You all know that I follow local politics pretty closely but this got by me and I think a lot of other people also.
Did you know that Connecticut passed a law banning the sale of sensitive personnel information on the internet including us in...
It sound innocuous enough but it has a little gem inside.
[(38)] (39) "Sensitive data" means personal data that includes (A) data revealing (i) racial or ethnic origin, (ii) religious beliefs, (iii) a mental or physical health condition, [or] diagnosis, disability or treatment, (iv) sex life, sexual orientation or status as nonbinary or transgender, or (v)citizenship or immigration status, (B) consumer health data, (C) [the processing of] genetic or biometric data [for the purpose of uniquely identifying an individual] or information derived therefrom, (D) personal data collected from [a known] an individual the controller has actual knowledge, or wilfully disregards, is a child, (E) data concerning an individual's status as a victim of crime, as defined in section 1-1k, [or] (F) precise geolocation data, (G) neural data, (H) a consumer's financial account number, financial account log-in information or credit card or debit card number that, in combination with any required access or security code, password or credential, would allow access to a consumer's financial account, or (I) government-issued identification number, including, but not limited to, Social Security number, passport number, state identification card number or driver's license number, of that applicable law does not require to be publicly displayed.
Okay, this is the first I saw this so... The National Law Review writes...
Who Is Now Covered?As of July 1, 2026, the CTDPA applies to any entity that conducts business in Connecticut, or targets products or services to Connecticut residents, and that during the preceding calendar year satisfied any one of the following:
- Controlled or processed the personal data of at least 35,000 consumers (reduced from 100,000), excluding data processed solely to complete a payment transaction;
- Controlled or processed consumers’ sensitive data, regardless of volume; or
- Offered consumers’ personal data for sale in trade or commerce, regardless of volume.
[...]What Counts as “Sensitive Data” under the CTDPA?Your company is swept in if, during the past year, it collected or processed any of the following, no matter how few Connecticut residents were involved:cticut residents were involved:– Data revealing racial or ethnic origin– Data revealing religious beliefs– Data revealing a mental or physical health condition, diagnosis, disability, or treatment– Data revealing sex life, sexual orientation, or status as nonbinary or transgender– Data revealing citizenship or immigration status– Consumer health data– Genetic or biometric data, or information derived therefrom– Precise geolocation data
You got That?
The Bottom LineConnecticut has shifted from a threshold-based law that mostly affected large companies to an expansive framework that can capture smaller organizations – particularly those that touch sensitive data, rely on ad-tech and targeted advertising, share data in ways that may count as a “sale,” or offer online features used by minors. With the Connecticut Attorney General’s cure period gone and enforcement already active, the cost of waiting has risen. Companies with any nexus to Connecticut should consider the following steps:
- Reassess whether you are in scope. Given that the sensitive data and sale triggers under the amended CTDPA have no volume threshold, assume you may be in scope until confirmed otherwise.
- Map your data. Inventory what personal and sensitive data you collect, how it is used, and with whom it is shared – including via tracking pixels and list exchanges.
- Refresh privacy notices and consent flows. Disclose profiling, targeted advertising, and any use of personal data to train LLMs, and ensure notices are conspicuous, multilingual, and accessible.
- Review profiling and automated decision-making. Build compliant processes to honor opt-out requests, provide explanations for how decisions were reached, and complete the new impact assessment for activities on or after August 1, 2026.
- Strengthen protections for minors. Stop targeted advertising to, and sales of personal data of, individuals aged 13-17, and remove engagement-maximizing design features.