In late June 2025, Connecticut lawmakers passed a statute making significant amendments to the Connecticut Data Privacy Act (“CTDPA”). The amendments strengthen the CTDPA and make it applicable to almost every business that collects and/or processes consumer personal data. Here are a couple of the notable changes.
More businesses covered by the CTDPA
In the original version of the CTDPA, covered businesses were defined in the usual manner: those that controlled or processed personal data for at least 100,000 Connecticut consumers, OR those that controlled or processed the personal data of at least 25,000 consumers and derived 25% or more of their gross revenue from the sale of personal data. The original definition was used in similar statutes.
However, Connecticut legislators have blazed a new trail. Now the CTDPA applies to businesses that:
- Control or process the personal data of at least 35,000 consumers OR
- Control or process the sensitive data of ANY consumers (excluding data processed solely for payment purposes) OR
- Offer consumer personal data for sale
The new definition gives greater importance to the distinction between personal data and sensitive data. Most similar statutes make the distinction, but there it carries little practical weight. Personal data generally means data that can be used to identify a person but is not particularly intrusive on privacy. On the other hand, sensitive data is defined as including data about race, religion, sexual orientation, gender, gender fluidity, biometric data, neural data, and more.
Regulations on profiling are strengthened
The most recently enacted consumer data privacy statutes have highlighted privacy issues related to profiling. Consumer data can be used to identify personal characteristics (like race or sexuality) that can be used for targeted advertising. The same data can also be used as part of a company’s automated evaluation of an individual for services and products (like access to credit or other financial products).
The revised CTDPA gives consumers new rights with respect to their data when used for automated decision-making. First, the revised CTDPA allows consumers to opt out of having their data processed for any automated decision-making, not just circumstances where the data was processed SOLELY for automated decision-making.
Second, Connecticut consumers now have the right to know whether personal data is being used for automated decision-making, AND what inferences are being used by the company when the data is used for profiling in this manner. In the original version of the CTDPA, Connecticut consumers were given the right to know what data is/was being collected, how the data was processed, to whom it was sold, etc. The list has now been expanded.
Third, the revised CTDPA clarifies that consumer rights and protections apply not only when a covered business is making automated decisions, but also when automated decisions are being made “on behalf of” a controller. Thus, affiliated and third parties are now covered.
Finally, the revised CTDPA mandates that companies that use profiling for automated decision-making must provide certain appeal rights. More specifically, consumers must be given a mechanism for:
- Challenging or questioning the decision
- Obtaining an explanation of how the decision was made and how/why the result was reached
- Examining the personal data that was used in the profiling
- Correcting inaccurate data and asking for a re-evaluation (applies only in housing-related circumstances)
Practical Compliance Implications for Businesses
The 2025 amendments to the Connecticut Data Privacy Act represent more than an incremental update — they signal a broader legislative trend toward tighter data regulation that businesses operating in Connecticut, or collecting data from Connecticut residents, must take seriously. Below is a deeper look at what these changes mean operationally, and how similar developments are unfolding across the country.
What “Sensitive Data” Actually Covers
Because the amended CTDPA now sweeps in any business that processes sensitive data from even a single Connecticut consumer, understanding the definition is critical. Under the revised statute, “sensitive data” includes:
- Personal data revealing racial or ethnic origin, religious beliefs, or mental or physical health condition or diagnosis
- Data concerning sexual orientation or gender identity
- Genetic or biometric data processed for the purpose of uniquely identifying a natural person
- Personal data collected from a known child
- Precise geolocation data (meaning data that identifies a consumer’s location within a radius of 1,750 feet)
- Neural data — a new category reflecting legislative concern over brain-computer interface and neurotechnology products
This means that a relatively small wellness app, a mental health platform, a religious organization’s website, or any business collecting biometric data faces coverage even if it processes data from only a handful of Connecticut residents.
What Businesses Must Do Now
Companies newly covered by the amended CTDPA — or companies already covered that must now comply with the expanded profiling provisions — should take the following compliance steps:
- Data mapping and inventory. Identify every category of personal and sensitive data your organization collects, the purpose of collection, where it is stored, who can access it, and whether it is sold or shared with third parties. Without a current data map, meaningful compliance is impossible.
- Update privacy policies. Connecticut consumers must be informed of their rights under the CTDPA, including the new rights related to automated decision-making. Privacy policies must be updated to reflect the full scope of what data is collected, how it is used for profiling, and how consumers can exercise their rights.
- Build opt-out mechanisms. The amended CTDPA requires that consumers be able to opt out of profiling for automated decision-making. This requires more than a checkbox; it requires a functional mechanism that is linked to your data processing systems.
- Audit third-party data processors. The expanded coverage of third parties acting “on behalf of” a controller means that vendor contracts must include data processing addenda and that vendor compliance must be periodically audited.
- Implement appeal procedures. For automated decision-making in housing-related contexts (and the broader right to challenge and question decisions), businesses must build mechanisms that allow consumers to request review of automated decisions, obtain explanations, and submit corrections.
The National Landscape: Connecticut Is Not Alone
The CTDPA amendments are part of a national wave. As of 2025, more than 20 states have enacted comprehensive consumer privacy statutes, and at least five more have legislation pending. The California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.), as amended by the CPRA, remains the most expansive, but statutes in Virginia (VCDPA, Va. Code Ann. §§ 59.1-575 et seq.), Colorado (CPA, C.R.S. §§ 6-1-1301 et seq.), Texas (TDPSA, Tex. Bus. & Com. Code §§ 541.001 et seq.), and others create a patchwork that businesses operating nationally must navigate simultaneously.
The enforcement landscape is also sharpening. The Connecticut Attorney General has actively enforced the original CTDPA, and the 2025 amendments include increased penalty provisions. Violations can result in civil penalties of up to $5,000 per willful violation, and class action exposure under related consumer protection statutes adds further financial risk.
Businesses operating across multiple states should consider a unified data governance framework — one built around the most restrictive requirements — rather than attempting to maintain jurisdiction-by-jurisdiction compliance silos. Contact the Consumer Data Privacy and Compliance attorneys at Revision Legal to assess your current compliance posture and prepare for the expanded CTDPA requirements.