The Connecticut Data Privacy Act (CTDPA) has been in effect since July 2023, but a significant set of amendments takes effect on July 1, 2026. Together, these changes expand the law's reach and introduce new operational requirements for organizations already subject to the law.
The amendments lower the primary applicability threshold from 100,000 consumers to 35,000 consumers. They also introduce two new triggers with no minimum volume requirement. An organization may now fall under the law if it processes sensitive data or offers consumers' personal data for sale, even if it does not meet the 35,000-consumer threshold.
For privacy teams, this changes the first compliance question from "How many Connecticut consumers do we process?" to "What types of data do we process and how do we use it?"
A regional business processing sensitive health information, a software provider handling government-issued identifiers, or a company participating in data-sharing arrangements may find itself within scope even if it previously sat outside the law's thresholds.
Before July 2026, organizations should reassess applicability rather than relying on earlier CTDPA analyses.
Sensitive Data Requirements Continue to Expand
In addition to existing categories, sensitive data now includes certain government-issued identifiers, Social Security numbers, financial account information, consumer health data, neural data, and other protected categories.
The changes also strengthen expectations around how this information is handled. Organizations must continue obtaining consent before processing sensitive data. Beginning July 2026, they must also ensure that processing is reasonably necessary for the disclosed purpose. In addition, sensitive data cannot be sold without consumer consent.
Consider a company that collects driver's license information during account verification or stores financial account details as part of a service offering. Data that may previously have been treated as standard personal information may now fall within the expanded sensitive data framework and require additional governance controls.
The challenge is often operational. Organizations need to know where sensitive data exists, how it is used, and whether existing consent and retention practices align with the amended requirements.
Consumer Rights Expand Beyond Access and Deletion
The July 2026 amendments also broaden consumer rights, particularly in relation to profiling and automated decision-making.
Consumers gain new rights to question profiling outcomes that produced any legal or similarly significant effect concerning the consumer, understand the reasoning behind decisions, review data used in those decisions, and in some circumstances request corrections and reevaluation.
The amendments also establish a new right to obtain a list of third parties to whom personal data has been sold.
At the same time, existing access and knowledge rights expand to include inferences derived from personal data and certain profiling-related information.
These changes create new expectations around transparency and traceability. For example, if an organization uses profiling to support decisions related to lending, insurance eligibility, or other significant outcomes, it may need to explain how data contributed to a decision and support requests for additional review.
Meeting these obligations requires more than a privacy notice. Organizations need visibility into decision-making processes, data sources, and downstream data flows.
Connecticut Creates a New AI Governance Intersection
One of the most notable aspects of the amendments is how they bring privacy compliance and AI governance closer together. The Connecticut updates combine three requirements that often appear separately across privacy and AI regulations.
First, privacy notices must disclose whether personal data is collected, used, or sold to train large language models (LLMs).
Second, consumers receive expanded rights related to profiling and automated decision-making.
Third, organizations must conduct impact assessments when profiling is used to make decisions that produce legal or similarly significant effects. This requirement applies to relevant processing activities created or generated on or after August 1, 2026, and is not retroactive.
Taken together, these obligations create a more structured governance framework around AI-enabled decision-making.
A financial services organization using machine learning models to support eligibility decisions may need to disclose relevant data uses, support profiling-related consumer rights requests, and document risk assessments for qualifying activities.
Privacy, AI governance, and consumer rights programs increasingly depend on the same underlying capabilities: data visibility, transparency, documentation, and oversight.
Youth Data and Privacy Notices Receive New Attention
Under the current law, organizations must obtain opt-in consent before selling personal data or engaging in targeted advertising for individuals between 13 and 16 years old.
Beginning July 2026, the protected age range expands to consumers between 13 and 17 years old. The amendments also prohibit targeted advertising and the sale of personal data where the organization has actual knowledge, or willfully disregards, that the consumer falls within that age range.
Privacy notices are also becoming more prescriptive. Organizations must disclose whether they use or sell personal data for LLM training, include specific information about consumer rights, maintain accessible notice formats, and provide mechanisms for notifying consumers about material changes.
A gaming platform, digital publisher, or online service used by teenagers may need to reassess advertising practices, consent workflows, and privacy notice content simultaneously.
Preparing for July 2026
The Connecticut amendments touch nearly every aspect of a privacy program, from scope assessments to AI governance.
Organizations should start by reassessing whether they fall within the law's expanded applicability criteria, particularly where sensitive data processing or data sales are involved.
Privacy notices should be reviewed to address new disclosure requirements, including LLM training activities and expanded consumer rights.
Teams responsible for profiling and automated decision-making should evaluate whether impact assessments, governance processes, and consumer request workflows need updating.
Organizations should also review youth data practices, sensitive data controls, and third-party data-sharing arrangements to ensure they align with the amended requirements.
The organizations best positioned for July 2026 will be those that connect legal requirements to operational processes before enforcement expectations take effect.
The Connecticut amendments expand the scope of the CTDPA while introducing new requirements across sensitive data, profiling, youth data, privacy notices, and AI governance.
For many organizations, the most significant change is not a single obligation but the combination of expanded applicability and more detailed operational expectations. Programs that were designed around traditional privacy compliance now need stronger governance around data use, automated decision-making, and transparency.
For deeper analysis of the CTDPA amendments and other US privacy developments, explore OneTrust DataGuidance.
To see how organizations are operationalizing privacy rights, assessments, privacy notices, and AI governance requirements, learn more about OneTrust Privacy Automation.
Key Questions on Connecticut's 2026 Privacy Amendments