For organizations covered by the Connecticut Data Privacy Act (CTDPA) amendments, it is critical to begin updating internal operational, governance, and documentation practices to achieve compliance by the July 1 deadline.
Key Internal Processes to Update
- Employee-facing policies, procedures, and training
- Vendor contracts and Data Processing Agreements (DPAs)
Employee-Facing Policies, Procedures, and Training
With the CTDPA Amendments, covered organizations should plan to update their employee-facing policies and the employee handbook provisions concerning the privacy and security of personal information.
Next Steps for Businesses
- Assemble your privacy team. Gather representative stakeholders from executive leadership, HR, operations, sales/marketing, IT, and legal (lean on outside legal counsel if needed) to identify and prioritize gaps in organizational policies and procedures impacted by the CTDPA.
- Map personal data. Know how personal data is stored and flows through the organization, including what technology platforms or software solutions process the data and whether such data is used to train large language models.
- Update policies / employee handbook. Review and update policies to conform with CTDPA amendments, being sure to:
- Clarify what categories of personal data are collected, for what limited purposes they are collected, where they are stored, for how long they are stored, who has access, how they are deleted, and how they are secured. This process is easiest when a company commits to collecting only essential data.
- Specify how to handle certain types of personal data, especially sensitive data. For instance, the targeted advertising to and sale of personal data related to minors must be strictly prohibited.
- Draft or update policies around acceptable use of AI solutions and automated decision-making software, expressly addressing usage in the creation of consumer profiles or in assisting in decision making around a person’s suitability for hiring/promotion, lending, renting, and purchasing or receiving services.
- Establish roles and procedures for responding to consumer requests to exercise their CTDPA rights, including opt-out and/or opt-in mechanisms.
- Identify third parties or vendors with whom the organization shares personal data and develop a policy around vendor management for CTDPA compliance purposes.
- Outline penalties or sanctions for employee noncompliance.
- Solicit and incorporate employee feedback during and after the drafting and revision process to promote employee awareness and buy-in, and to ensure the policies comport with operational realities.
- Review cybersecurity. Review and update written information on the organization’s security program and cybersecurity procedures to account for any tightened safeguards required by the organization’s new CTDPA compliance commitments.
- Minimize data. Determine what consumer data is essential to collect. Avoid storing consumer data indefinitely by implementing automated deletion or anonymization procedures.
- Monitor for compliance. Set up internal monitoring or an audit system to ensure compliance.
- Conduct trainings. Conduct trainings for all employees on new procedures based on feedback.
- Run impact assessments. Conduct impact assessments to evaluate and document the risks, and the mitigations for those risks, around consumer profiling, automated decision-making, personal data sales, and targeted advertising (we will dive deeper into this topic in an upcoming post).
Vendor Contracts and Data Processing Agreements (DPAs)
Under the CTDPA, companies are responsible for ensuring that their vendors (referred to as “processors”) handle personal data in compliance with the new requirements.
Vendor contracts or Data Processing Agreements (DPAs) must:
- Be in the form of a written contract (no handshake agreements).
- Clearly outline the nature, purpose and duration of the processing.
- Specify the types of personal data involved, particularly sensitive data.
- Require that the vendor follow your documented instructions whenever processing data.
- Prohibit vendors from selling or using the data for any purpose not included in the contract terms, including the training of artificial intelligence or machine-learning systems (Connecticut’s Attorney General William Tong recently made it clear that AI usage or training is covered by the CTDPA).
- Require vendors to maintain appropriate security safeguards, to notify the company promptly of any breach, and to notify the company if any of its instructions appear inconsistent with the CTDPA.
- Confirm that the vendor’s consumer data privacy policies align with the company’s (we will cover this more in a future post).
Next Steps for Businesses
- Identify covered vendors. Assemble your privacy team (see above). Identify third parties or vendors with whom the organization shares personal data. Develop or update a policy around vendor management for CTDPA compliance purposes.
- Update agreements. Review existing vendor relationships, update standard contract templates, and renegotiate or amend agreements where necessary. Fashioning a DPA as an addendum to the existing contract can be a straightforward way to achieve compliance.
- Understand large vendor policies. Some vendors, such as industry-standard cloud service providers, do not offer negotiable service agreements or DPAs. However, they often publish detailed policies and offer technical features to support customers’ data privacy compliance needs. Familiarize yourself with such policies and with any optional compliance features you should enable.
National Updates: California Data Privacy Law Enforcement and Oklahoma’s Privacy Bill Signed Into Law
California Data Privacy Law Enforcement
Last month, California Attorney General Rob Bonta announced that the Walt Disney Company (Disney) has agreed to pay $2.75 million in civil penalties for failing to honor consumer opt-out requests to prevent the sale or sharing of their data across several streaming platforms, including Disney+, Hulu, and ESPN+. It is the largest settlement reached under the California Consumer Privacy Act (CCPA) since the law took effect in 2020. Under the CCPA, businesses are prohibited from engaging in deceptive or unduly burdensome practices that interfere with a consumer’s ability to control their personal data (e.g., requiring consumers to submit separate opt-out requests for each of a business’s individual services, or from each individual device used to access a service).
Oklahoma’s Privacy Bill Signed Into Law
By an overwhelming majority, the Oklahoma legislature approved its amended privacy bill (Senate Bill 546), which Governor Kevin Stitt recently signed into law, capping a legislative process that started in 2020. The Oklahoma Data Privacy Act (OKDPA) will take effect January 1, 2027. On the spectrum of restrictiveness, the OKDPA lands in the middle, comparable to the Virginia Consumer Data Protection Act.
The law provides basic consumer rights and covers businesses that control or process the personal data of at least 100,000 Oklahomans (or that of at least 25,000 while deriving at least 50% of gross revenue from personal data sales). However, it falls short of requirements we’ve seen in other states, like recognition of universal opt-out mechanisms and enhanced privacy protections for children.
Key Takeaways for Businesses
The record CCPA settlement underscores the importance of implementing clear, unified, and effective mechanisms to honor consumer opt-out requests to avoid regulatory scrutiny and significant penalties. Stay tuned to Pulse on Privacy for more information on developing successful opt-out strategies.
The six-year journey that led Oklahoma to become the 20th state to pass a comprehensive consumer data privacy law and the most recent round of CTDPA amendments reflect a slow but steady march toward nationwide data privacy regulation. Businesses everywhere will serve themselves well to stay abreast of developments as these laws continue to expand and to mature.
Concluding Considerations
The July 1 CTDPA deadline is rapidly approaching, but there’s still time to bring your organization into compliance.
California’s data privacy enforcement should be a warning to business leaders who “don’t have time” for data privacy management. Hoping that the Connecticut Attorney General simply won’t notice your business is a risky move that could lead to a complicated and expensive legal entanglement.
For organizations struggling to find the time or resources to think about data privacy, outside legal counsel can offer support and streamline the process.
For guidance on how the Connecticut Data Privacy Act Amendments might impact your business, please contact:
Sherwin M. Yoder, CIPP/US, CIPP/E and CIPM
Partner
203.784.3107
[email protected]
Join us for a complimentary Business Briefing Lunch
Is your business ready for Connecticut’s new AI and Data Privacy rules?
Tuesday, May 5, 2026: 12:00 – 1:30 PM
Chamber of Commerce of Eastern Connecticut
To register, click here.
If you have topics you would like to see discussed, please email us with your ideas. We’d love to hear from you.
Carmody’s Technology & Data Privacy lawyers advise companies on the strategic adoption of emerging technologies, including artificial intelligence, social media, cloud platforms, IoT, and data analytics, while guiding cybersecurity risk management and the responsible collection, use, and protection of corporate and personal data.
This information is for educational purposes only to provide general information and a general understanding of the law. It does not constitute legal advice and does not establish any attorney-client relationship.