On June 24, 2025, the Connecticut governor signed SB 1295, which amends the state’s comprehensive privacy statute, the Connecticut Data Privacy Act (“CTDPA”). SB 1295 takes effect on July 1, 2026.
SB 1295 makes a number of changes to the CTDPA. Some of these changes make edits that reflect requirements in other state privacy statutes. Most frequently, changes to the CTDPA through SB 1295 reflect substantive provisions that are in the California Consumer Privacy Act (“CCPA”). Additionally, SB 1295 amends the CTDPA to introduce provisions related to minor privacy.
Notable provisions in SB 1295 include:
- Applicability: SB 1295 removes the processing thresholds for the processing of consumer sensitive data and consumer’s personal data for sale in trade or commerce. Accordingly, controllers that control or process sensitive data (without reference to volume) or businesses that sell data (in any amount) could be within scope of the law. Additionally, SB 1295 removes the CTDPA’s entity-level GLBA exemption and replaces it with a data-level exemption and an exemption for certain specified entities.
- Sensitive Data: The definition of “sensitive data” is amended to include several aspects covered by some other state privacy statutes, such as disability or treatment, neural data, and status as nonbinary or transgender. Additionally, SB 1295 amends the CTDPA to include elements found in the CCPA’s definition of sensitive data, such as financial account numbers and government-issued identifications.
- Sale Consent: The revisions to the statute prohibit a controller from selling sensitive data of consumers “without the consumer’s consent.” Consent is defined as a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.
- Privacy Notice: SB 1295 amends the privacy notice obligations to require controllers to make a statement disclosing whether the controller collects, uses, or sells personal data for the purpose of training large language models.
- Impact Assessments: SB 1295 creates requirements for “impact assessments” that are separate from the CTDPA’s existing data protection impact assessment requirements. Impact assessments are required for profiling for the purposes of making a decision that produces any legal or similarly significant effect concerning a consumer. Impact assessments are required to include several components, such as the intended use cases, deployment context, and benefits of the profiling, an analysis of risks, categories of personal data processed as inputs and description of the outputs, metrics used to evaluate the performance and known limitations of the profiling, description of transparency measures taken, and description of post-deployment monitoring and user safeguards. This level of detail in an impact assessment is unique among state comprehensive privacy statutes.
- Restrictions on Features for Minors: SB 1295 prohibits the use of any system design feature intended to significantly increase, sustain, or extend a minor’s use of services, regardless of whether the minor consents.