Clym Logo

Connecticut Cut Its Privacy Law Threshold by 65%. Arkansas and Utah Added New Rules of Their Own.

Published
AS
AuthorAdam Safar
10 min read

2026 Connecticut, Arkansas, Utah privacy law changes

Connecticut cut its privacy threshold 65% on July 1, 2026. Arkansas added teen privacy rules; Utah added a right to correct data. 20 states now regulate privacy.

Summarize full article with:

State privacy changes 2026

On July 1, 2026, Connecticut cut the number of residents' data a business can process before the state's privacy law applies to it by 65%, from 100,000 consumers down to 35,000. For any company with a website that draws Connecticut traffic, that is a much lower bar to clear.

Connecticut was not the only state moving that day. Arkansas activated the first state law in the country to extend core children's privacy protections to teenagers, and Utah added a right that most other states already had: the ability for residents to correct inaccurate personal data.

This article breaks down the 2026 state privacy law changes in Connecticut, Arkansas, and Utah: what changed, who is newly covered, and what to check first in your own compliance program.

Key takeaways
  • Connecticut cut its privacy law threshold by 65%, from 100,000 to 35,000 residents, effective July 1, 2026.
  • Businesses that process sensitive data or sell personal data in Connecticut now have no consumer minimum at all.
  • Arkansas became the first U.S. state to extend children's privacy protections to teenagers up to age 16.
  • Utah added a right to correct inaccurate personal data, with a 45-day response window for businesses.
  • Twenty U.S. states now have comprehensive privacy laws in effect, covering more than half the population.
  • None of the three states let individual consumers sue; enforcement runs through each state's attorney general.

What is a privacy law applicability threshold?

An applicability threshold is the number of a state's residents whose personal data a business must process in a year before that state's privacy law applies to it. Most state privacy laws set this threshold somewhere between 25,000 and 100,000 consumers.

Connecticut's amended law removes the threshold completely for businesses that process sensitive data or sell personal data, no matter how many residents they reach.

Connecticut: a lower bar and a broader definition of sensitive data

Connecticut's amendment, Senate Bill 1295, updates the Connecticut Data Privacy Act (CTDPA) with extensive changes that go beyond the threshold. The list of information the state classifies as sensitive data, which requires a consumer's explicit opt-in consent before a business can collect it, grew to include neural data collected by wearable and neurotech devices, information about disability status and treatment, a person's nonbinary or transgender status, and financial account credentials.

The state also raised its age threshold for children's data protection from 16 to 18 and closed a consent loophole. Previously, a business could sell a minor's data or use it for targeted advertising if it obtained consent. Under the new rules, that is prohibited outright for anyone under 18, regardless of consent.

New in 2026: disclosing AI and large language model training

Connecticut's amendment also added a provision with no real precedent in other state privacy laws: businesses must now tell consumers whether their personal data is being used to train large language models. Legal analysts note this makes Connecticut the first state to fold AI training disclosure directly into its consumer privacy law, a detail worth watching as more states update their laws through 2026 and beyond.

Penalties and enforcement

None of this comes with a grace period. Connecticut's attorney general has had the authority to enforce the CTDPA without offering businesses a chance to fix a violation first since the law's 60-day cure period sunset on December 31, 2024. Violations can run up to $5,000 each under the Connecticut Unfair Trade Practices Act, counted per consumer affected, not per incident.

The office brought its first CTDPA enforcement action in 2025: an $85,000 settlement with TicketNetwork over a privacy notice the state called largely unreadable.

Arkansas: the first state to extend privacy protections to teens

Arkansas's Children and Teens' Online Privacy Protection Act, signed in April 2025 and effective July 1, 2026, makes it the first state to expand core federal children's privacy protections beyond kids under 13 to include teenagers. Varnum LLP, which tracked the bill through the legislature, calls it a first-of-its-kind law nationally.

Two-tier consent: kids under 13 vs. teens 13 to 16

The law splits consent into two tiers. Parental consent is required to collect a child's personal information. Either a parent or the teen can consent for users aged 13 to 16. Operators are not required to verify age, but they are expected to comply once they have actual knowledge of a user's age.

The law bars targeted advertising to minors using their personal data and limits collection to what is necessary for the service being provided.

Age-tiered consent flows like this are difficult to build and maintain by hand, especially alongside Connecticut's separate under-18 rules.

Enforcement rests exclusively with the Arkansas attorney general, who can pursue civil penalties of up to $10,000 per knowing and willful violation.

Utah: a smaller change with a longer runway

Utah's update to the Utah Consumer Privacy Act (UCPA) is narrower but closes a real gap. Starting July 1, 2026, under House Bill 418, residents gained the right to correct inaccurate personal data a business holds about them. Before this change, Utah and Iowa were the only two comprehensive privacy law states without a correction right. Iowa is now the only one left.

How the 45-day correction window works

Utah businesses have 45 days to respond to a correction request once they receive one. That is the same standard most other correction-right states use, which makes this an easier addition for businesses that already have a data subject request process in place for other states. Violations can bring civil penalties of up to $7,500 each.

Why the scale matters for small businesses

Connecticut's threshold change is the one most likely to catch small businesses off guard, because 35,000 residents is a low bar for any company with a website that draws Connecticut visitors. Small businesses make up 99.4% of all businesses in the state and employ 726,097 people, or 48.1% of Connecticut's workforce, according to the U.S. Small Business Administration's 2025 state profile.

Many of those businesses now have to check whether routine tools, like analytics platforms or ad pixels that share data with third parties, count as a sale of personal data under the law's broad definition.

Nationally, the SBA counts more than 36.2 million small businesses, employing 62.3 million people, or 45.9% of the private-sector workforce. Under most state privacy laws, including Connecticut's, Arkansas's, and Utah's, it does not matter where a business is headquartered. What matters is where its customers live.

The bigger picture: 20 states now regulate consumer privacy

Connecticut, Arkansas, and Utah are not isolated changes. As of July 2026, 20 U.S. states have comprehensive consumer privacy laws in effect, each with its own thresholds, consumer rights, and penalties. That is exactly why Clym's state-by-state compliance map tracks obligations by visitor location rather than company address: a business with no physical presence in Connecticut, Arkansas, or Utah can still be fully in scope of all three laws if its customers live there.

Connecticut, Arkansas, and Utah: what changed on July 1, 2026

State

What changed

Penalty per violation

Effective date

Connecticut

Threshold cut from 100,000 to 35,000 consumers; no threshold at all for businesses that process sensitive data or sell personal data; new AI training disclosure requirement

Up to $5,000

July 1, 2026

Arkansas

New Children and Teens' Online Privacy Protection Act requires parental or teen consent to collect minors' personal data

Up to $10,000

July 1, 2026

Utah

New right to correct inaccurate personal data; businesses have 45 days to respond

Up to $7,500

July 1, 2026

Sources: TrueVault legal analysis of SB 1295; Varnum LLP analysis of HB 1717; Utah House Bill 418; Connecticut Attorney General's office. As of July 2026.

Quick applicability check: what to do before your next compliance review

  1. Check your Connecticut consumer count. If you process data on 35,000 or more Connecticut residents, or process any sensitive data, or sell data in any form, you are covered.

  2. Review your minors' data practices. Confirm your consent flows match Arkansas's two-tier model and Connecticut's under-18 prohibition on selling minors' data.

  3. Build a correction-request process. Utah residents can now ask you to fix inaccurate data, and you have 45 days to respond.

  4. Audit your marketing stack. Analytics tools and ad pixels that share data with third parties may count as a data sale under Connecticut's broad definition.

  5. Check whether you disclose AI training use. If you use website visitor data to train or fine-tune large language models, Connecticut now requires you to say so.

Common mistakes businesses make when state privacy laws change

Most compliance gaps after a round of amendments like this one come down to a handful of avoidable assumptions.

  • Assuming the threshold is about company size, not customer count. A five-person company with 40,000 Connecticut customers is covered; a 500-person company with 10,000 is not, unless it processes sensitive data or sells data.
  • Treating “children's privacy” as a policy for under-13 users only. Arkansas and Connecticut both now reach into the teenage years.
  • Overlooking marketing and analytics tools when checking for a data “sale.” A pixel that shares data with an ad network can trigger Connecticut's broadest coverage rule even without a traditional sale.
  • Building a correction-request process from scratch instead of extending an existing data subject request workflow to cover Utah.
  • Waiting for a complaint instead of checking the rules now. None of these three states offer a grace period in 2026.

How Clym can help you keep up with multi-state privacy changes

Tracking one state's threshold is manageable. Tracking 20, each with its own thresholds, consent rules, and correction workflows, each changing on its own schedule, is a different problem. Clym's consent and privacy management platform is built to help with exactly that: geo-targeted consent banners that apply rules based on where a visitor is located, age-gated consent flows for minors, and data subject request tools that can be configured for correction requests alongside access and deletion requests.

Clym does not replace legal advice, and no platform can guarantee compliance outcomes on its own. What it can do is reduce how much of this you have to track by hand as Connecticut, Arkansas, Utah, and other states keep amending their rules.

Conclusion

Connecticut, Arkansas, and Utah’s July 1, 2026 changes point in the same direction: lower thresholds, broader sensitive data definitions, stronger protections for teenagers, and more consumer rights.

None of these updates came with a grace period. They also apply based on where your customers live, not where your business is headquartered.

For businesses, the next step is to review actual traffic, data collection, consent flows, and consumer rights processes against each state’s current requirements, instead of assuming last year’s privacy program still covers this year’s rules.

Frequently asked questions

SB 1295 is the 2026 amendment to the Connecticut Data Privacy Act. Effective July 1, 2026, it lowers the law's applicability threshold from 100,000 to 35,000 consumers and removes the threshold entirely for any business that processes sensitive personal data or sells personal data, regardless of size.

All three changes took effect on July 1, 2026: Connecticut's amended threshold and consent rules, Arkansas's new Children and Teens' Online Privacy Protection Act, and Utah's new right to correct inaccurate personal data.

If your business processes the personal data of 35,000 or more Connecticut residents in a year, it is covered. If your business processes any sensitive personal data, such as health, biometric, neural, or precise geolocation data, or sells personal data for money or anything of value, there is no consumer minimum at all.

Effective July 1, 2026, it is the first U.S. state law to extend core children's privacy protections to teenagers, not just kids under 13. It requires parental consent to collect a child's data, parental or teen consent for users age 13 to 16, and bars targeted advertising to minors using their personal data.

Starting July 1, 2026, Utah residents can ask a business to correct inaccurate personal data it holds about them. Businesses have 45 days to respond. Utah joins nearly every other comprehensive privacy law state in offering this right; Iowa is now the only state that does not.

Yes. Like most state privacy laws, it applies based on where the affected children and teens live, not where the business is headquartered. A business anywhere in the country that knowingly collects personal data from Arkansas minors falls under the law.

Connecticut penalties run up to $5,000 per violation, counted per consumer affected, with no cure period since December 31, 2024. Arkansas penalties run up to $10,000 per knowing and willful violation. Utah penalties run up to $7,500 per violation. All three enforce exclusively through the attorney general's office.

As of July 2026, 20 U.S. states have comprehensive consumer privacy laws in effect, covering more than half the U.S. population. Each state sets its own thresholds, consumer rights, and penalties, creating a patchwork that businesses operating online must track state by state.

Adam Safar

Head of Digital Marketing

Adam is the Head of Digital Marketing at Clym, where he leverages his diverse expertise in marketing to support businesses with their compliance needs and drive awareness about data privacy and web accessibility. As one of the company’s original team members, Adam has been instrumental in shaping its journey from the very beginning. When he’s not diving into marketing strategies, Adam can be found cheering on his favorite sports teams or enjoying fishing.

Find out more about Adam