Connecticut Enacts Privacy Law Update, Aims to 'Keep Pace' With Tech
Connecticut will amend its privacy law again with what some lawyers say are significant changes. Gov. Ned Lamont (D) on Wednesday signed an omnibus (SB-1295) that contained the language of a bill (SB-1356) by Sen. James Maroney (D) updating the state’s 2022 privacy law (see 2506050004). Changes to the Connecticut Data Privacy Act (CTDPA) will take effect July 1, 2026.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
“Our laws place Connecticut at the forefront of consumer data privacy, and this year’s updates ensure that our statutes keep pace with evolving technology and threats,” said Connecticut Attorney General William Tong (D) in a statement emailed to Privacy Daily.
The privacy amendments bill makes a variety of changes, including refining the law’s data-minimization requirements and tightening an exemption for the Gramm-Leach-Bliley Act to a data-level carve-out from an entity-level one. Many changes responded to recommendations in an AG report.
It would also lower applicability thresholds to cover businesses that process data of at least 35,000 consumers, down from 100,000 in the current law, and add neural and financial account data to the definition of sensitive data (see 2505140067). Additionally, the privacy legislation would now cover kids younger than 18, up from 16 previously. The CTDPA was previously amended in 2023 to cover health and children’s data.
"Perhaps one of the most significant developments is not contained in the bill at all," Husch Blackwell privacy lawyers David Stauss, Shelby Dolen and Marlaina Pinto blogged Wednesday. "As part of the budgeting process, Senator Maroney secured an increase in funding for the Attorney General’s office to hire more enforcers."
The Connecticut law contains tweaked data-minimization language that doesn't go as far as controversial provisions in Maryland's privacy law. However, the Husch Blackwell lawyers argued that the provisions provide the state AG "with ample language to enforce against controllers the office believes are engaging in inappropriate data collection and processing activities."
Under Connecticut's amended law, "the collection has to be necessary and proportionate to the purposes for which the data are processed as disclosed to the consumer," the lawyers said. "Ultimately, this means that controllers need to be careful and thoughtful about what they say in their privacy notices."
On secondary purposes, the amended law says that "if controllers want to process data for 'any material new purpose' that are not necessary or compatible with the purposes disclosed to the consumer, they must obtain consent or ensure that those purposes are, for example, consistent with consumer expectations, the relationship with the consumer, and the context of the collection," said the attorneys: "In so doing, the Connecticut law borrows concepts from" California.
"The Connecticut amendments also try to address the concern with relying on consumer consent for the processing of sensitive data by adding the requirement that the processing also must be 'reasonably necessary in relation to the purposes for which such sensitive data are processed,'" the lawyers wrote. "In so doing, the amendments attempt to create a standard that controllers can understand rather than using terms such as 'strictly necessary' that are so ambiguous they arguably could never be enforced."
All together, the amendments bill makes the CTDPA “one of the strongest privacy laws” in the U.S., said privacy attorney Sheri Porath Rockwell of Sidley Austin in a LinkedIn post Wednesday.
However, Consumer Reports hopes it’s not “the end of the story” for updating the Connecticut law, policy analyst Matt Schwartz said in an email. “We support a lot of the improvements to the CTDPA in this amendment package and are glad to see them signed into law. However, there is still a lot of work remaining to ensure that Connecticut’s privacy law is as protective of consumers as it should be.”