords, security question or answers or biometric data. The controller shall only inform the consumer that the controller has collected such personal data, without disclosing the actual data.

Controller Duties.

  • Under the Senate Bill's amendments:
    • The controller must limit the collection of personal data to what is reasonably necessary and proportionate (as opposed to adequate, relevant and reasonably necessary) to the purposes for which such data is processed.
    • The controller shall not process a consumer's personal data for any material new purpose without the consumer's consent, taking into account factors like the consumer's reasonable expectation and the relationship between the new purpose and the purpose disclosed to the consumer, among others.
    • The controller shall not process sensitive data without the consumer's consent and unless processing is reasonably necessary for the purpose for which such data is processed.
    • The controller shall not sell sensitive data without the consumer's consent.
    • The controller shall not process the personal data of a consumer that is between thirteen and eighteen years of age for purposes of targeted advertising.
      • Previously, the controller could not process the personal data of a consumer between the age of thirteen and sixteen for the purpose of targeted advertising without consent.
    • The Bill also states that any evidence, or lack of evidence, concerning proactive anti-bias testing or any similar proactive effort to avoid processing personal data in violation of Connecticut law prohibiting unlawful discrimination, shall be relevant to any claim available for a violation of such law and any defense available thereto.

Privacy Notice.

  • Under the Senate Bill's amendments, controllers must include in their privacy notices:
    • a description of the means for consumers to submit requests to exercise their rights, including a description of how consumers may exercise their rights and how they may appeal controller decisions.
    • the categories of personal data the controller sells and the categories of third parties the controller sells data to.
    • a clear and conspicuous disclosure of any processing or sale of personal data for purposes of targeted advertising.
    • a statement disclosing whether the controller collects, uses or sells personal data for the purpose of training large language models.
    • the most recent month and year during which the controller updated the notice.
  • The privacy notice must be made publicly available:
    • through a conspicuous hyperlink that includes the word "privacy" on the controller's website home page, on the application store or download page of a mobile device, and on the application's settings menu or similar accessible location;
    • through a medium in which the controller regularly interacts with consumers;
    • in each language in which the controller provides or carries out activities related to any product or service subject to the notice; and
    • in a manner that is reasonably accessible to, and usable by, individuals with disabilities.
  • The controller must also provide a clear and conspicuous hyperlink on its website that allows the consumer to opt out of (i) processing of consumer data for purposes of targeted advertising or (ii) sale of consumer data.
  • If a controller makes any retroactive material change to the privacy notice or privacy practices, the controller shall notify affected consumers of the change and provide a reasonable opportunity for the consumers to withdraw consent to any further and materially different collection, processing or transfer of previously collected personal data following such material change.
  • The Bill specifies that nothing in these provisions shall be construed to require a controller to provide a privacy notice that is specific to Connecticut if the controller provides a generally applicable privacy notice that satisfies the requirements established in the Data Privacy Act.

Data Protection and Impact Assessments.

  • In addition to conducting and documenting data protection assessments for each of the controller's processing activities that presents a heightened risk of harm to a consumer, each controller that engages in any profiling for the purposes of making a decision that produces any legal or similarly significant effect concerning a consumer shall conduct an impact assessment for such profiling. Such impact assessment shall include:
    • a statement by the controller disclosing the purpose, intended use cases and deployment context of, and benefits afforded by profiling;
    • an analysis of whether profiling poses any known or reasonably foreseeable heightened risk of harm to a consumer, and if so, the nature of such harm and the steps that have been taken to mitigate such harm;
    • a description of the categories of personal data processed as inputs for profiling and the outputs such profiling produces;
    • an overview of the categories of personal data the controller used to customize profiling, if applicable;
    • any metrics used to evaluate the performance and known limitations of profiling;
    • a description of any transparency measures taken concerning profiling; and
    • a description of the post-deployment monitoring and user safeguards provided concerning profiling.
  • Impact assessment requirements shall apply to processing activities created or generated on or after August 1, 2026, and are not retroactive.

Miscellaneous.

  • In addition to the existing limitations in the Data Privacy Act, the Senate Bill further states that the obligations under the Data Privacy Act shall not restrict a controller's, processor's or consumer health data controller's ability to collect, use or retain data for internal use to:
    • process personal data only to the extent necessary to detect or correct bias that may result from processing such data for profiling purposes provided that (i) such bias cannot be effectively detected or corrected without such processing, (ii) such data is deleted once such processing is completed, (iii) such data is subject to appropriate safeguards to protect consumer rights, (iv) such data is subject to technical restrictions concerning the reuse of such data and industry-standard security and privacy measures, including pseudonymization, (v) such data is subject to measures to ensure that such data are secure, protected and subject to suitable safeguards, and (vi) such data is not transmitted, transferred or otherwise accessed by any third party;
    • perform internal operations in accordance with the internal operations exception established in COPPA as applicable.
  • All references to a known child have been changed to a consumer or individual that the controller has actual knowledge, or willfully disregards, is a child.

With a majority of the updates taking effect in July 2026 and the rest taking effect later in the year, organizations subject to Connecticut's Data Privacy Act have a few more months to review their data privacy practices and ensure compliance with the Senate Bill updates.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
