Connecticut Legislative AI, Data Privacy Updates

01.29.2026
Small Business

The following article first appeared in the News & Insights section of Carmody Torrance Sandak Hennessey’s website. It is reposted here with permission.


Last-minute, little-noticed legislative amendments from the Connecticut 2025 legislative session will have outsized impacts on small and medium-sized Connecticut businesses beginning July 1, 2026.

Consumer-facing businesses (and their service providers) that deploy AI and similar “algorithmic decision making” solutions will need to make public disclosures and conduct data protection impact assessments to ensure that consumers are protected from unforeseen harms from these tools.

Moreover, with dramatically lowered thresholds and expanded definitions, many more businesses will be surprised to find on July 1st that they are covered entities under the Connecticut Data Privacy Act.  

Connecticut Data Privacy Act Amendment Highlights

Effective July 1, 2026:

  • Amendments will apply to for-profit businesses that meet any of the following thresholds:
    • control/process personal data of 35,000 or more Connecticut consumers (with exception)
    • control/process Connecticut consumers’ “sensitive data” (with exception)
    • offer consumers’ personal data for “sale”
  • Expand the definition of “sensitive data”
  • Prohibit sale of sensitive personal data without consumer opt-in
  • Require additional disclosures in public-facing privacy notices
  • Mandate opt-outs and impact assessments for “profiling” used to advance “automated decision making” that produces any “legal or similarly significant effect”
  • Remove the blanket exemption for businesses regulated by Gramm-Leach-Bliley Act (GLBA) rules (i.e., companies offering consumer financial products/services)

Top Operational Impacts for Connecticut Businesses

Assess. Assess whether CTDPA’s lowered thresholds make the company a covered entity.

Legal compliance. Assemble an operations and legal team to develop a CTDPA compliance program.

Review. Review and revise employee- and vendor-facing policies to ensure CTDPA compliance.

Privacy notices and opt-outs. Update public-facing privacy notices and opt-out/opt-in procedures.

Risk management. Identify high-risk areas involving use of sensitive data and profiling or automated decision-making activities requiring impact assessments.

Cybersecurity. Update and strengthen cybersecurity measures.

Monitor. Constantly monitor and evaluate policies and practices.

Manage AI. Adopt policies for the use of AI and identify a point person for questions and oversight.

Educate. Train leadership and workforce on requirements and expectations.

Listen. Promote employee involvement and feedback on the use of AI, particularly since it is a constantly evolving area.

Concluding Considerations

With July 1, 2026, rapidly approaching, companies that will soon be covered by the CTDPA’s lowered thresholds should be proactive in assessing their risk profile and preparing their compliance strategy.

Future Pulse on Privacy posts will drill down on a number of the operational impacts identified above and suggest strategies for reasonable compliance.


About the author: Sherwin Yoder is a partner with Carmody Torrance and leads the firm’s Privacy & Data Security practice.
