Connecticut’s data privacy landscape is undergoing a significant transformation, with amendments to the Connecticut Data Privacy Act (CTDPA) taking effect on July 1, 2026. These changes expand the law’s reach, particularly impacting platforms and services that process personal data, including those in the adult industry, by lowering applicability thresholds and broadening the definition of sensitive data. The updated regulations introduce new compliance challenges for developers, engineers, and platform operators who handle user data from Connecticut residents.

The CTDPA, originally signed into law by Governor Ned Lamont on May 10, 2022, and effective July 1, 2023, established consumer rights over personal data and set privacy protection standards for data controllers. The upcoming amendments, enacted via Senate Bill 1295 in June 2025, significantly broaden the scope of entities subject to the law. This expansion means that a wider array of platforms, including many small and mid-sized operations, will now fall under the CTDPA’s jurisdiction, necessitating a review of their data processing practices and privacy policies.

How Do the CTDPA Amendments Expand Applicability for Data Controllers?

A primary change in the CTDPA amendments is the expansion of applicability triggers, which will bring more organizations under the law’s purview starting July 1, 2026. Previously, the CTDPA applied to entities that controlled or processed the personal data of at least 100,000 consumers in the preceding calendar year, or 25,000 consumers if at least 25% of revenue came from selling personal data. The amendments significantly lower the general processing threshold and introduce new "no-threshold" triggers tied to specific data activities.

Netbilling

Under the amended law, the CTDPA will apply to entities conducting business in Connecticut or targeting products or services to Connecticut residents that, during the preceding calendar year:

  • Controlled or processed personal data of at least 35,000 consumers, excluding data processed solely to complete payment transactions. This is a reduction from the previous 100,000-consumer threshold.
  • Controlled or processed consumers’ sensitive data, excluding data processed solely to complete payment transactions. This trigger has no volume floor.
  • Offered consumers’ personal data for sale. This trigger also has no volume floor.

The elimination of volume floors for processing sensitive data or selling any personal data means that even platforms handling a minimal amount of such data from Connecticut residents will be subject to the CTDPA. This shift is particularly relevant for adult industry platforms, which often handle sensitive user information and may engage in data sales or sharing for advertising or analytics. The previous 100,000-consumer floor allowed smaller data brokers and ad-tech firms to operate outside Connecticut privacy law, but that is no longer the case. Developers and platform operators must now assess their data processing activities more broadly to ensure compliance, even if their user base in Connecticut is relatively small.

What Constitutes "Sensitive Data" Under the New Regulations?

The amendments to the CTDPA broaden the definition of "sensitive data," imposing new restrictions on its processing and sale. This expanded definition now encompasses additional types of information that are often collected or processed by online platforms, including those in the adult industry. Understanding these changes is crucial for maintaining compliance and protecting user privacy.

The updated definition of sensitive data includes:

  • Certain government identifiers, such as driver’s license numbers and passport numbers.
  • Financial account-related elements.
  • Social Security numbers (SSNs).

In addition to the existing requirements, such as obtaining consent prior to processing sensitive data, the amendments now expressly prohibit the sale of sensitive data without explicit consumer consent. This means that platforms must implement robust consent mechanisms for any collection, processing, or sale of these newly defined categories of sensitive data. For adult industry platforms, which may collect government IDs for age verification, financial details for payment processing, or other personal identifiers, this expanded definition and the associated consent requirements necessitate a thorough review of data handling practices. The requirement to obtain opt-in consent for selling sensitive data, and for targeted advertising and data sales for individuals aged 13 to 17, further complicates data monetization strategies and requires granular consent management systems.

How Do Consumer Rights and Data Broker Regulations Evolve?

The CTDPA amendments introduce significant changes to consumer rights and establish new regulations concerning data brokers, further tightening the state’s privacy framework. These changes, particularly those related to automated profiling and data transparency, require platforms to enhance their data governance and user interaction mechanisms.

Consumers will gain new rights related to automated profiling decisions that have legal or similarly significant effects. These rights include the ability to question outcomes, be informed of the reasoning behind decisions, review the data used in the decision-making process, and in certain contexts, correct inaccurate data and request reevaluation of decisions. For platforms utilizing AI or machine learning for content recommendation, user moderation, or other automated processes, this introduces a requirement for greater transparency and explainability in their algorithms. Developers will need to consider how to provide users with access to the data used in profiling and how to implement mechanisms for challenging automated decisions.

Furthermore, consumers will now have the right to obtain a list of every specific third party to which their personal data has been sold. This necessitates meticulous record-keeping of data sharing activities and the ability to generate such reports upon request. Connecticut is also establishing a data broker registry and deletion mechanism under Senate Bill 4, which takes effect on October 1, 2026. This second legislative package will add a geolocation sales ban, data broker registration requirements, surveillance pricing restrictions, facial recognition rules, and genetic data protections. These combined changes underscore a broader, more aggressive privacy posture from Connecticut, requiring adult industry platforms to not only comply with the CTDPA amendments but also prepare for upcoming data broker regulations and other privacy-enhancing measures.

What Are the Implications for Privacy Notices and LLM Training Data?

Beyond expanded applicability and consumer rights, the CTDPA amendments also introduce new requirements for privacy notices and specifically address the use of personal data for training large language models (LLMs). These provisions highlight the increasing regulatory focus on transparency and the ethical use of AI technologies.

Controllers must now update their privacy notices to disclose whether they collect, use, or sell personal data to train large language models. This requirement, which Connecticut shares with Vermont, directly impacts platforms that leverage AI for various functionalities, such as content generation, chatbot interactions, or advanced analytics. For adult industry platforms exploring or already implementing LLMs, this means explicit disclosure in their privacy policies about how user data contributes to AI training. This necessitates a clear understanding of data flows into AI models and the ability to articulate these practices to users in an understandable manner.

Additionally, controllers are now expressly required to limit sensitive data processing to what is reasonably necessary in relation to the purposes for which such data is provided. This principle of data minimization, combined with the consent requirements for sensitive data, reinforces the need for platforms to adopt privacy-by-design principles. Developers and engineers must ensure that their systems are architected to collect only essential sensitive data, process it strictly for stated purposes, and obtain explicit consent for any broader use or sale. The cumulative effect of these amendments, along with the impending data broker registration and other privacy-focused legislation, signals a complex and evolving regulatory environment that demands continuous attention from technology leaders in the adult industry.