DAILY NEWS CLIP: November 3, 2025

New rules expand Connecticut’s data privacy law and test small-business readiness


Hartford Business Journal – Monday, November 3, 2025
By Harriet Jones

A little over two years ago, Connecticut rolled out its own Data Privacy Act — giving residents the right to know how companies are storing and using their personal information, and setting strict new rules for businesses on handling data.

It was just the fifth state to enact such a measure at the time.

Attorney General William Tong hailed it as one of the nation’s strongest consumer privacy laws, granting Connecticut residents new rights to access, correct and delete their data, and to opt out of the sale of personal information and targeted advertising.

Now, two years later, the law is entering a pivotal phase. As enforcement ramps up and new amendments take effect in 2026, Connecticut businesses — from small retailers to major tech firms — are facing tighter compliance rules and higher scrutiny over how they collect and use personal data.

The changes highlight a growing tension between consumer privacy rights and the costs and complexity for companies navigating an expanding web of state regulations.

The privacy section within the Connecticut Attorney General’s office oversees compliance and investigates consumer complaints about data mishandling.

“We’re continuing to get a steady stream of those complaints, and it’s actually been really impressive to us, the time that folks will put in, trying to exercise their privacy rights,” said Michele Lucan, chief of the privacy section. “For us, that makes clear, people care about this law.”

In the last year, she says, the department has received 57 complaints about issues that were covered under the Data Privacy Act.

New threshold

Connecticut’s original data privacy law applied to companies holding data on more than 100,000 people. Those businesses were required to limit the personal information they collected, be transparent about how it was used and secured, and obtain consumer consent before gathering sensitive details such as precise location, biometric data or health information.

Beginning in 2026, those rules will get tougher. Amendments to the law will lower the compliance threshold to 35,000 data records and place new restrictions on how companies use artificial intelligence to profile customers. If a business handles sensitive information such as health data, there will no longer be a minimum threshold on the number of data records — a shift that has consumer health apps and fitness-tracking companies scrambling to prepare.

For companies hoping to stay compliant, a clear and current privacy policy is essential, legal experts say.

“I do think it’s an overstatement to say that companies generally comply,” said attorney William Roberts, co-chair of Day Pitney’s data privacy and cybersecurity practice, and an adjunct professor of data privacy law at the University of Connecticut School of Law.

He said larger corporations with legal and compliance teams tend to keep up with evolving requirements, but midsize and smaller firms face a steeper challenge.

He points to the much more familiar HIPAA health privacy law as an analogy, where healthcare providers still struggle with compliance after decades of enforcement.

Large national or multinational companies, he added, often view Connecticut’s law as one piece of a much larger compliance puzzle that now includes similar rules in about 20 states, as well as Europe’s General Data Protection Regulation.

“Where companies get hung up the most tends to be on the easiest stuff, to be honest,” Roberts said. “Having a privacy notice with links that aren’t broken. Having a privacy notice that’s readable. Having a privacy notice that’s kept up to date.”

Keeping those notices accurate and consistent, Roberts said, is an ongoing concern — and a growing cost of doing business.

Smaller businesses face bigger risks

The coming changes to Connecticut’s privacy law have raised concerns over whether they’ll create new burdens for smaller companies.

Opinions vary: Some attorneys believe most companies that already operate near the existing thresholds — or do business in other states with stricter rules — are already adapting.

But others worry local businesses may be caught off guard by the lower 35,000-record threshold.

Russell Anderson, an attorney at Pullman & Comley, said many purely Connecticut-based companies could soon find themselves subject to the law for the first time.

“If you’re a business that has most of the population of your town in your database, all of a sudden you’re subject to all of the requirements of the law. And you would have no reason to realize that,” Anderson said. “A grocery store, a restaurant chain, car dealerships.”

He also believes that smaller businesses will have a difficult time figuring out the relatively new “universal opt-out” provision of the law, a right that went into effect in January of this year. It allows consumers to prohibit the sale or use of their personal data for targeted advertising through a browser setting or privacy tool.

“A lot of businesses are going to get tripped up on the universal opt-out requirement,” Anderson said.

For Roberts, website cookies remain one of the biggest compliance risks. He said many companies fail to ensure that their privacy policies match what their websites actually collect or share — especially when third-party vendors sell user data that the business itself can’t fully control.

Expanding definition of sensitive data

The most sweeping change under the 2026 amendments involves how “sensitive data” is defined — particularly when it comes to minors and health information.

For minors, companies currently must obtain a parent’s or child’s consent to sell personal data, engage in targeted advertising or create a profile. Starting next year, that permission will no longer matter: companies will be prohibited from selling or using a minor’s data altogether.

The new definition also broadens what counts as health information, covering data that consumers routinely log through fitness apps and wearable devices such as smartwatches. For those businesses, there will be no minimum data threshold — meaning even small app developers or niche health companies will be required to comply.

“Almost all of the questions we’re getting, almost all the action we’re seeing is on the healthcare side,” Roberts said. “There’s a lot of companies that were nowhere near the threshold for state laws broadly, so they don’t have any compliance program.”

“That will be a game changer,” agrees Lucan at the Attorney General’s office.

In fact, she believes the entire law should have no lower thresholds for the number of records that trigger compliance with the state’s privacy requirements.

“We shouldn’t have to play a numbers game there. We should be able to protect Connecticut residents,” she said.

Up until January of this year, the Attorney General’s office could send non-compliant companies a “cure” notice, giving them a grace period to work toward compliance. That no longer applies.

Now, Lucan says, when the office receives a consumer complaint or notices a potential violation, it moves straight to an investigation. She says currently there are “dozens” of open investigations over a wide range of issues.

Even so, Lucan says her office uses discretion when dealing with small businesses that might struggle with compliance, to ensure they aren’t unduly burdened.

The most high-profile case to date involved TicketNetwork, which was fined $85,000 in July. The attorney general’s office said the company’s privacy notice was largely unreadable and lacked key information about data rights. The state first flagged the issues to the company in November 2023.

The extra investigative work has required more oversight, and the privacy office has grown from two attorneys a decade ago to six now, with a legal investigator also part of the team. Lucan says they’re currently hiring for a paralegal.

“My work was so different 10 years ago than it is now,” she said. “The nature of the cases, the diversity of the cases, the different technologies we’re looking at, everything has changed.”

AI oversight

Meantime, artificial intelligence represents the next frontier in Connecticut’s data-privacy enforcement. While lawmakers — and Gov. Ned Lamont — have been hesitant to pass sweeping AI-specific legislation, the 2026 amendments to the Connecticut Data Privacy Act will, in effect, regulate certain AI uses.

Specifically, companies that use algorithms to build customer “profiles” will need to give consumers the right to opt out.

“I think this was a recognition that even without a broader bill, AI is here. It’s a really pressing issue,” Lucan said.

Another change she sees on the horizon is a growing movement among the states to coordinate their efforts on data privacy. Connecticut recently announced it will work with Colorado and California to implement and enforce “universal opt-out” provisions — just one effort to reduce the patchwork of privacy laws companies must follow across state lines.

Roberts, of Day Pitney, said he hears complaints from companies about the ongoing costs of data privacy provisions, particularly when those businesses say they receive very little feedback from customers about their new rights. But he urges a different philosophy.

“It’s sort of like car insurance,” he said. “Thank goodness, I don’t use car insurance on a day-in, day-out basis. But when I need it, I want it there.”
