Connecticut Data Privacy Act: Changes Small Business Owners Need to Make in 2026

January 2, 2026

By Mary Kay Della Camera, CTSBDC Business Advisor

Connecticut’s Data Privacy Act (CTDPA) went into effect July 1, 2023, and gives Connecticut residents rights over their personal data (in an individual/household context) while imposing specific privacy obligations on businesses that act as “controllers” and their vendors, called “processors.” The CTDPA generally applies if, in the prior calendar year, you controlled/processed personal data of 100,000+ Connecticut consumers, or 25,000+ Connecticut consumers and over 25% of gross revenue came from selling personal data. Separately, if you are a “Consumer Health Data Controller” (for example, you collect or use consumer health data in an app, intake form, portal, or similar), CTDPA obligations can apply regardless of size. The law does not typically cover employee/job-applicant data, and several categories of entities and data types are exempt, but the coverage analysis is fact-specific. 

There have been significant changes to CTDPA, including several 2026 amendments (effective July 1, 2026; some assessment requirements begin August 1, 2026) that small business owners should understand.

CTDPA changes explained for small businesses

For covered businesses, the practical compliance baseline is straightforward: publish a clear privacy notice; limit collection to what is adequate, relevant, and reasonably necessary; obtain consent before processing sensitive data; operationalize consumer rights requests (access, correct, delete, portability, and opt-out of targeted advertising, sale, and certain profiling) within the required timelines; and use reasonable safeguards to secure personal data. Importantly, as of January 1, 2025, covered businesses must honor universal opt-out signals (for example, Global Privacy Control signals) for targeted advertising and sales of personal data—this has become an active enforcement focus, particularly for websites and online marketing stacks.

Connecticut enacted another significant update (SB 1295) that materially expands who is covered and what compliance requires. The most important change for small businesses is scope: the consumer-data volume threshold drops to 35,000 consumers (from 100,000), and the law also becomes “triggered” for businesses that control/process any sensitive data (with a payment-processing exception) or that offer personal data for sale. In other words, a business may be in scope even without large customer counts if it handles sensitive data or monetizes data in ways the law defines as a “sale.”

SB 1295 also expands and tightens substantive requirements, especially in four areas:

  1. Sensitive data expands (and matters more). The definition of sensitive data broadens to include categories such as disability/treatment information, nonbinary/transgender status, neural data, certain financial access credentials, and government-issued IDs. The law also heightens expectations around consent, including separate consent for the sale of sensitive data.
  2. Profiling and automated decisions. Consumer opt-out rights expand beyond “solely automated” decisions, and consumers gain more insight into whether profiling is happening and, where feasible, the ability to challenge outcomes and understand the reasoning. Beginning August 1, 2026, Connecticut adds a distinct “impact assessment” requirement for certain profiling that produces legal or similarly significant effects.
  3. Minors. Connecticut strengthens protections for minors, including categorical limits on targeted advertising and sale of minors’ personal data for certain online services, and additional assessment/mitigation expectations when profiling minors.
  4. Privacy notices. Privacy policies must become more specific and operational, including stronger disclosures and presentation requirements. Notably, SB 1295 adds a disclosure about whether personal data is collected/used/sold for the purpose of training large language models (LLMs), and it requires notice and an opportunity to withdraw consent when retroactive material changes are made.

Across the legal analyses and compliance commentary, there is broad alignment on the core takeaway: Connecticut is moving from a “threshold-based” privacy law that mostly affected larger companies to a more expansive framework that captures smaller organizations/businesses which (a) touch sensitive data, (b) use ad-tech/targeted advertising, (c) share data with third parties in ways that may be considered a sale, or (d) offer online features used by minors. 

CTDPA: Key takeaways for small business owners

  • There are expanded coverage requirements and narrower exemptions. SB 1295 narrows the practical reach of the Gramm-Leach-Bliley Act (GLBA) entity exemption by moving toward a data-level approach for many businesses in or adjacent to financial services, which is a meaningful shift for fintech and other non-bank providers.
  • There are more demanding profiling requirements. Legal summaries of these changes stress that profiling/automated decision-making is now a central compliance and documentation obligation, with new assessment and transparency requirements.
  • CT is instituting stronger protections for minors. Multiple sources underscore Connecticut’s aggressive stance on minors’ privacy and on design features that can materially increase or extend minors’ engagement.
  • Privacy notice “operationalization.” The law increasingly expects privacy notices to match real-world practices (including ad-tech disclosures, opt-out mechanics, accessibility, and now LLM training disclosures).

CTDPA checklist for small businesses 

We strongly advise you to check with your small business attorney to ensure compliant practices. In the meantime, here are a few practical next steps Connecticut small businesses can take toward compliance with the CTDPA, current enforcement priorities, and the 2026 amendments:

  • Confirm whether you are in scope now (and whether you might be in scope in 2026). Pay special attention to whether you process sensitive data, use targeted advertising, or share data with partners/vendors in ways that may be viewed as a “sale.”
  • Inventory personal data and map it to purpose. Identify what you collect, why you collect it, where it is stored, who receives it (including ad-tech), and how long you keep it.
  • Review your website and marketing stack. Ensure you can honor opt-out rights and universal opt-out signals; confirm that cookie/banner experiences are not confusing or asymmetrical; and validate that your “do not sell / do not share” style mechanisms work end-to-end.
  • Tighten sensitive data handling. Document what qualifies as sensitive data in your business; ensure consent collection and recordkeeping; and limit collection/use to what is necessary and proportionate to disclosed purposes.
  • Update your privacy notice for accuracy and completeness. Make sure your notice describes categories of data, purposes, sharing/sales, rights, opt-out methods, and contact methods; plan now for 2026 additions (including LLM training disclosures and retroactive material change notices).
  • Establish a rights-request process (DSAR workflow). Be able to intake, authenticate, respond within required timelines, and track appeals.
  • Review vendor contracts (processors). Confirm contracts address data processing instructions, confidentiality, security, and cooperation with consumer rights requests.
  • If minors may use your product/service, assess and redesign where needed. Identify targeted advertising, profiling, and UX features that could be restricted under the amendments; document mitigations.
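The “review your website and marketing stack” step above asks you to honor universal opt-out signals end-to-end. The following is an added example, not code from the article or from any official CTDPA guidance, showing how a web backend (and a page script) can detect the Global Privacy Control signal and apply it as an opt-out from targeted advertising and sale while leaving other purposes governed by the consent you already hold on record. The `Sec-GPC: 1` header and `navigator.globalPrivacyControl` are the real GPC mechanisms; the consent-record shape, purpose names, and sample requests are constructed assumptions for illustration.

```javascript
// Added example (not from the CTSBDC article or any CTDPA guidance): how a
// web backend can detect and honor a Global Privacy Control (GPC) signal.
// GPC is a real, browser-sent HTTP request header ("Sec-GPC: 1") and is also
// exposed to page scripts as navigator.globalPrivacyControl. The consent
// record shape, purpose names and sample requests below are constructed
// assumptions for illustration.

// Purposes a universal opt-out signal covers under the CTDPA: targeted
// advertising and sale of personal data. Other purposes are not affected.
const GPC_COVERED_PURPOSES = new Set(["targeted_advertising", "sale"]);
const ALL_PURPOSES = ["targeted_advertising", "sale", "analytics"];

// Server side: read the signal from request headers. HTTP header names are
// case-insensitive, and only the value "1" counts as an opt-out signal.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      const v = Array.isArray(value) ? value[0] : value;
      return String(v).trim() === "1";
    }
  }
  return false;
}

// Client side (tag managers, consent banners): the same signal as seen by
// page scripts. Takes a navigator-like object so it can run outside a browser.
function gpcSignalFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide per purpose whether processing is permitted for this request.
// storedConsent is the site's own record for a recognized user, e.g.
// { targeted_advertising: true, sale: false, analytics: true }. A GPC signal
// is an opt-out for covered purposes and overrides a stored opt-in; it never
// grants permission for anything, and purposes with no recorded consent
// stay denied.
function effectivePermissions(headers, storedConsent = {}) {
  const gpc = gpcSignalPresent(headers);
  const permissions = {};
  for (const purpose of ALL_PURPOSES) {
    const consented = storedConsent[purpose] === true;
    permissions[purpose] =
      gpc && GPC_COVERED_PURPOSES.has(purpose) ? false : consented;
  }
  return { gpcSignal: gpc, permissions };
}

// Build an audit record showing how the decision was made, which is what an
// end-to-end check of a "do not sell / do not share" flow needs to verify.
function auditRecord(requestId, headers, storedConsent) {
  const { gpcSignal, permissions } = effectivePermissions(headers, storedConsent);
  const denied = ALL_PURPOSES.filter((p) => !permissions[p]);
  return { requestId, gpcSignal, denied };
}

// Constructed sample traffic: a GPC-enabled browser whose user previously
// opted in to everything, a browser sending an explicit "0", and a request
// with no signal and no analytics consent on file.
const SAMPLE_REQUESTS = [
  { id: "r1", headers: { "Sec-GPC": "1", "User-Agent": "example" },
    consent: { targeted_advertising: true, sale: true, analytics: true } },
  { id: "r2", headers: { "sec-gpc": "0" },
    consent: { targeted_advertising: true, sale: false, analytics: true } },
  { id: "r3", headers: {},
    consent: { targeted_advertising: true, sale: true } },
];

function runSamples() {
  return SAMPLE_REQUESTS.map((r) => auditRecord(r.id, r.headers, r.consent));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const rec of runSamples()) {
    console.log(JSON.stringify(rec));
  }
}
```

The design point is that the signal only ever removes permissions: a stored opt-in to targeted advertising or sale is overridden when `Sec-GPC: 1` arrives, while a purpose the signal does not cover (here, analytics) still follows whatever consent you hold. Logging the resulting audit record per request is what lets you demonstrate, during the end-to-end validation the checklist calls for, that the opt-out was actually applied downstream rather than merely displayed in a banner.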

This content is for educational purposes and is not legal advice. If you believe you are in scope (or will be in scope due to sensitive data, ad-tech use, or the 2026 amendments), consider consulting qualified counsel for a tailored assessment.