Privacy & Information Security Law Blog

On June 24, 2025, Connecticut enacted SB 1295, which adds another round of amendments to the Connecticut Data Privacy Act (“CTDPA”). While most of the changes will take effect on July 1, 2026, impact assessment requirements will apply to processing activities created or generated on or after August 1, 2026. The following is a summary of key amendments to the law.

Expanded Applicability

The CTDPA now applies to entities that meet any of the following thresholds:

• control or process the personal data of at least 35,000 consumers;
• control or process consumers’ sensitive data, excluding personal data controlled or processed solely for the purposes of completing a payment transaction; or
• offer consumers’ personal data for sale.

This significantly broadens the applicability of the CTDPA, as the CTDPA previously only applied to entities that controlled or processed the personal data of at least 100,000 consumers or controlled or processed the personal data of at least 25,000 consumers and derived 25% or more of their gross revenue from the sale of personal data. 

Notably, the amended CTDPA removes the entity-level Gramm-Leach-Bliley Act exemption but includes a data-level exemption. 

Additionally, the definition of sensitive data has been expanded and now includes categories such as disability or treatment, status as nonbinary or transgender, genetic or biometric data or information derived therefrom (i.e., with the words “for the purpose of uniquely identifying an individual” removed), neural data, and certain financial and government ID information.

Revisions to Access Right

The CTDPA’s consumer rights framework has also been revised. Notably, the right to access now explicitly includes the right to know the inferences, and has been updated with respect to profiling (see below). Additionally, the law now prohibits controllers from disclosing certain higher-risk identifiers (e.g., Social Security numbers and biometric data) in response to access requests. Instead, consumers must be notified that this data is held, without revealing the data itself.

Strengthened Profiling Provisions

Previously, consumers could opt out of profiling only for solely automated decisions. The amendments remove “solely”, expanding this right to cover profiling in furtherance of any automated decision that produces any legal or similarly significant effect concerning the consumer.

In another key revision, the law now explicitly includes within the meaning of “decision that produces any legal or similarly significant effect” a decision made “on behalf of” a controller, which may include decisions made by third parties or service providers.

The access right is also updated to reflect the expanded reach of profiling. Consumers can now request confirmation as to whether a controller or processor is processing a consumer’s personal data for the purposes of covered profiling.

The amendments also provide that, with respect to covered profiling, where feasible, consumers will be able to:

• question the outcome of the decision;
• receive an explanation of how the result was reached;
• review the personal data that was used in the profiling; and
• in housing-related contexts, correct inaccurate data and request a re-evaluation.

Importantly, controllers engaging in covered profiling must now conduct impact assessments. Under the new requirements, companies must conduct an impact assessment for profiling activities that includes:

• a clear explanation of why the profiling is being done, its intended use, and the benefits it offers;
• an evaluation of any known or foreseeable heightened risks of harm to consumers, and the steps taken to mitigate those risks;
• a description of the types of personal data used and the outputs generated by the profiling;
• an overview of the data categories used to tailor the profiling, if applicable;
• any metrics used to assess how well the profiling works and its known limitations;
• actions taken to inform consumers about the profiling while it is occurring; and
• post-deployment oversight processes, user protections, and mechanisms to address issues that arise from the profiling.

Adjustments to Data Minimization

SB 1295 makes several updates to the CTDPA’s data minimization and purpose limitation requirements. Controllers must now ensure that collection is not only “reasonably necessary” but also “proportionate” to the disclosed purposes. The law also clarifies when secondary uses of personal data (termed “material new purposes”) require new consent.

Controllers processing sensitive data must still obtain consent, but the processing must be reasonably necessary in relation to the disclosed purposes. In addition, separate consent is now required for the sale of sensitive data.

Enhanced Protections for Minors

Controllers are now categorically prohibited from processing minors’ personal data for targeted advertising or sale, regardless of whether consent is obtained. The amendments prohibit the use of any system design feature to significantly increase, sustain or extend any minor’s use of such online service, product or feature. The law also imposes stricter requirements for profiling of minors and calls for impact assessments in addition to data protection assessments. 

Updates to Privacy Notices and Transparency

The amendments also include several updates to privacy notice requirements, some of which include:

• Profiling and large language models (“LLM”) disclosures: Privacy notices must state whether the controller engages in profiling and whether personal data is used to train LLMs.
• Targeted Advertising disclosures: Whether the controller processes personal data for targeted advertising, or whether the controller sells personal data to a third party for the purposes of targeted advertising.
• Placement and accessibility: Notices must be available through a conspicuous hyperlink that includes the word "privacy" on the controller’s homepage. Notices must also be provided in each language the controller uses in its business and be accessible to individuals with disabilities.
• Notice of retroactive changes: If a controller makes material retroactive changes to its data practices, it must notify consumers and give them an opportunity to withdraw consent for any further collection, use, or sharing of previously collected data.

Next Steps

With these changes, organizations subject to the law should begin reviewing their data governance practices now, particularly around profiling, sensitive data and consumer rights workflows.