CTDPA 2026 changes explained
Connecticut expanded its data privacy law in July 2026. Learn who is now covered, what sensitive data includes, and how to update your privacy notice.
Starting July 1, 2026, more businesses will fall under the Connecticut Data Privacy Act than ever before. Connecticut passed Public Act 25-113 in June 2025, making sweeping changes to its consumer privacy law that take effect this July. The applicability thresholds are lower, the definition of sensitive data is broader, and there are new mandatory disclosures tied to AI and large language models (LLMs).
If your business operates in Connecticut or targets its residents, now is the time to check whether you are newly in scope and what you need to update before the deadline.
This post covers exactly what changed, who is now covered, and the specific website and privacy notice updates you need to make.
The Connecticut Data Privacy Act (CTDPA) is Connecticut's state consumer privacy law, enacted on May 10, 2022, and effective July 1, 2023. It grants Connecticut residents rights over their personal data, including the right to access, correct, delete, and opt out of the sale of that data and targeted advertising. The law is enforced by the Connecticut Attorney General, and violations can result in fines of up to $5,000 per violation under Connecticut's unfair trade practices statute.
In February 2024, the Connecticut Attorney General released a report on the law's first six months of enforcement. It confirmed that over a dozen businesses had received violation notices for issues including inadequate privacy policies and insufficient opt-out mechanisms. In June 2025, the legislature passed Public Act 25-113, which significantly expanded the law's scope. Those changes are effective July 1, 2026.
The original CTDPA applied to businesses that processed data for a fairly large number of consumers. The amended law casts a much wider net.
Here is a direct comparison:
| Trigger | Before July 1, 2026 | From July 1, 2026 |
|---|---|---|
| Consumer processing threshold | 100,000+ consumers annually (excluding payment-only data) | 35,000+ consumers annually |
| Revenue-linked threshold | 25,000+ consumers AND 25%+ of revenue from data sales | Removed and replaced |
| Sensitive data processing | No standalone trigger | Any amount of sensitive data processing, no volume threshold |
| Data sales | No standalone trigger | Any offering of personal data for sale in trade or commerce |
The two new no-threshold triggers are the biggest change. A business that handles sensitive data or sells personal data in any amount could now be in scope, regardless of how many consumers' records it processes. According to Wiley Law's analysis of the amendment, this expansion is designed to close gaps that allowed smaller data brokers and ad tech businesses to operate without CTDPA obligations.
The CTDPA applies to businesses that conduct business in Connecticut or produce products or services targeted at Connecticut residents. From July 1, 2026, it applies if you meet any one of the following criteria:
Importantly, several categories of organisations remain exempt from the CTDPA: government entities, nonprofit organisations, higher education institutions, and entities whose data processing is governed by federal laws such as HIPAA, GLBA, or COPPA.
PA 25-113 significantly expanded the definition of sensitive data. This matters because sensitive data triggers stricter obligations: you need explicit opt-in consent before processing it, and the amended law explicitly prohibits selling sensitive data without consumer consent.
| Sensitive data category | Why it matters |
|---|---|
| Neural data | Brainwave and other neural interface data. A first in US state privacy law. |
| Government-issued IDs | Driver's licences, Social Security numbers, passports, and similar identifiers. |
| Financial account credentials | Account login information and access codes, not just account data generally. |
| Consumer health data | Health status, conditions, and health-related behavioural data. |
| Mental and physical disability data | Data revealing disability status or treatment history. |
| Gender identity data | Data revealing nonbinary or transgender status. |
| Biometric and genetic data | Data derived from biometric characteristics and genetic information. |
If your business collects any of these data types, you will need explicit consent before processing, and you cannot sell this data without consent. This includes data collected through forms, health apps, biometric access systems, or any digital property that captures these categories.
The original CTDPA required opt-in consent before selling data or targeting advertisements at consumers aged 13 to 16. PA 25-113 raises the age cap to under 18.
From July 1, 2026, if your business engages in targeted advertising or sells personal data, you must obtain opt-in consent from any consumer who is, or whom you have reason to believe is, under 18 years old. This aligns Connecticut with a broader national trend toward stronger youth data protections, reflected in laws such as the California Age-Appropriate Design Code.
For businesses running advertising campaigns or audience targeting on digital properties with mixed-age users, this is a significant operational change. You will need to assess whether your current age verification and consent flows are updated to capture this wider group.
The 2026 amendments introduce two new mandatory requirements for privacy notices.
If your organisation uses personal data to train large language models, AI models, or other machine learning systems, your privacy notice must explicitly say so. This places Connecticut among the first US states to mandate AI-related disclosures in consumer privacy documentation.
This is a change with teeth. If you use user data to train or fine-tune any AI model, including internal tools, customer-facing chatbots, or third-party AI vendors you share data with, you need to say so clearly in your privacy notice. Bryan Cave Leighton Paisner's analysis of the amendment notes that this requirement may significantly affect businesses that have quietly incorporated AI into their data pipelines without updating their public disclosures.
Your privacy notice must now prominently display the month and year it was last updated. This is not just good practice. It is a legal requirement under the amended law.
If you use Clym to manage your privacy and cookie policy, you will need to review your notice in the Control Center. Go to Manage, then Data Privacy, then open the Legal documents section. From there, you can add the required AI disclosure and make the last-updated timestamp visible on your published policy.
Here is a practical checklist for getting your website and data practices ready for the amended CTDPA.
Clym is updating its platform to support the expanded requirements under PA 25-113. Here is what is being built in for users operating in Connecticut.
Clym’s ReadyCompliance® framework is designed to support organizations as regulations evolve. For the CTDPA, the applicability logic is being updated to reflect the lower 35,000-consumer threshold and the new triggers related to sensitive data processing and data sales.
The Clym widget will support expanded Data Subject Access Requests to reflect the broader consumer rights available under the amended CTDPA.
To support the new AI disclosure and last-updated timestamp requirements, Clym users can review and update their privacy notice in the Clym Control Center. Navigate to Manage → Data Privacy → Legal Documents. From there, you can add AI-related disclosures and update the policy timestamp as needed.
Connecticut's 2026 privacy law updates are a meaningful expansion of an already serious piece of legislation. With lower thresholds, broader sensitive data definitions, stronger minors' protections, and a first-of-its-kind AI disclosure requirement, the amended CTDPA now covers a wider range of businesses and introduces stricter obligations for those that were already in scope.
The businesses most at risk of being caught off guard are those that previously sat below the old 100,000-consumer threshold and those using personal data to train AI systems without disclosing it. Both groups need to act before July 1, 2026.
Start with a scope check: review your data volumes, your data sales activities, and your sensitive data inventory. Then work through your privacy notice, because the AI disclosure requirement is a change many businesses will not be ready for. The good news is you do not have to work through this alone.
The CTDPA is Connecticut's consumer privacy law, effective July 1, 2023. It gives Connecticut residents rights over their personal data, including the right to access, correct, delete, and opt out of data sales and targeted advertising. It is enforced by the Connecticut Attorney General with fines up to $5,000 per violation.
The changes introduced by Public Act 25-113 take effect on July 1, 2026. Businesses have until that date to update their consent mechanisms, privacy notices, and data processing practices to reflect the expanded requirements.
Yes, in some cases. The amended CTDPA applies to any business that processes sensitive data or sells personal data, regardless of size. A small business that collects health information, biometric data, or government IDs, or that monetises personal data in any form, may now be in scope even if it serves far fewer than 35,000 consumers.
Under the amended CTDPA, sensitive data includes health and disability data, biometric and genetic data, neural data, government-issued IDs (such as driver's licences and Social Security numbers), financial account credentials, data revealing racial or ethnic origin, religious beliefs, sexual orientation, and gender identity, as well as immigration status and precise geolocation.
Yes. From July 1, 2026, Connecticut businesses that use personal data to train large language models, AI models, or other machine learning systems must disclose this in their privacy notice. The notice must also prominently display the month and year it was last updated.
Yes, but only with explicit consent. PA 25-113 prohibits the sale of sensitive data without consumer consent. If you currently sell sensitive data without a specific opt-in for that sale, you must update your consent flows before July 1, 2026.