Connecticut Pierces the GLBA Veil in Overhauling its Omnibus Privacy Law

The Connecticut Governor signed SB 1295 into law on June 25, 2025, again amending the Connecticut Data Privacy Act (CTDPA). 

This round of amendments significantly expands the applicability of the law by lowering data processing triggers and narrowing exemptions—including for organizations subject to the Gramm-Leach-Bliley Act (GLBA)—and broadens the substantive obligations on businesses, such as those in connection with profiling, “sensitive data,” individual rights, minors, and privacy policies. The bulk of the changes go into effect on July 1, 2026. Below, we highlight some of the most significant provisions in the amendments. 

Broadened Applicability

The law expands the entities to which it applies through the following main changes: 

Lowering Thresholds. With limited exceptions, as a result of the amendments, the CTDPA will apply to any person who: 

• conducts business in Connecticut or produces products or services that target its residents, and that within the preceding calendar year, controlled or processed the personal data of at least 35,000 consumers (reduced from 100,000), excluding personal data controlled or processed solely for the purpose of completing a payment transaction;
• controls or processes consumers’ “sensitive data” (with the same payment processing exclusion); or
• offers consumers’ personal data for “sale” (as is typical under state privacy laws, a “sale” of personal data under the CTDPA includes the exchange of personal data for monetary or other valuable consideration). 

While the lower consumer personal data processing threshold is not unique (Delaware, Maryland, Montana, New Hampshire, and Rhode Island have similar triggers), the CTDPA is the only omnibus state privacy law that applies to anyone who controls or processes any Connecticut consumer’s sensitive data or sells any Connecticut consumer’s personal data, significantly expanding the scope of the law’s reach. 

Narrowing Exemptions for Financial Institutions. Prior to amendment, the CTDPA provided a blanket, entity-level exception for any “financial institution” or “data” subject to the GLBA. While the amendments have retained the exemption for data subject to the GLBA, they have significantly clawed back the entity-level exemption for all financial institutions subject to GLBA, which is narrowed to:

• Banks or credit unions and their affiliates that (1) are only and directly engaged in financial activities as described in section 4(k) of the Bank Holding Act, 12 USC § 1843(k), (2) are regulated and examined by the Connecticut Department of Banking or an applicable federal bank regulatory agency, and (3) have established a program to comply with all applicable requirements of the Connecticut Banking Commissioner or the applicable federal bank regulatory agency concerning personal data;
• Certain insurers; or
• Agents, broker-dealers, investment advisers or investment adviser agents who are regulated by the Connecticut Department of Banking or the Securities and Exchange Commission.

As a result, financial institutions subject to GLBA that fall outside the above parameters—such as tax preparers, wire transfer service providers, peer-to-peer lending platforms or other non-bank lenders, credit counselors, debt collectors, auto dealers, certain retailers, travel agencies, real estate settlement service providers, check cashers, payday lenders, and other fintech companies—may need to carefully map the personal data that they collect and process to ensure that if it falls outside of GLBA, it is processed in compliance with the CTDPA. The CTDPA amendments reinforce the trend started by California, Minnesota, and Oregon, and most recently Montana, of moving away from an entity-based GLBA exemption. 

Expanded Substantive Obligations

Key changes to substantive requirements include the following: 

Right to Access

While consumers currently have the right to access their personal data, the amendments modify that right in the following ways: 

• Controllers may not disclose specified data (e.g., government-issued identification number, financial account number, account password) in response to access requests, but instead must inform the consumer with sufficient particularity that such data has been collected.
• Similar to the recent Colorado amendments, consumers have the right, with limited exceptions, to access any inferences about themselves derived from their personal data, and to obtain information as to whether a controller or processor is processing their personal data for the purposes of profiling to make a decision that produces any legal or similarly significant effect concerning a consumer.
• On request, controllers must also provide consumers with a list of all third parties to whom a controller has sold personal data. This is potentially narrower than comparable requirements in other states (Minnesota and Oregon), which provide consumers with a right to request a list of all third parties to whom a controller has disclosed personal data. 

Profiling

The amendments expand consumer rights regarding profiling in furtherance of automated decisions “that produce legal or similarly significant effects.” The existing right to opt out of such profiling is limited to solely automated decisions made by the controller, whereas under the amendments, the opt-out right will extend to any such automated decision–even if not entirely automated–made by or on behalf of the controller, thereby expanding this opt-out right to decisions made by processors as well. Further, similar to Minnesota’s privacy law (see our prior post here), the Connecticut amendments give consumers the right to know whether a controller or processor is engaging in profiling to make decisions with legal or similarly significant effects, and the right—if feasible—to challenge profiling results, understand the reasoning behind profiling decisions, and review the personal data used. For housing-related decisions, this includes the right to correct inaccurate personal data and request reevaluation of the decision.

While many state privacy laws, including the original CTDPA, require controllers to conduct data protection impact assessments for high-risk processing activities, beginning August 1, 2026, the CTDPA will also (uniquely among state comprehensive privacy laws) require controllers to conduct an “impact assessment” for any profiling used to make a decision with any legal or similarly significant effect concerning a consumer. Further, the amended law requires a controller that offers any online service, product, or feature to consumers whom the controller knows or willfully disregards are minors, and that engages in any profiling of them, to conduct an impact assessment. Depending on the type of profiling or age of the minors, this requirement will be in addition to a data protection impact assessment. 

The amendments prescribe what the impact assessments must cover, which are similar to the impact assessment requirements in a number of artificial intelligence (AI) laws, such as the Colorado AI Act. For example, the Connecticut amendments specify that assessments shall include (to the extent reasonably known by or available to the controller, and as applicable) the purpose and benefits of the profiling; analysis of whether the profiling presents a known or reasonably foreseeable heightened risk of harm and the steps taken to mitigate any such risk; the categories of personal data inputs for the profiling and the related outputs; metrics used to evaluate the performance and known limitations of the profiling; transparency measures taken concerning the profiling; and post-deployment monitoring and user safeguards concerning the profiling. 

Sensitive Data

The amended CTDPA expands the definition of “sensitive data” to include: 

• Data about a consumer’s disability or treatment, in addition to a mental or physical health condition or diagnosis;
• Data about a consumer’s nonbinary or transgender status;
• Any genetic or biometric data, or information derived therefrom;
• Personal data collected from an individual the controller has actual knowledge, or willfully disregards, is a child (under 13);
• Neural data (defined as “any information that is generated by measuring the activity of an individual’s central nervous system”);
• A consumer’s financial account number, financial account log-in information or credit card or debit card number that, in combination with any required access or security code, password or credential, would allow access to a consumer’s financial account; and
• A government-issued identification number. 

The amendments also change the law’s “publicly available information” exception to the definition of “personal data” to carve out biometric data that can be associated with a specific consumer and that was collected without the consumer’s consent—mirroring the California Consumer Privacy Act. Thus, if biometric data is collected without the consumer’s consent, it is still likely to be sensitive data, because it would not be deemed “publicly available.” These changes may be particularly consequential since the CTDPA can be triggered based on the processing of any sensitive data. 

Minors

Connecticut has been at the vanguard with respect to protecting the online privacy of minors. The CTDPA was already one of the strictest comprehensive state privacy laws regarding minors’ privacy since the Connecticut legislature adopted amendments in 2023 applicable to social media platforms and other online providers with knowledge they are providing an online product, service, or feature to minors. The 2023 amendments created heightened protections for minors (defined as consumers under 18), such as opt-in rights for targeted advertising, sales, and certain profiling, and restrictions regarding the use of geolocation, messaging features, or features to significantly increase or extend use of the service, product or feature. Under the most recent amendments, the CTDPA now contains even more restrictions, such as a blanket prohibition on targeted advertising or sale of personal data, regardless of consent, by a controller offering an online service, product or feature to consumers whom the controller has actual knowledge or willfully disregards are minors. While controllers may still engage in certain profiling of minors with consent, as noted above, they must conduct an impact assessment and implement a mitigation plan to address any identified risks. 

Privacy Policies

Many of the updated privacy policy requirements generally align with California’s and Colorado’s requirements, such as specifying how the privacy policy must be presented to consumers, and also require:

• A statement in the privacy policy disclosing whether a controller collects, uses, or sells personal data for the purpose of training large language models; and
• Notice of any retroactive “material changes” to the privacy policy and a reasonable opportunity for consumers to withdraw consent to any further and materially different processing (similar to requirements in Minnesota and Montana). 

Businesses should consider whether they need to update their privacy policies or user rights tools to comply with these obligations.

Connecticut Attorney General Enforcement

Laws are only as strong as their enforcement, and Connecticut’s Attorney General William Tong has taken an active role in enforcing the CTDPA since the law came into effect, with numerous publicly reported “privacy policy” sweeps and notices of violation (as reported here and here). In July, he announced the first CTDPA enforcement action, an $85,000 settlement with TicketNation (see our post here). 

Takeaways

Smaller businesses that process sensitive data and financial institutions, such as fintechs, that may have previously been outside the scope of the law should consider whether that remains the case under the law’s modified applicability standards. In addition, while many of the substantive obligations imposed by the amendments are in line with requirements in other states, particularly those that have enacted or amended their laws in recent years, the expanded obligations around profiling and minors warrant particularly close attention before July 2026.