A PYMNTS Company

Connecticut’s Expanded Data Privacy Law Covers AI Training  

February 10, 2026

If your company collects data from people in Connecticut, the rules of the game are about to change. A sweeping update to the state’s data privacy law kicks in this July, bringing tighter restrictions on how businesses handle everything from health records to neural data. The changes could catch a lot of companies off guard, especially smaller ones that did not think these rules applied to them.

    The updates come from Senate Bill 1295, which Connecticut’s legislature passed in June 2024. The law amends the state’s Consumer Data Privacy and Online Monitoring Act, and it touches nearly every part of the original statute. A recent analysis by law firm Moore & Van Allen walks through what’s changing and what businesses need to do before July.

    One of the biggest shifts is who the law covers. Previously, it only applied to companies that processed data on at least 100,000 consumers, or 25,000 consumers if the company earned more than a quarter of its revenue from selling data. That threshold has dropped dramatically. Now, any business that processes the personal data of just 35,000 Connecticut consumers falls under the law. So do companies that process sensitive data or sell personal data as part of their business. That’s a much wider net.

    The definition of “sensitive data” got a major expansion too. The law now covers mental health conditions and treatments, transgender or nonbinary status, neural data, financial account numbers and login credentials, and government-issued ID numbers like Social Security numbers and passports. Genetic and biometric data are also now explicitly included.

    As Moore & Van Allen noted, the updates also give consumers powerful new rights around automated decision-making. If a company uses profiling to make decisions that have legal or significant effects on a consumer, such as on housing, credit, or employment, that consumer can now challenge the result, ask for an explanation, review the data used, and in housing cases, correct inaccurate data and get the decision reevaluated.

    The law firm’s analysis highlighted that “the right to opt out of profiling in furtherance of automated decision making that produces legal or similarly significant effects was modified from ‘solely’ automated decision making to ‘any’ automated decision making.” That one-word change — from “solely” to “any” — is significant. It means companies can no longer avoid the rule by keeping a human nominally in the loop.

    Privacy notices are getting an overhaul as well. Companies must now disclose whether they collect or sell data for training large language models. They must list what categories of data they sell and to whom. And they need to make their privacy policies available in every language they do business in, accessible to people with disabilities, and posted with a conspicuous link that includes the word “privacy.”

    There are also new rules aimed at protecting kids. Controllers can no longer use personal data from anyone between 13 and 18 for targeted advertising — period. The previous version of the law only restricted this for 13-to-16-year-olds and allowed it with consent.

    Companies that engage in profiling face a new requirement too: impact assessments. These must describe the purpose and benefits of the profiling, analyze risks of harm, detail what data goes in and what comes out, and explain what safeguards are in place. Those requirements apply to any profiling activity created after August 1, 2026.

    Most of these changes take effect in July 2026, with additional provisions rolling out later in the year. Moore & Van Allen advises that organizations subject to the law should use the remaining months to review their data practices and make sure they are ready. For companies operating in the AI and data economy, Connecticut just raised the bar.