Login
  • Client Advisory
  • Diana James

Connecticut Amends Privacy Law: New Rules for Sensitive Data, Profiling, and Consumer Rights Take Effect July 1, 2025

Print Article
SHARE

On June 6, 2025, Connecticut Governor Ned Lamont signed Public Act No. 25-113 into law, amending the Connecticut Data Privacy Act (CTDPA) with significant new provisions aimed at enhancing consumer protection in light of emerging technologies and evolving business practices. The amendments will take effect July 1, 2025, and require action from both data controllers and processors to ensure compliance.

Connecticut’s new rules position the state as one of the most forward-looking jurisdictions in the country, particularly with respect to biometric data, consumer profiling, and high-impact automated decision-making.

Key Changes in Public Act No. 25-113

  1. Expanded Definition of Biometric Data and Sensitive Information

The amendment clarifies and expands the scope of biometric data, now explicitly including “an image or recording of a person from which a biometric data identifier template can be extracted,” as well as “data generated by automatic measurements of a person’s biological characteristics”. Sensitive data has been broadened to include precise geolocation, pregnancy status, and the personal data of a known child, with an emphasis on affirmative consent before processing.

Controllers must now obtain consent to collect or process sensitive data, including:

  • Personal data revealing pregnancy status, mental or physical health diagnosis, and immigration status.
  • The processing of a known child’s personal data.
  • Biometric identifiers and data used for identification purposes.

2. Stronger Restrictions on Profiling and Automated Decision-Making

The law introduces explicit rights related to profiling, including:

  • A right to opt out of profiling of decisions that produce legal or similarly significant effects, such as access to financial services, housing, education, or employment opportunities.

The amendments also add nuanced provisions:

  • Controllers may process personal data for profiling in furtherance of automated decisions only if the processing is strictly limited to detecting or correcting bias, is necessary for that purpose, and the data is deleted immediately after the task.
  • Such internal uses must comply with security and privacy safeguards, such as pseudonymization, strict access controls, and non-transmission to third parties.

3. New Obligations for Data Processors and Vendors

Connecticut’s amendments align with privacy-by-design principles and require contracts between controllers and processors to address:

  • Restrictions on de-identified data use and reuse.
  • Reasonable data security safeguards consistent with industry standards.
  • Documentation of data processing activities, including independent audits and cooperation with assessments.
  • Expanded responsibilities for subcontractors and obligations regarding children’s data.

4. Youth Data Protections

Controllers are explicitly prohibited from processing the personal data of children under 18 for targeted advertising, selling data, or profiling in furtherance of decisions with legal or similarly significant effects without verifiable parental or guardian consent.

The law reflects growing state-level momentum for minor-specific protection, following trends in California, Maryland, and other states.

5. Attorney General Enforcement and Rulemaking Authority

The Connecticut Attorney General retains exclusive enforcement authority and may seek injunctive relief, civil penalties, and other remedies. The amended CTDPA empowers the AG to adopt regulations on the processing of sensitive data, profiling, and children’s data, and clarifies that guidance or rules issued will have the force of law once finalized.

Implications for Telecommunications, AdTech, and AI Vendors

These amendments will be especially relevant for:

  • Telecom & VoIP providers use call detail records, location data, or behavioral analytics for customer profiling.
  • AdTech firms and data brokers engaged in targeted advertising, especially involving youth or sensitive attributes.
  • AI vendors offering scoring, eligibility assessment, or predictive modeling tools must now ensure transparency, fairness, and opt-out capabilities.

Next Steps for Clients

  • Conduct a CTDPA-Specific Gap Analysis: Identify gaps between current data practices and the new requirements, especially profiling and consent.
  • Update Privacy Notices: Ensure all required disclosures, particularly around profiling, sensitive data, and children’s data—are included.
  • Review and Amend Contracts: Vendor and processor agreements must be updated to reflect new requirements on data use, audits, and security.
  • Implement Profiling Opt-Out Tools: Update systems to allow consumer opt-outs from profiling, including through customer-facing tools with clear instructions.

The CommLaw Group Can Help

Our privacy and telecom compliance team are closely tracking the implementation of Connecticut’s amendments and similar developments across the U.S. We offer tailored audits, data mapping, and contract support to help clients meet new legal obligations with confidence.

Susan Duarte – sfd@commlawgroup.com

Diana James – daj@commlawgroup.com

Brian Alexander – bal@commlawgroup.com

Sign Up To Receive Our Advisories and Compliance Alerts
Marashlian & Donahue, The CommLaw Group

1430 Spring Hill Road, Suite 310
Tysons, Virginia 22102
(703) 714-1300

Linkedin-in Envelope
Important Links
News

IMPORTANT TAX UPDATE: Colorado Private Letter Ruling Clarifies “Prepaid Plans” With Unlimited Voice Minutes Do Not Qualify as “Prepaid Wireless” for Tax Purposes

California DOJ Announces $1.55 Million CCPA Settlement with Healthline Over Unauthorized Sharing of Health Data

Senate Overwhelmingly Rejects AI Regulation Moratorium

Supreme Court Upholds Universal Service Fund Contribution Scheme; Congressional Reform Efforts Intensify

Resources
Proud Member of:
Cloud Communications Alliance

Copyright 2024 Marashlian & Donahue, PLLC | Disclaimers | Privacy Policy | Terms and Conditions

Ask An Attorney

Disclaimer: Please be advised that contacting our law firm through this contact form does not establish an attorney-client relationship. While we appreciate your interest in our services, we cannot guarantee the confidentiality of any information shared until an attorney-client relationship has been formally established. Therefore, we kindly request that you refrain from submitting any confidential or sensitive information through this form. Any information provided through this form will be treated as general inquiries and not as privileged or confidential communications. Thank you for your understanding.