We continue to unpack the top operational impacts of the looming July 1st amendments to the Connecticut Data Privacy Act (“CTDPA”).
Will the CTDPA amendments affect your organization?
Here are the Top Five Business Considerations and an update on the 2026 State Data Privacy Law Landscape.
- Do You Conduct Business in Connecticut or Target Connecticut Residents?
Physical presence in Connecticut is not necessarily required for an entity to conduct business in Connecticut. If your business markets, advertises, or otherwise targets Connecticut residents for the purposes of providing goods or services, even if exclusively online or from a remote location, your business may satisfy the jurisdictional requirement.
- How Many Connecticut Consumers are there whose Personal Data You Control or Process?
Review your business’s records and data from the preceding calendar year. If your organization controlled or processed personal data of 35,000 or more Connecticut consumers, you may meet the revised threshold. Consider, for instance, data collected through websites, mobile apps, customer accounts, loyalty programs, or other platforms. There is one narrow set of personal data that you may exclude from this count: personal information that the business controlled or processed solely for the purpose of completing payment transactions will not count towards the numerical threshold (i.e., you did not add the consumer to your marketing list; you did not use the transaction data to create or augment a consumer profile; etc.).
- Do You Control or Process “Sensitive Data”?
Forget the numerical threshold for a moment. If your business has controlled or processed the sensitive data of at least one Connecticut resident, you may be subject to the CTDPA. Consider whether your business collects data that would reveal, for example, the consumer’s:
- Government-issued ID
- Payment and/or online account login information
- Race or ethnicity
- Religious beliefs
- Mental or physical health
- Certain genetic/biometric information
- Sex life
- Sexual orientation
- Nonbinary/transgender status
- Immigration status
- Criminal history
- Precise geolocation
- Neural data
- Data of a child known to be under 13-years-old
This list of examples is not exhaustive. We encourage you to examine closely the CTDPA’s definition of sensitive data.
- Do You Sell or Offer to Sell Personal Data?
Assess whether your personal data-sharing practices could qualify as a “sale” under the CTDPA. This includes exchanging personal data for money or other valuable consideration. Carefully review your marketing partnerships, data analytics arrangements, or advertising technology solutions. As with the processing of sensitive data, the sale of even one Connecticut resident’s personal data transforms the business into a covered entity under the CTDPA.
- Have Your Operations Expanded Recently?
Businesses that have experienced growth, launched new digital services, expanded into e-commerce, or increased targeted advertising or other personal data uses should take a fresh look at whether their current operations trigger the CTDPA’s newer, expanded applicability thresholds.
2026 State Data Privacy Law Landscape
Connecticut is not the only U.S. state to have passed comprehensive consumer data privacy laws. The following states either have data privacy laws or material amendments that take effect this year:
- Connecticut: amended; effective July 1, 2026
- Indiana: effective January 1, 2026
- Oregon: amended; effective January 1, 2026
- Rhode Island: effective January 1, 2026
- Texas: amended; effective January 1, 2026
- Utah: amended; effective July 1, 2026
Although these laws may differ in terms of their exact applicability thresholds, the answers to the foregoing questions can help prepare your team to determine whether those other state laws or amendments apply to the business.
Concluding Considerations
Covered businesses that do not comply with the CTDPA could face steep penalties. While most enforcement actions in Connecticut are the result of data breaches, according to the Office of the Attorney General’s 2025 Enforcement Report, one settlement reached last year consisted of injunctive relief and a $105,000 payment to the State to address its breach of the CTDPA. Determining whether your business is or will be covered by the CTDPA is the first line of defense for your business and your clients. Please look out for our next issue where we will focus on how to effectively update privacy notices.
For guidance on how the Connecticut Data Privacy Act Amendments might impact your business, please contact:
Sherwin M. Yoder, CIPP/US, CIPP/E and CIPM
Partner
203.784.3107
[email protected]
Join us for a complimentary Business Briefing Lunch
Is your business ready for Connecticut’s new AI and Data Privacy rules?
Tuesday, May 5, 2026: 12:00 – 1:30 PM
Chamber of Commerce of Eastern Connecticut
If you have topics you would like to see discussed, please email us with your ideas. We’d love to hear from you.
Carmody’s Technology & Data Privacy lawyers advise companies on the strategic adoption of emerging technologies, including artificial intelligence, social media, cloud platforms, IoT, and data analytics, while guiding cybersecurity risk management and the responsible collection, use, and protection of corporate and personal data.
This information is for educational purposes only to provide general information and a general understanding of the law. It does not constitute legal advice and does not establish any attorney-client relationship.