Connecticut Expands Its Privacy Law: What PA 25-113 Means Starting July 1

Connecticut Expands Its Privacy Law: What PA 25-113 Means Starting July 1

Connecticut's comprehensive privacy law grows significantly in scope on July 1, 2026, when Public Act 25-113 takes effect, lowering applicability thresholds, adding new sensitive-data categories, and imposing the first-in-the-nation disclosure requirement for businesses that train large language models on personal data.

Information last verified on June 26, 2026. This is a developing story; we update it as the record changes.

Status: Signed June 24, 2025 as Public Act 25-113 (Substitute Senate Bill 1295); takes effect July 1, 2026. As of June 26, 2026 the amendments are not yet in force.

Jurisdiction scope: These amendments apply to controllers and processors that conduct business in Connecticut or produce products or services targeted to Connecticut residents and that meet applicable thresholds under the Connecticut Data Privacy Act. As of July 1, 2026, businesses processing the personal data of at least 35,000 Connecticut consumers per year, or that offer consumers' personal data for sale in trade or commerce (with no minimum consumer volume), will be covered. Controllers that process sensitive personal data are also covered regardless of consumer volume.

What Happened

On June 24, 2025, Connecticut Governor Ned Lamont signed Substitute Senate Bill 1295 into law as Public Act 25-113, adding a broad second round of amendments to Connecticut's omnibus consumer privacy statute. The law passed the General Assembly in June 2025 after clearing the General Law Committee.

The amendments are substantial. At the threshold level, the law lowers the number of consumers whose personal data a controller must process before CTDPA obligations attach from 100,000 to 35,000. It also deletes the prior prong that covered a controller processing the data of at least 25,000 consumers while deriving more than 25 percent of gross revenue from selling personal data. In its place, PA 25-113 adds a volume-free trigger: any controller that offers consumers' personal data for sale in trade or commerce is covered regardless of how many consumers' data it sells, and controllers that process sensitive personal data are likewise covered regardless of consumer volume.

On sensitive data, the act expands the definition to add several categories not previously listed:

• Neural data, data generated by a consumer's neural activity, including data generated by devices such as brain-computer interfaces
• Status as transgender or nonbinary
• Disability or treatment data, data reflecting a consumer's disability status or medical treatment related to that disability
• Government-issued identification numbers, such as Social Security numbers and driver's license numbers
• Financial account data, including account numbers, login credentials, and credit or debit card numbers when combined with any access code, password, or credential that would permit access to the account

The act adds a novel disclosure requirement targeting artificial intelligence. A controller that collects, uses, or sells personal data for the purpose of training large language models must include a statement to that effect in its privacy notice. Multiple sources analyzing the amendment have described this as the first requirement of its kind in a U.S. state comprehensive privacy law.

For minors, the act raises the age threshold for categorical protections. Previously, Connecticut required opt-in consent before selling the personal data of consumers under 16 or using such data for targeted advertising. Under PA 25-113, controllers are categorically prohibited from processing the personal data of any individual they know or willfully disregard to be under 18 for targeted advertising or for sale, regardless of whether consent has been obtained.

New consumer rights added by the act include:

• Third-party disclosure list: consumers may request a list of the third parties to whom the controller has sold their personal data
• Inference access: the right to access now extends to inferences the controller has drawn from personal data, not only the underlying raw data
• Profiling and automated-decision rights: consumers gain rights tied to certain covered automated profiling decisions, including the right to know the reasoning behind a decision, to review the data used, and, in specified circumstances, to correct the underlying data and request reevaluation

Most provisions take effect July 1, 2026. Impact-assessment obligations apply to processing activities created on or after August 1, 2026.

What the Law Actually Says

Connecticut's privacy framework began with Public Act 22-15, signed May 10, 2022 and effective July 1, 2023. That law, modeled in part on the Virginia Consumer Data Protection Act, established a rights-and-obligations framework covering controllers and processors operating in Connecticut. It granted consumers the rights to access, delete, correct, and obtain a portable copy of their personal data, and to opt out of the processing of personal data for targeted advertising, sale, or certain profiling.

CTDPA consumer rights as originally enacted applied to controllers processing the personal data of at least 100,000 Connecticut consumers per year, or deriving more than 25 percent of gross revenue from selling personal data while processing the data of at least 25,000 consumers. PA 22-15 also defined sensitive data to include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, precise geolocation, genetic or biometric data processed for identification, and personal data from a known child.

PA 25-113 operates as an amendment to that structure. It does not create a separate law; it modifies the definitions, obligations, and rights already in the CTDPA. The practical effect is that a controller reading the CTDPA after July 1, 2026 will encounter the amended thresholds, the expanded sensitive-data list, the LLM-training disclosure requirement, the categorical minor-data prohibition, and the expanded consumer rights as part of the same statutory framework.

The Connecticut Data Privacy Act hub page tracks the full structure of the law as amended. For the complete text of the amendment, see the official act at the Connecticut General Assembly website linked in Sources below.

Analysis: Why This Matters

The following is analysis from the Recording Law Editorial Team.

A much larger compliance universe. The drop from 100,000 to 35,000 consumers is not incremental. A mid-size e-commerce operator, a regional healthcare adjacent services company, or a subscription platform that previously sat comfortably below the CTDPA threshold may find itself in scope as of July 1. The removal of volume floors for sensitive-data processing and data sales tightens the net further: any company selling personal data, even in modest volumes, is now a covered controller.

Neural data as a legal category. Connecticut joins a small but growing group of states to codify neural data as a protected category. The provision reflects the emergence of consumer-facing neurotechnology, from wellness headbands that detect stress responses to early-stage brain-computer interfaces. By placing neural data alongside biometric and genetic data in the sensitive-data tier, Connecticut signals that data derived from brain activity carries a heightened privacy interest. Controllers handling any consumer device that reads neural signals will need to evaluate whether their data collection triggers CTDPA obligations.

The LLM-training disclosure. The requirement to disclose in a privacy notice whether personal data is used to train large language models is, based on current reporting, the first of its kind enacted at the state level in the United States. It does not prohibit such use; it requires transparency about it. The practical compliance question is whether a controller's current privacy notice addresses AI training data practices at all. Many do not. Controllers that collect data through consumer-facing products and feed that data into model-training pipelines will need to update their notices before July 1.

Categorical minor protections at 18. Moving from a consent-based regime for under-16 consumers to a categorical ban for under-18 consumers eliminates the option to obtain consent and then proceed. Controllers cannot opt in a 16- or 17-year-old to targeted advertising or data sale; those uses are prohibited outright. The addition of prohibitions on design features intended to extend minors' engagement with a service adds a layer that goes beyond data-handling rules into product design territory.

Connecticut in the multi-state July 1 privacy wave. Connecticut is not alone in expanding its privacy framework in mid-2026. Multiple states have passed or amended comprehensive privacy laws with clustered effective dates. This reflects a pattern in state privacy legislation: governors sign bills in spring, and July 1 serves as a recurring activation date for privacy provisions. Businesses operating across multiple states face an accelerating compliance calendar as the body of state law diverges in threshold levels, sensitive-data definitions, and rights catalogs.

The transgender and nonbinary status category. Adding status as transgender or nonbinary to the sensitive-data definition places this category alongside sexual orientation, which has been sensitive data under the CTDPA since 2023. Controllers that collect this data, whether through user-provided forms, inferred signals, or third-party sources, will need to apply the higher-protection obligations that apply to sensitive data generally, including data-protection-assessment requirements and opt-in consent for processing.

How This Affects You

If you are a Connecticut consumer: As of July 1, 2026, you will have expanded rights under the CTDPA. You can ask a covered controller for the list of third parties to whom your data was sold. You can request access to inferences the controller has drawn from your data, not only the underlying records. If you or a minor in your household are under 18, no covered controller may sell your personal data or use it for targeted advertising, regardless of any consent mechanism.

If you operate a business: Review whether you cross the 35,000-consumer threshold as of your most recent calendar year. If you previously reviewed your CTDPA obligations and concluded you were not covered, rerun that analysis. Check your privacy notice for compliance with the LLM-training-disclosure requirement if your business uses customer data to train AI models. Audit your practices with respect to consumers under 18. Sensitive-data categories have expanded; any data-protection assessment conducted before PA 25-113 was signed may need to be revisited.

What Happens Next

The July 1, 2026 effective date is days away. Connecticut law vests enforcement authority in the Attorney General; there is no private right of action under the CTDPA. In February 2026, the Connecticut AG's office issued a signal of heightened enforcement interest specifically around minors' data privacy. The AG's office has not published formal guidance specific to PA 25-113 as of the date of this article, but the office's general posture on CTDPA enforcement has been active since the law's original 2023 effective date.

Impact-assessment obligations tied to processing activities created on or after August 1, 2026 give controllers a short additional window for that specific compliance step, but the core obligations, threshold applicability, sensitive-data handling, privacy-notice updates, minor-data prohibitions, and the new consumer rights, take effect July 1.

This is general legal information, not legal advice. It covers Connecticut privacy law and reflects sources verified on June 26, 2026. Laws change and this story is developing; consult a lawyer licensed in your jurisdiction about your specific situation.

Sources

• Connecticut Public Act 25-113 (Substitute Senate Bill 1295), 2025 Session, Connecticut General Assembly (primary source; PDF; cga.ct.gov)
• Hunton Andrews Kurth Privacy and Cybersecurity Law Blog: "Connecticut Amends the Connecticut Data Privacy Act" (Tier-2 firm analysis)
• Wiley Law: "Major Changes to Connecticut's Consumer Privacy Law Will Take Effect July 1, 2026" (Tier-2 firm analysis)
• Bryan Cave Leighton Paisner: "Connecticut Quietly Adds AI Disclosure Mandate to Consumer Privacy Law" (Tier-2 firm analysis, Oct. 2025)
• Covington Inside Privacy: "Connecticut Legislature Amends Its Privacy Statute" (Tier-2 firm analysis)
• Kelley Drye Ad Law Access: "Fragmentation of Privacy Requirements Accelerates as Four States Amend Nascent Laws" (Tier-2 firm analysis)
• Perkins Coie: "Connecticut Pierces the GLBA Veil in Overhauling its Omnibus Privacy Law" (Tier-2 firm analysis)
• Future of Privacy Forum: "The Connecticut Data Privacy Act Gets an Overhaul (Again)" (nonprofit policy analysis)
• Connecticut Attorney General: The Connecticut Data Privacy Act (gov; enforcement authority)

Related articles

• Connecticut Data Privacy Act (CTDPA), Overview
• CTDPA Consumer Rights Guide
• Connecticut Biometric Privacy Law
• U.S. Data Privacy Laws, National Hub

---

Last updated: 2026-06-26. This is a developing story; details verified as of 2026-06-26.