
Connecticut Significantly Expands the Connecticut Data Privacy Act (CTDPA)

31 Jul


 

Update Applicable to: All Covered Business
Effective Date: July 1, 2025; July 1, 2026 – Amendments go into Effect


What happened?

On June 25, 2025, Connecticut Governor Ned Lamont signed into law Senate Bill 1295, significantly updating the Connecticut Data Privacy Act (CTDPA) and introducing new consumer protection measures across broadband access, online services, social media, artificial intelligence, and children’s privacy.


Overview:

SB 1295 modernizes Connecticut’s privacy framework, expanding protections for consumers and minors while introducing new obligations for businesses. Companies in sectors like FinTech, housing, health services, and AI must reassess their data practices, ensure compliance with profiling and consent rules, and update their privacy notices accordingly.


Effective July 1, 2025

  • General enactment date of the law.
  • Gaming and lottery licensing updates (Section 2).
  • Sports wagering and online gaming controls (Section 3).
  • Consumer contract and automatic renewal transparency (Section 20).
  • Vehicle sales and advertising transparency (Section 21).
  • Home improvement advertising rules (Section 22).


Effective October 1, 2025

  • Lottery vendor licensing and delivery provisions (Section 2).
  • Consumer contract disclosures and cancellation mechanisms (Section 20).
  • Vehicle dealer disclosure requirements (Section 21).
  • Home improvement advertising exemptions for large national advertisers (Section 22).


Effective October 1, 2026

  • Net Equality Program (affordable broadband access) begins.
  • Social media platforms must implement:
    • Online Safety Centers
    • Cyberbullying policies


Effective July 1, 2026

  • Major amendments to the Connecticut Data Privacy Act (CTDPA):
    • Expanded applicability and definitions.
    • New consumer rights.
    • Sensitive data protections.
    • Data minimization and profiling rules.
    • Privacy notice requirements.
    • Impact assessments for profiling and AI.
  • Children’s privacy protections.
  • Connected vehicle service protections for survivors of domestic violence.
  • Processor and controller obligations.
  • Bias auditing and internal use exceptions.


Additional Information:


Expanded Scope of the CTDPA

  • Lowers the applicability threshold to businesses processing data of 35,000+ consumers or any amount of sensitive data or data offered for sale.
  • Removes the entity-level exemption for financial institutions under the Gramm-Leach-Bliley Act (GLBA), replacing it with a narrower data-level exemption.


Broader Definition of Sensitive Data

  • Now includes disability status, nonbinary or transgender status, neural data, financial access credentials, and government-issued IDs.
  • Prohibits the sale of sensitive data without clear, informed consumer consent.


Stronger Consumer Rights

  • Consumers can now:
    • Access inferences made about them.
    • Know if their data is used in profiling.
    • Request a list of third parties to whom their data has been sold.
  • Sensitive data like Social Security numbers and biometric data cannot be disclosed in access requests—only acknowledged.

Data Minimization Requirements

  • Controllers must limit data collection to what is “reasonably necessary and proportionate” to the disclosed purpose.
  • New uses of data require consent unless they are compatible with the original purpose.


Profiling, AI, and Impact Assessments

  • Consumers can opt out of any automated decision-making with legal or significant effects—even if a human is involved.
  • Controllers must conduct detailed impact assessments for profiling, including use cases, risks, and transparency measures.
  • Special rules apply to profiling involving minors.
  • Controllers may use sensitive data for bias auditing without consent to ensure fairness in automated systems.


Children’s Privacy Protections

  • Prohibits the sale of personal data and targeted advertising to anyone under 18, regardless of consent.
  • Requires impact assessments for profiling minors.
  • Redefines “heightened risk of harm to minors” to include harassment, violence, and exploitation.


Privacy Notices

  • Must include (1) the date of the most recent update, (2) whether personal data is used to train large language models (LLMs), and (3) clear disclosures about data sales and targeted advertising.
  • Must be accessible via a “privacy” link on websites and apps, in all business languages, and accessible to individuals with disabilities.
  • Retroactive changes require consumer notification and an opportunity to withdraw consent.

Net Equality Program: Launching October 1, 2026, this program ensures affordable broadband access for low-income households, capped at $40/month with minimum speed requirements.

Gaming and Lottery Oversight

  • Expands licensing and reporting requirements for vendors and employees.
  • Introduces penalties for noncompliance and mandates prompt incident reporting.

Consumer Contracts and Renewals

  • Requires clear disclosures for auto-renewing contracts.
  • Mandates easy online cancellation options.

Connected Vehicle Protections: Allows survivors of domestic violence to disable abuser access to connected vehicle services within two business days.




This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.
