If you thought Connecticut's data privacy law did not apply to your small team, check again. Starting today, July 1, 2026, Connecticut's SB 4 (now Public Act 26-64) dramatically expands who must comply with the Connecticut Data Privacy Act. The threshold drops by more than half, two new no-threshold triggers kick in, and a sweeping set of new obligations rolls out across three separate effective dates through 2027.
This is not a hypothetical future requirement. It is in effect now.
What Changed and When
Connecticut's SB 4 does not have a single effective date. It is a staged rollout with four distinct compliance windows. Here is the full timeline:
July 1, 2026 (today):
- Coverage threshold drops from 100,000 to 35,000 Connecticut residents
- Two new no-threshold triggers: any entity that processes sensitive data or sells personal data is now covered regardless of volume
- Updated privacy notice requirements apply
- New consumer rights provisions take effect
October 1, 2026:
- Precise geolocation sale ban takes effect
- Expanded sensitive data categories become enforceable
- Data broker registration framework activates
- Facial recognition and genetic testing protections apply
- Surveillance pricing rules take effect
January 1, 2027:
- Data brokers must be registered with the Connecticut Department of Consumer Protection
- Initial registration fee: $2,500 (annual renewal also $2,500)
October 1, 2028:
- Consumer deletion request mechanism goes live
- Registered data brokers must honor deletion requests within 45-day cycles
The July 1 changes are the ones that catch small teams off guard. The threshold cut and the no-threshold triggers mean thousands of companies that were previously exempt are now covered before breakfast.
Am I Now Covered? A Decision Tool
Work through these questions in order. If you answer yes to any of them, you are subject to the CTDPA as of July 1, 2026.
Question 1: Do you process personal data of 35,000 or more Connecticut residents per year?
This is the primary threshold. "Process" includes collecting, storing, using, disclosing, or otherwise handling personal data. If your product or service has Connecticut customers and you handle their data in any of these ways, count them. If the count is 35,000 or above, you are covered.
Note: the prior threshold was 100,000. If you previously evaluated coverage and concluded you were exempt because you had fewer than 100,000 Connecticut users, you need to rerun that calculation today.
Question 2: Do you process personal data of 25,000 or more Connecticut residents AND derive more than 25 percent of gross revenue from selling personal data?
This trigger was already in the original CTDPA and remains unchanged. Businesses straddling the old threshold via this revenue-linked test are still covered.
Question 3: Do you process sensitive data about Connecticut residents, regardless of volume?
This is a new no-threshold trigger effective July 1. If you process any of the following categories about Connecticut residents, you are covered with no minimum volume:
- Health and medical data
- Racial or ethnic origin
- Religious beliefs
- Mental or physical disability or treatment (newly added)
- Sexual orientation
- Nonbinary or transgender status (newly added)
- Citizenship or immigration status
- Genetic data
- Neural data (newly added)
- Biometric data used for identification
- Financial account information (newly added)
- Government-issued identification numbers such as Social Security numbers, driver's licenses, or passports (newly added)
- Precise geolocation data (location accurate within 1,750 feet)
- Personal data of a known child
If your AI tools process any of these categories about Connecticut users, even a handful, you are covered as of today.
Question 4: Do you sell personal data about Connecticut residents, regardless of volume?
This is the second new no-threshold trigger. "Sell" means exchanging personal data for monetary or other valuable consideration. If your business model involves selling any personal data to third parties, you are now covered in Connecticut regardless of how many Connecticut residents are in your dataset.
If you answered no to all four questions, you are not subject to the CTDPA. Keep this on record and re-evaluate whenever your user base or data practices change.
What You Must Do If You Are Covered
Update Your Privacy Notice
The CTDPA requires a privacy notice that includes, at minimum:
- Categories of personal data you process
- Purposes for processing
- How consumers can exercise their rights (opt-out, access, deletion, correction, portability)
- Categories of personal data you share with third parties and the identity of those third parties
- An active email address or online mechanism for submitting consumer rights requests
If you updated your privacy notice to cover the original CTDPA thresholds, check whether your current draft captures the new sensitive data categories and the updated opt-out triggers. If you are newly covered as of July 1, you need a compliant notice now.
Honor Consumer Rights Requests
Connecticut residents have the right to:
- Access: Know what personal data you hold about them
- Correction: Fix inaccurate personal data
- Deletion: Request you delete their personal data
- Portability: Receive their data in a portable format
- Opt-out: Opt out of targeted advertising, the sale of personal data, and profiling used to make decisions with legal or similarly significant effects
You have 45 days to respond to consumer rights requests, with a single 45-day extension allowed when reasonably necessary. The CTDPA does not set a maximum penalty per violation in the statute but grants the Connecticut Attorney General exclusive enforcement authority with civil penalties up to $5,000 per willful violation.
Conduct a Data Inventory Focused on New Categories
The no-threshold sensitive data trigger makes a data inventory urgent. You need to know whether any Connecticut resident data you process falls into the newly added categories: mental/physical disability, nonbinary/transgender status, neural data, financial accounts, or government IDs. Many teams have this data without realizing it. HR software, benefits platforms, and AI tools that ingest employee or customer data frequently touch these categories.
Practical steps:
- List every tool that collects or processes data from Connecticut users or employees
- For each tool, identify whether it processes any newly covered sensitive data category
- If yes, confirm you have a legal basis for processing (consent for sensitive data is required)
- Update vendor contracts to include data processing agreements where missing
Review AI Tool Data Flows
If you use AI tools, and most small teams do, check whether those tools process Connecticut user data. Under the CTDPA, you are a controller and your AI vendor is a processor. That relationship requires a data processing agreement. The CTDPA mandates that processor agreements include:
- Instructions for processing
- Nature and purpose of processing
- Type of personal data involved
- Duration of processing
- Rights and obligations of both parties
Many AI vendor agreements do not include all of these terms by default. The vendor privacy comparison table in our article on AI vendor data retention policies lists which major vendors have compliant DPA language and which require negotiation.
What Is Coming October 1, 2026
Mark your calendar for three additional obligations that activate in 90 days.
Geolocation Sale Ban
Starting October 1, selling a Connecticut resident's precise geolocation data (location accurate within 1,750 feet) is prohibited without express opt-in consent. This affects mobile apps, location-based services, advertising technology, and any platform that sells location signals to data brokers or ad networks. Review your third-party data sharing agreements now.
Sensitive Data Processing Restrictions Tighten
The expanded sensitive data categories listed above become fully enforceable on October 1. While the no-threshold coverage trigger is already live as of July 1, the specific processing restrictions, including the requirement that processing be "reasonably necessary" for the stated purpose, become enforceable in 90 days. Use this window to document your lawful basis for any sensitive data processing.
Data Broker Framework Activates
If your business sells or licenses personal data to third parties as a primary activity, you likely qualify as a data broker under SB 4. The registration framework activates October 1, with an actual registration deadline of January 1, 2027. Start now:
- Determine whether your business meets the SB 4 definition of a data broker
- Identify the Connecticut Department of Consumer Protection as the registration authority
- Budget $2,500 for the initial registration fee plus $2,500 annually
- Prepare the required disclosures: how consumers can exercise CTDPA rights, which personal data categories you collect, and your regulatory exemptions under FCRA, GLBA, or HIPAA if applicable
How This Stacks Against Other State Laws
Connecticut SB 4 is part of a broader wave of state privacy law tightening in 2026. For context:
- Colorado: The original Colorado AI Act (SB 205) was replaced by SB 26-189, signed May 14, 2026. The new Colorado law focuses on employer AI notice and disclosure obligations, with a January 1, 2027 effective date. See our Colorado SB 26-189 guide.
- Connecticut SB 5 (AI law): Separate from SB 4, Connecticut's AI-specific law covers automated employment decision tools and has its own October 2026 requirements. See our Connecticut SB 5 checklist.
- Multi-state compliance: If you have users in multiple states, the CTDPA joins California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), and a growing list of states with active consumer data rights laws. The multi-state compliance strategy guide covers how to build a single framework that covers the common requirements across all of them.
Action Checklist Before End of Day
Today (July 1, 2026):
- Run the four coverage questions above. Document your answer and the data that supports it.
- If covered: confirm you have a compliant privacy notice live on your website
- If covered: confirm you have a mechanism for consumers to submit rights requests (email or web form)
- If covered: confirm at least one person owns the CTDPA response queue
This week:
- Audit AI tool vendor agreements for CTDPA-compliant DPA language
- Identify any data flows touching newly expanded sensitive data categories
- For sensitive data processing: document the legal basis (consent is required for most categories)
Before October 1, 2026:
- Review and update any geolocation data sharing or selling arrangements
- Complete sensitive data processing documentation
- Evaluate whether your business qualifies as a data broker
Before January 1, 2027:
- If you are a data broker: register with the Connecticut Department of Consumer Protection and pay the $2,500 fee
