CTDPA impact assessments, workplace app hacks, and Alabama’s new data privacy law
Key Takeaways for Businesses
- Impact assessments (IAs) are mandatory when covered businesses employ profiling on or after August 1, 2026, that causes a legal or significant effect for any consumer, or for any profiling of minors, regardless of severity of effect
- IAs cover the purpose of the profiling, risks, data use, performance, transparency, and monitoring
- IAs may be required in addition to pre-existing data protection assessment obligations for any type of processing that presents a heightened risk of harm
- Businesses should educate employees around app safety for their personal devices when those devices are used for business matters
- Businesses that conduct interstate commerce should be aware that Alabama has joined the nationwide patchwork of comprehensive consumer data privacy laws
Steps for Businesses Preparing for Impact Assessments
- Audit existing profiling activities to determine which trigger impact assessments
- Create an impact assessment template with the help of internal stakeholders and privacy counsel
- Update the company’s internal protocols and procedures and internal governance frameworks to prompt impact assessments when necessary
- Educate and train employees on impact assessment protocols
New Impact Assessment Requirements
With changes to the Connecticut Data Privacy Act (CTDPA) set to take effect on July 1, 2026, covered businesses that engage in profiling should prepare for the new impact assessment requirements.
What is Profiling?
Under the CTDPA, profiling is any form of automated processing done on personal data to evaluate, analyze, or predict personal aspects related to an individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. If you are using a software application, AI tool, or similar technology to help you evaluate, track, or make judgments about a consumer, you are likely profiling.
What is an Impact Assessment?
An impact assessment (IA) is a documented evaluation required when a covered business uses profiling to make decisions that produce legal or significant effect(s), or when profiling involves minors. IAs must outline the purpose of the profiling, analyze risks to consumers, and describe the data inputs and outputs, safeguards, transparency measures, and ongoing monitoring to track the profiling system’s post-deployment behavior. IAs can be required in addition to existing data protection assessment obligations for processing that presents a heightened risk of harm to consumers.
When are Impact Assessments Required for Connecticut Businesses?
Connecticut businesses and service providers that engage in profiling to make decisions that produce a legal or similarly significant effect concerning a consumer will now be required to complete an impact assessment for all profiling activities created or generated on or after August 1, 2026.
A decision that produces a legal or similarly significant effect includes any decision to provide or to deny services such as:
- Financial or lending services
- Housing
- Insurance
- Education enrollment opportunities
- Criminal justice
- Employment opportunities
- Healthcare services
Examples of Profiling Triggers for an Impact Assessment
- Financing, Credit or Billing Decisions: Any profiling used to approve/deny customer credit, payment plan terms, or financing
- Fraud detection: Profiling that flags consumer transactions as fraudulent and automatically suspends or restricts service access
- Hiring or Promotion Decisions: Automated screening of job applicants or internal tools used for hiring, promotion, or workforce decisions
- Employee Evaluation: Behavioral or productivity profiling of employees
- Dynamic Pricing: Dynamic pricing or personalized offers based on profiling may trigger an IA if the price differences are considered significant
Additional Data Protections for Minors
The amended CTDPA adds profiling protections for minors (those under 18 years old). If a product or service profiles minors, an impact assessment may be required even if the profiling does not produce a legal or similarly significant effect.
Examples of Profiling Triggers for an Impact Assessment for Minors
- Geolocation Data: Use of precise geolocation data to profile a minor’s movements and limit participation in location-based promotions or events
- Access: Monitoring a minor’s activity, engagement patterns, and in-app behavior to determine whether to restrict, promote, or limit their access to certain features (e.g., monetization tools)
How can you create an Impact Assessment?
Under the CTDPA, a covered business or “controller” must include the following seven items in its impact assessment:
- Purpose and Benefits. A statement disclosing the purpose, intended use cases, deployment context, and benefits afforded by the profiling.
- Risk Analysis. An analysis of whether the profiling poses any known or reasonably foreseeable heightened risk of harm to a consumer. If there is risk:
  - The nature of the heightened risk of harm to the consumer
  - The steps taken to mitigate the heightened risk of harm
- Data Inputs and Outputs. A description of:
  - The main categories of personal data processed for the profiling
  - The outputs the profiling produces
- Customization Data. An overview of the main categories of personal data used if the controller uses data to customize profiling activities.
- Performance and Limitations. The metrics used to evaluate the performance of the profiling activities, and its known limitations.
- Transparency Measures. A description of any transparency measures taken concerning the profiling activities, including any measures taken to disclose to consumers that the controller is engaged in profiling while such profiling occurs.
- Post-Deployment Monitoring and Safeguards. A description of post-deployment monitoring and user safeguards, including the oversight, use, and learning processes established by the controller to address issues arising from the profiling.
How does an Impact Assessment differ from a Data Protection Assessment?
It is important to note that these changes add to, and do not replace, controllers’ existing obligations to complete data protection assessments (DPAs). A data protection assessment is a risk-benefit analysis that must be conducted when processing activities present a heightened risk of harm to consumers (regardless of whether a profiling system is involved). The DPA addresses the processing risk. The IA addresses the profiling decision system itself. An IA is more specific, technical, and carries an ongoing monitoring obligation. The two assessments stack. A controller that engages in covered profiling will almost certainly have to conduct both an IA and a DPA.
Next Steps for Businesses Preparing for Impact Assessments
With August 1, 2026, rapidly approaching, companies subject to the CTDPA should act now to assess their compliance readiness when it comes to IAs:
- Audit existing profiling activities to determine which trigger impact assessments
- Create an impact assessment template with the help of internal stakeholders and privacy counsel
- Update the company’s internal protocols and procedures and internal governance frameworks to prompt impact assessments when necessary
- Educate and train employees on impact assessment protocols
Alleged Government-Funded, Fake WhatsApp Points to the Dangers of Utilizing Personal Employee Phones for Business
Many employers encourage or allow employees to use their personal devices such as cell phones, tablets or computers for work use. However, employers who allow personal device use for business must be aware of the heightened security risks those devices introduce.
Fake apps that contain spyware recently came into the news as WhatsApp accused Italian spyware maker SIO of creating and deploying a fake version of its app. WhatsApp issued a warning to approximately 200 users who installed the fake app, which was allegedly used by Italian governmental spy agencies for surveillance. Although this story sounds like it comes out of a Hollywood script, personal devices face a wide array of cybersecurity threats, which in turn can expose business data.
Key Takeaways for Businesses
To help employees navigate personal device safety, review and revise BYOD policies and, when conducting company-wide cybersecurity training, train employees to install apps only from verified app stores (never install an app from a link in a message, even if the message looks official), to keep their devices updated, and to be wary of "premium" or "free" versions of popular apps.
Alabama Personal Data Protection Act Signed into Law
Although Alabama is the 22nd state to have joined the Union, it just became the 21st state to have passed a comprehensive consumer data privacy law. Governor Kay Ivey signed House Bill 351, the Alabama Personal Data Protection Act (APDPA), into law on April 16, 2026. The legislation, which passed unanimously in the state legislature, establishes a comprehensive consumer privacy framework that takes effect on May 1, 2027.
How does Alabama’s Data Privacy Law Compare with Other State Laws?
The APDPA combines many aspects of other state data privacy laws and adds its own nuances. Like Connecticut- and Virginia-style laws, it grants consumers core rights to access, correction, deletion, and opt-out of targeted advertising, sales, and certain profiling, and imposes corresponding duties on controllers and data processors. The APDPA parts ways with other states in that it:
- Creates the nation’s lowest coverage threshold: processing involving 25,000 or more data subjects
- Imposes coverage for the sale of a single Alabamian’s personal data
- Exempts small businesses (fewer than 500 employees) and small nonprofits (fewer than 100 employees) that don’t sell personal data
Overall, the APDPA has a compliance-oriented focus that reduces litigation exposure and regulatory burden and is less extensive than more restrictive regulations like those in the California model.
Concluding Considerations
For covered Connecticut businesses, the priority is clear: prepare for the CTDPA regulations set to take effect July 1 (or on August 1, for the IA requirements). Rather than remaining static, data privacy legislation in the state will continue to broaden and mature. For instance, the current legislative session has several bills on the docket that could add/clarify more requirements surrounding data privacy, some with potential effective dates in October 2026.
Meanwhile, as Alabama joins the widening U.S. state data privacy law patchwork, it becomes more and more likely that still other states will have comprehensive data privacy regulations in the future.
Stay tuned to Pulse on Privacy for the latest data privacy news.
For future guidance on how the Connecticut Data Privacy Act Amendments might impact your business, please contact:
Sherwin M. Yoder, CIPP/US, CIPP/E and CIPM
Partner
203.784.3107
Upcoming Events
Is your business ready for Connecticut’s new AI and Data Privacy rules?
Tuesday, May 5, 2026: 12:00 – 1:30 PM
Chamber of Commerce of Eastern Connecticut
Connecticut’s New AI and Data Privacy Rules
Thursday, May 14, 2026: 8:30 – 10:00 AM
Greater New Haven Chamber of Commerce
Carmody’s Technology & Data Privacy lawyers advise companies on the strategic adoption of emerging technologies, including artificial intelligence, social media, cloud platforms, IoT, and data analytics, while guiding cybersecurity risk management and the responsible collection, use, and protection of corporate and personal data.
This information is for educational purposes only to provide general information and a general understanding of the law. It does not constitute legal advice and does not establish any attorney-client relationship.