If your company conducts business in Connecticut or targets Connecticut residents, and your product processes sensitive data from even one Connecticut consumer, the amended Connecticut Data Privacy Act may now apply, regardless of your Connecticut user count.
The Connecticut Data Privacy Act (CTDPA), Connecticut's comprehensive consumer data privacy law governing how companies collect, use, and share personal data about state residents, was amended by Public Act 25-113 (Substitute Senate Bill 1295), and the core provisions took effect July 1, 2026. The lowered consumer-count threshold matters, but the bigger shift is that the amendments removed the consumer-volume floor for sensitive-data processing entirely. One Connecticut consumer whose sensitive data your product processes can be enough to bring your company within the law's reach, regardless of size.
For many covered startups, the privacy notice update is the most urgent practical item. The amendments require a privacy notice to state whether the company collects, uses, or sells personal data for the purpose of training large language models. That duty applies to data controllers generally, and Connecticut has no mandatory cure period before the Attorney General can pursue penalties. The notice has to make the company's position clear either way.
What Changed
Public Act 25-113 (signed June 24, 2025, effective July 1, 2026) rewrites the CTDPA's coverage test to reach a much wider set of startups. One scope point matters before applying the screen. The CTDPA does not cover every data point connected to Connecticut. The threshold analysis applies to companies that conduct business in Connecticut or produce products or services targeted to Connecticut residents, and the law's consumer concept generally excludes individuals acting in a commercial or employment context. The first question is not only "do we have Connecticut data?" but "do we have Connecticut consumer data in a covered role?"
The new applicability test has three prongs, joined by OR:
- The company processes the personal data of 35,000 or more Connecticut consumers (down from the prior 100,000 threshold), OR
- The company processes the sensitive data of any Connecticut consumer, regardless of volume, OR
- The company offers consumers' personal data for sale in trade or commerce.
The sensitive-data category list expanded. The additions that most often pull a new company into scope are neural data (information generated by measuring a person's central nervous system activity, a category the amended CTDPA definitions add to Connecticut law for the first time), government-issued identification numbers, financial account credentials, and status as nonbinary or transgender. Biometric data also needs to be checked against the amended sensitive-data definition rather than carried forward from an older privacy notice. Check 1 below carries the full working list.
The LLM-training disclosure is new and affirmative. Connecticut General Statutes Section 42-520(b)(1)(H) requires a privacy notice to include a statement disclosing whether the controller collects, uses, or sells personal data for the purpose of training large language models. In practice, silence is the problem: the notice should make the company's position clear either way, and the company should confirm whether user or customer data feeds model training, through its own systems or a third-party AI vendor.
Effective dates are split. The threshold change, the sensitive-data expansion, and the LLM-training disclosure are all in effect as of July 1, 2026. A separate impact-assessment requirement, for profiling that produces a legal or similarly significant effect on a consumer, applies to processing created or generated on or after August 1, 2026.
Enforcement: no cure period. The original CTDPA's cure window ended December 31, 2024, and Public Act 25-113 does not bring it back. The Connecticut Attorney General enforces the law as an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA), with civil penalties of up to $5,000 per willful violation. There is no private right of action.
For context, California's AB 2013 (effective January 1, 2026) addressed AI training data earlier, but it targets AI developers and asks them to publish their training-dataset information. Connecticut's disclosure duty runs to data controllers generally, a broader sweep than a developer-only rule.
Why Does This Matter for My Business?
The practical effect: the set of covered companies just got much larger, and the most visible gap, a missing LLM-training disclosure, is exactly what an enforcement inquiry, a customer audit, or a diligence review finds first.
Coverage scope shifted faster than most startups noticed. A health-tech company with a handful of Connecticut users, a fintech collecting financial account credentials, a SaaS product collecting gender identity data: each can now be in scope under the sensitive-data prong, regardless of user count. The old 100,000-consumer threshold let startups treat Connecticut privacy law as someone else's problem, and that read is wrong now for any product processing sensitive data of Connecticut consumers.
The privacy notice gap is not a back-office issue. A privacy notice lives on the company website. It is the first document a customer's procurement team or an acquirer's counsel will pull, and a missing LLM-training disclosure reads as a compliance gap at a glance, because the statement is either there or it is not.
The risk shows up in two places. Regulatory enforcement is one exposure. Commercial friction is the other, and it tends to arrive sooner. An enterprise customer in Connecticut will ask whether your privacy notice is current, whether your data processing addendum reflects CTDPA processor obligations, and whether you use its data to train AI models. A vendor that cannot answer cleanly loses ground at renewal.
CTDPA Founder Compliance Screen
Use this screen to size up your exposure and what needs to change. Each check is yes-or-no; plan on about 15 minutes and a short task list. The screen tells you whether the CTDPA likely applies; your specific duties then depend on whether you act as a controller (the entity that determines the purpose and means of processing personal data), a processor (a vendor or service provider that processes data on a controller's behalf), or both.
Part 1: Coverage Triggers
Check 1: Does your product process the sensitive data of any Connecticut consumer?
Sensitive data now includes health and mental health data, financial account credentials, biometric identifiers, genetic data, neural data, precise geolocation, government-issued identification numbers, immigration status, sexual orientation, status as nonbinary or transgender, racial and ethnic origin, religious beliefs, and personal data of a child.
- If yes: the CTDPA likely applies as of July 1, 2026, regardless of user count. Determine which obligations apply to you as a controller, processor, or both.
- If no: proceed to Check 2.
- Owner: Founder or General Counsel, with input from Head of Product.
Check 2: Does your company sell or offer to sell consumers' personal data?
A sale is an exchange of personal data for monetary or other valuable consideration, subject to the statute's exceptions (for example, disclosures to your own processor, disclosures made at the consumer's direction, and transfers as part of a merger or acquisition). Offering consumers' personal data for sale in trade or commerce is enough to trigger coverage; no minimum volume or revenue share applies.
- If yes: treat the CTDPA as applicable, and determine which obligations apply to you as a controller, processor, or both.
- If no: proceed to Check 3.
- Owner: Founder or Head of Business Development.
Check 3: Does your product process the personal data of 35,000 or more Connecticut consumers?
If you were below the prior 100,000-consumer threshold, recalculate; the floor is now 35,000. Count consumers whose personal data you control or process during a calendar year, excluding personal data processed solely to complete a payment transaction. Remember that "consumer" excludes individuals acting in a commercial or employment context, so B2B contact records and employee data do not count toward the figure.
- If yes: treat the CTDPA as applicable, and determine which obligations apply to you as a controller, processor, or both.
- If no, and you answered no to Checks 1 and 2: none of the CTDPA's applicability prongs is met today. Re-run the screen as your Connecticut user base or data collection grows, and any time you add a data category or an AI integration to the product.
- Owner: Founder or Head of Engineering.
Part 2: Compliance Gap Audit
Run this section if you answered yes to any Part 1 check.
Gap 1: Does your current privacy notice include an LLM-training disclosure?
The notice should state whether your company collects, uses, or sells personal data for the purpose of training large language models. Silence is the problem; the statement should be there either way.
- If no: update the notice before the next enterprise customer renewal. It is publicly visible and easy for a regulator or customer to check.
- If yes: confirm the statement is accurate and reflects your current product and vendor stack, including any third-party AI tools that receive user data.
- Timing: in effect since July 1, 2026. For a covered company, this is already due.
- Owner: Founder or General Counsel to draft; Head of Product to verify technical accuracy.
Gap 2: Does your privacy notice reflect the expanded sensitive-data category list?
Check whether your notice now accounts for neural data, government-issued identification numbers, status as nonbinary or transgender, and any other categories not in your prior version. Omitting a category you actually process is a separate gap.
- If no: update alongside the LLM-training disclosure.
- Owner: General Counsel.
Gap 3: For B2B SaaS founders: does your data processing addendum (DPA) template reflect CTDPA processor obligations?
If you process enterprise customer data on their behalf, you act as a processor under the CTDPA. Your DPA should specify that you process data only on the controller's documented instructions, hold personnel who touch the data to a duty of confidentiality, assist with consumer rights requests, delete or return personal data when the contract ends (unless retention is required by law), make available the information the controller needs to demonstrate compliance and allow or arrange for assessments, and bind any subcontractors you engage by written contract to the same obligations. A DPA template that predates July 1, 2026 likely needs revision.
- If not CTDPA-ready: update before the next enterprise customer renewal or new enterprise sale.
- Owner: Head of Sales and General Counsel.
Gap 4: Do you have DPAs in place with every third-party vendor that processes personal data on your behalf?
This covers AI tools, analytics platforms, cloud infrastructure, and any vendor that receives personal data from your systems. A controller should hold a written contract with every processor: if a vendor processes your user data on your behalf and under your instructions, that vendor is a processor and a DPA is required. Watch for vendors that use the data for their own purposes as well, for example an AI provider that trains its own models on what you send it; for that use the vendor is not acting as your processor, and the disclosure and sale analysis, not just the DPA, needs to account for it.
- If no: identify the vendors and put DPAs in place, starting with the AI tools that receive personal data.
- Owner: Head of Engineering to identify vendors; General Counsel to establish agreements.
A related timing issue: New Jersey. This one is worth a calendar note, not a fire drill. The New Jersey Data Privacy Law took effect January 15, 2025, and the state's Division of Consumer Affairs says its notice-and-cure period runs only until July 1, 2026. Some secondary summaries describe the sunset as July 15, 2026. Either way, a company subject to the New Jersey law should not assume a meaningful correction window remains.
Decision Framework
1. Does our product touch any of the expanded sensitive-data categories? Run your data flows against the current Connecticut definition. Neural data and government-issued identification numbers are newer additions common in identity-verification or behavioral products. If you are not sure, that uncertainty is itself a finding.
2. Does our privacy notice say anything about LLM training right now? Pull your live published privacy notice and search for any mention of AI, machine learning, LLM, or model training. No statement means a gap to close.
3. Are we a controller, a processor, or both? A startup collecting its own user data is a controller; one processing enterprise customer data on the customer's behalf is a processor. Plenty of B2B SaaS companies are both, and the obligations differ by role. This is the question that turns "the CTDPA applies" into a concrete task list.
4. Does our DPA template reflect what enterprise customers will ask for after July 1, 2026? If your DPA template does not cover CTDPA processor obligations, you will get redlines you are not ready to turn around. Better to find that out from your own review than a customer's counsel.
5. Do our other state privacy obligations assume correction windows that are closing? Several state privacy laws are shifting from notice-and-cure toward direct enforcement, New Jersey among them in 2026. A plan that says "we will fix it if we get a notice to cure" is worth revisiting.
Audience-Specific Implications
For Founders as Controllers
The privacy notice update is your most urgent item. The LLM-training disclosure is affirmative: the statement has to be in the notice whether your answer is yes or no, including when a third-party AI vendor receives your user data for model training. There is no compliant silence.
For Founders as Processors
If you handle enterprise customers' data on their behalf, those customers are controllers with CTDPA obligations of their own. They are reviewing their vendor stack now, and they will ask whether you have a CTDPA-ready DPA and whether your product uses their data to train AI models. The time to have your template ready is before the customer sends you theirs.
For Founders in Diligence
In a data room, a missing LLM-training disclosure is a day-one finding, and a clean notice plus a DPA template that reflects processor obligations takes it off the list. If your product processes newly defined sensitive-data categories (neural data, government-issued identification numbers, status as nonbinary or transgender) that are not on your data map, your representations and warranties may have gaps that surface in post-close indemnification.
Practical Takeaways
1. Pull your live privacy notice today and check for an LLM-training statement. If it is missing, add it before your next enterprise customer interaction. The answer goes in the notice either way, even when it is no.
2. Audit your data flows against the expanded sensitive-data category list. The categories that moved most for coverage include neural data, government-issued identification numbers, status as nonbinary or transgender, and biometric data that may need to be reassessed against the amended definition. If any run through your product and you were not already treating yourself as covered, update your coverage analysis now.
3. If you run a B2B SaaS product, update your DPA template before the next enterprise customer renewal. The CTDPA expects controller-processor contracts to address specific processor duties, listed in Gap 3 of the screen above. A DPA template that predates July 1, 2026 likely lacks at least some of them. Getting yours current now means you control the redline.
4. Settle your LLM-training answer for enterprise customers before they ask. If your product uses customer data for model training, your DPA needs to reflect that. If it does not, your DPA should say so explicitly. Your enterprise customers now carry their own CTDPA reason to know the answer.
5. If you operate in New Jersey, do not assume a correction window remains. New Jersey's notice-and-cure period sunsets in 2026. The Division of Consumer Affairs says July 1, 2026; some summaries say July 15. Confirm your New Jersey posture rather than relying on a grace period.
6. Document your coverage determination either way. If your analysis says you are not covered by the CTDPA, write down why, with a date. A one-page coverage memo, reviewed annually, is the floor for defending that position later.
Frequently Asked Questions
Does Connecticut's privacy law apply to my startup if I only have a few users there?
It may, depending on the type of data you process. Under the amended CTDPA, effective July 1, 2026, a company can be covered if it processes the sensitive data of even one Connecticut consumer, regardless of how many Connecticut users it has. Sensitive data includes health information, biometric identifiers, neural data, financial account credentials, government-issued identification numbers, and personal data of a child, among other categories. If your product touches any of those categories for Connecticut residents, the volume threshold is not the relevant question. The CTDPA Founder Compliance Screen in this article walks through the full coverage check.
What is the new Connecticut privacy notice requirement about AI and LLM training?
Connecticut General Statutes Section 42-520(b)(1)(H), added by Public Act 25-113 and effective July 1, 2026, requires a privacy notice to include a statement disclosing whether the company collects, uses, or sells personal data for the purpose of training large language models. The statement is required either way: you cannot leave it silent. If a third-party AI vendor receives your user data and uses it for model training, your notice should address that as well. The Connecticut Attorney General can enforce this requirement without providing a mandatory cure period first.
Does my SaaS company need to update its data processing addendum for Connecticut?
If you process personal data on behalf of enterprise customers, you act as a data processor under the CTDPA, and your DPA should reflect specific processor obligations. Those include processing data only on the controller's documented instructions, holding personnel who handle the data to a duty of confidentiality, assisting with consumer rights requests, deleting or returning data when the contract ends, making compliance information available and supporting assessments, and binding any subcontractors that receive the data by written contract. A DPA template drafted before July 1, 2026 may not cover all of these. Enterprise customers with CTDPA obligations will ask, and a gap in your template means you are negotiating from the customer's draft rather than your own.
What happens if Connecticut finds my company violated the privacy notice requirement?
Connecticut enforces the CTDPA as an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA), with civil penalties of up to $5,000 per willful violation. There is no private right of action, meaning individual consumers cannot sue directly. The original CTDPA's cure period ended December 31, 2024, and Public Act 25-113 does not restore it, so the Connecticut Attorney General can open an enforcement inquiry without first giving your company an opportunity to fix the problem.
When do these Connecticut privacy law changes take effect, and what do I need to do first?
The threshold change, the expanded sensitive-data categories, and the LLM-training disclosure requirement all took effect July 1, 2026. A separate requirement for impact assessments covering certain automated profiling decisions applies to processing created or generated on or after August 1, 2026. If you are in scope, the most immediate item is your privacy notice: check whether it includes a statement about large language model training and whether it reflects the expanded sensitive-data categories. If either is missing, updating the notice before the next enterprise customer interaction is the practical priority.
Closing Perspective
What changed on July 1 is not really a threshold number. It is the theory of who Connecticut's privacy law is for. The old version waited for a startup to reach scale; the new one follows the data category, not the company's size. One Connecticut consumer's sensitive data can be enough.
The LLM-training disclosure is the piece I think founders will underestimate. It is a short addition to a privacy notice, but it works as a forcing function: to answer it honestly, you have to map how your AI integrations and vendor data flows actually touch personal data. A lot of early-stage products wired in AI tools quickly without tracing where that data goes. Better to run that analysis now than because a customer audit forced it.
Privacy compliance that waits for the enforcement letter is compliance that has already cost you something. The question is whether it cost you a deal, a customer, or something larger.
Sources
Connecticut Public Act No. 25-113 (Substitute Senate Bill 1295), An Act Concerning Broadband Internet, Gaming, Social Media, Online Services and Consumer Contracts; approved June 24, 2025; privacy provisions effective July 1, 2026.
Connecticut General Statutes Chapter 743jj, Data Privacy and Security, as amended by Public Act 25-113, including Section 42-515 (definitions, including sensitive data and neural data), Section 42-516 (applicability), Section 42-520(b)(1)(H) (privacy notice and large language model training disclosure), Section 42-522 (data protection and impact assessments), and Section 42-525 (enforcement).
Connecticut General Statutes Section 42-110o(b), Connecticut Unfair Trade Practices Act, civil penalties of up to $5,000 per willful violation.
New Jersey Data Privacy Law, P.L. 2023, c. 266, and the New Jersey Division of Consumer Affairs Data Privacy FAQ (notice-and-cure period statement).
California Assembly Bill 2013, Chapter 817, Statutes of 2024, Generative Artificial Intelligence Training Data Transparency Act, effective January 1, 2026 (comparison point on AI developer training-data publication).
This article is for informational purposes only and does not constitute legal advice. Every company's situation is different, and you should consult with qualified legal counsel before making compliance decisions based on the developments discussed here.