On June 24, 2025, Connecticut Governor Ned Lamont signed into law Senate Bill 1295, “An Act Concerning Broadband Internet, Gaming, Social Media, Online Services and Consumer Contracts.” Amendments to the Connecticut Data Privacy Act were bundled into the Act and will become effective July 1, 2026.
Thresholds
The Act considerably lowers the applicability thresholds and adds two new prongs that are not tied to quantities:
| Current | Amended |
| --- | --- |
| Persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that during the preceding calendar year: (1) Controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data. | Persons that: (1) Conduct business in this state, or produce products or services that are targeted to residents of this state, and during the preceding calendar year controlled or processed the personal data of not fewer than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; (2) control or process consumers’ sensitive data, excluding personal data controlled or processed solely for the purposes of completing a payment transaction; or (3) offer consumers’ personal data for sale in trade or commerce. |
GLBA Exemptions
The Act removes the exemption for non-bank financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”) and replaces it with an exemption limited to banks and credit unions. The exemption for data subject to the GLBA remains.
This is the same GLBA amendment that was made to the Montana Consumer Data Privacy Act by Senate Bill 297, which goes into effect October 1, 2025.
Consumer Rights
- Right to Confirm – Currently, consumers have the right to confirm whether a controller is processing the consumer’s personal data and access such personal data. This is expanded to include “any inferences about the consumer derived from such personal data and whether a controller or processor is processing a consumer’s personal data for the purposes of profiling to make a decision that produces any legal or similarly significant effect concerning a consumer.”
- Right to Question Profiling Results – The Act adds the right to question the results of profiling if it was “in furtherance of any automated decision that produced any legal or similarly significant effect concerning the consumer.”
- Right to Know Third Parties – An additional new right is the ability to “obtain from the controller a list of the third parties to which such controller has sold the consumer’s personal data.”
Privacy Notice
- Currently, a controller must identify the categories of personal data that it shares with third parties and the categories of those third parties. The Act replaces “shares” with “sells.”
- A privacy notice will need to disclose any processing or sale of personal data to a third party for the purpose of targeted advertising.
- The Act adds a requirement to disclose whether personal data is used or sold for the purpose of training large language models.
Impact Assessment
Current law requires a data protection assessment for processing that presents a heightened risk of harm to consumers, as defined. The Act adds a requirement to conduct an “impact assessment” for “any profiling for the purposes of making a decision that produces any legal or similarly significant effect concerning a consumer,” and outlines what must be included in the assessment.
This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.