Data Privacy Law Expansion Raises Business Concerns

04.11.2025
Issues & Policies

A legislative committee has advanced a sweeping expansion of the state’s Data Privacy Act that limits businesses’ ability to advertise, market, and conduct consumer-based research.

The General Law Committee approved SB 1356, which adds businesses to the act’s scope, on a 16-5 vote.

Adopted in 2022, the CTDPA was a compromise with the business community to implement one of the first comprehensive laws in the country to provide residents with certain rights over personal data and to establish responsibilities and privacy protection standards for data controllers.

According to the Attorney General’s Office, as of Jan. 1, 2025, businesses covered under the act must honor universal opt-out preference signals sent by Connecticut residents. 

Key Changes

SB 1356 makes several key changes to the act:

  • Updates key definitions critical to the CTDPA:
    • “Biometric data:” Redefines to include data from automatic measurements of biological characteristics (e.g., fingerprints, voiceprints) used for identification, excluding photos or data from user-provided content unless processed for ID purposes.
    • “Know or knowingly:” Adds a new definition tied to a reasonable person standard—whether a controller should reasonably know a consumer is under 18 based on collected data.
    • “Publicly available information:” Expands to exclude biometric data derived from public sources if used for identification, tightening privacy protections.
    • “Sensitive data:” Adds precise geolocation data (within 1,750 feet), religious beliefs or affiliations, and data revealing union membership to the list of sensitive categories.
  • Lowers the applicability threshold for businesses:
    • Now applies to entities that process personal data of at least 50,000 Connecticut consumers annually—down from the current 100,000 consumer threshold—or 12,500 consumers if over 25% of revenue comes from selling personal data (down from the current 25,000 consumer threshold).
  • Modifies exemptions for financial institutions, nonprofits, and HIPAA entities:
    • Removes broad exemption for institutions subject to the Gramm-Leach-Bliley Act and HIPAA, replacing it with a narrower exemption for data processed under GLBA and HIPAA rules, ensuring non-GLBA and HIPAA data falls under CTDPA.
  • Adds a data minimization requirement:
    • Controllers may only collect, process, or retain personal data necessary to provide a product or service explicitly requested by the consumer—strictly limiting what data can be collected.
    • Prohibits selling consumer health data without affirmative, separate written consent from the consumer, collected at the point of sale.
    • Prohibits disclosing sensitive data to third parties without prior affirmative consent, unless required by law or necessary for the requested service.
  • Adds social media data requirements:
    • Updates “social media platform” to include online services primarily designed for user-generated content sharing, excluding private messaging or services not aimed at broad interaction.
    • Prohibits social media platforms from requiring parents to create accounts to submit requests (e.g., to access or delete a minor’s data).
  • Removes the rebuttable presumption for youth data collection:
    • Requires controllers to delete a consumer’s personal data upon request if they know or should know the consumer is under 18, unless retention is legally required.
    • Removes prior rebuttable presumption that controllers didn’t know a consumer’s age, increasing accountability.
    • Prohibits processing personal data of consumers under 18 for targeted advertising or profiling if the controller knows or should know their age, with exceptions for contextual advertising or legal obligations.
  • Adds data broker registration:
    • Requires data brokers to register annually with the Department of Consumer Protection by Jan. 31, 2026, with a $200 fee.

Outsized Small Business Burden

These expanded requirements will make it difficult for companies to use consumer data responsibly to grow their business.

The bill’s proposed adjustments to applicability thresholds place an outsized burden on small and medium-sized employers in Connecticut.

In testimony to the committee, CBIA’s Chris Davis warned that a family-owned retailer or restaurant with fewer than 20 employees, handling modest customer data for loyalty programs, could now face the same regulatory demands as a multinational corporation.

The bill now awaits action in the state Senate.


For more information, contact CBIA’s Chris Davis (860.244.1931).
