On June 11, 2025, Connecticut passed Senate Bill 01295 (SB 01295). If signed by the governor, SB 01295 will amend the existing Connecticut Data Privacy Act (CTDPA) in several important ways, with the amendments going into effect on July 1, 2026.
Expanded Scope: In what is seen as a general trend, SB 01295 broadens the reach of the CTDPA by lowering exemption thresholds: The law will apply to organizations that control or process the personal data of 35,000 consumers or more, controls or processes any sensitive data, or engage in the sale of personal data. The bill also expands the definition of sensitive data, thereby increasing the number of covered entities.
Signaling another important trend, the amendment would remove the entity-level exemption for financial institutions under the Gramm-Leach-Bliley Act (GLBA), and instead only exempt data subject to the GLBA. Notably, however, certain types of financial institutions may continue to enjoy entity-level exemptions.
Stricter Regulations for Minors: Social media platforms and online services targeting minors (individuals under 18) would also be subject to heightened obligations and standards, including restrictions related to processing minors’ personal data related to certain risks and automated decisions.
Additional Changes: Additionally, the amended changes would include additional responsibilities placed on data controllers, including those related to consumer rights requests, data protection assessments and privacy notices and disclosures.
***
Although this legislative season has not seen revolutionary new laws passed, amendments in states like Connecticut, Colorado, and Montana are important reminders that changes to existing laws can have significant impacts–both in broadening the scope of their application and in current compliance regimes.