Connecticut has enacted significant amendments to the Connecticut Data Privacy Act (CTDPA), expanding its scope and introducing new compliance obligations for businesses that collect, use, share, or sell personal information. Now, many businesses, including employers that may not think of themselves as “data companies,” could have new compliance obligations.
What Is the Connecticut Data Privacy Act?
The CTDPA, which originally took effect in 2023, is Connecticut’s comprehensive consumer privacy law. Similar to privacy laws enacted in states such as California, Virginia, and Colorado, it regulates how certain businesses collect, use, store, share, and sell consumers’ personal information.
Under the original law, the CTDPA generally applied only to businesses that met specific data-processing thresholds, such as controlling or processing the personal data of large numbers of Connecticut residents. Covered businesses were required to:
- Provide consumers with privacy notices explaining how their data is collected and used;
- Allow consumers to access, correct, delete, and obtain copies of their personal information;
- Give consumers the ability to opt out of certain data processing activities, including targeted advertising and the sale of personal data; and
- Implement reasonable safeguards to protect personal information.
Because the law was aimed primarily at larger businesses engaged in significant consumer data processing, many employers assumed it did not apply to them.
What’s Changing?
Recent amendments dramatically expand the CTDPA. While many of the original consumer privacy rights remain, the amendments:
- Broaden the law’s reach so more organizations are covered;
- Create an entirely new regulatory framework for data brokers;
- Add new protections for sensitive personal information;
- Restrict how businesses use personal data to determine individualized prices;
- Prohibit the sale of precise geolocation information;
- Regulate certain uses of facial recognition technology; and
- Expand protections for genetic information and consumer health data.
The changes take effect in phases over the next several months, giving businesses time to review and update their privacy practices.
Why Employers Should Pay Attention
Although much of the amended law focuses on consumer privacy, employers should not assume they are exempt.
Employers routinely collect and maintain sensitive personal information during recruiting, hiring, onboarding, payroll administration, benefits administration, and other HR functions. Depending on how that information is collected, shared, or monetized, portions of the expanded CTDPA may apply.
Organizations that collect government-issued identification numbers, financial information, health information, biometric data, genetic information, or precise geolocation data should evaluate whether their current privacy practices comply with the amended law.
Sensitive Data and Expanded Compliance Obligations
The amended CTDPA places particular emphasis on sensitive data. Unlike some provisions that apply only after certain business-size thresholds are met, obligations relating to sensitive data may apply based exclusively on the type of information being processed.
Sensitive data includes:
- Government-issued identification numbers;
- Financial account information;
- Health information;
- Citizenship or immigration status;
- Biometric identifiers;
- Genetic information;
- Precise geolocation data; and
- Information revealing race, ethnicity, religion, or sexual orientation.
For employers, sensitive data may include information maintained in personnel files, benefits records, leave documentation, accommodation requests, and other HR-related records. Employers should evaluate how such information is collected, stored, accessed, and shared. Privacy notices should accurately describe the categories of data collected, the purposes for processing, and any third-party disclosures.
New Requirements for Data Brokers
One of the most significant additions is the creation of a new regulatory framework for data brokers.
The amended CTDPA defines a data broker as a business, or part of a business, that sells or licenses “brokered personal data.” This includes direct identifiers, such as names and addresses, as well as information that could reasonably identify an individual when combined with other data.
Because this definition is broad, organizations that monetize personal information should carefully evaluate whether they qualify.
Data Broker Registration and Deletion Obligations
Beginning January 1, 2027, covered data brokers must register annually with the Connecticut Department of Consumer Protection (CDCP), pay a registration fee, and maintain a compliant privacy policy.
The law also establishes a centralized deletion mechanism similar to California’s Delete Act. Connecticut residents will be able to submit one deletion request requiring all registered data brokers to delete their personal information. Registered brokers must regularly access the system, determine if a relevant request has been made, and honor verified requests.
Restrictions on Surveillance Pricing
The amendments regulate “surveillance pricing,” meaning the use of personal data to determine individualized prices. For example, using a customer’s browsing history or location data to determine what price to charge that customer verses any other consumer may constitute surveillance pricing.
Businesses that use automated processing to increase prices must disclose that practice. Certain retailers and third-party delivery services are prohibited from engaging in surveillance pricing except in limited circumstances.
Ban on Selling Precise Geolocation Data
The amended law prohibits the sale of precise geolocation data, defined as information identifying an individual’s location within approximately a 1,750-foot radius. Businesses collecting location information should review their practices to ensure compliance.
New Facial Recognition Requirements
Businesses using facial recognition technology for security or fraud prevention must provide clear notice and maintain a publicly available policy describing that use.
The law also restricts facial recognition systems that compare individuals against publicly available or third-party databases.
Enhanced Protections for Genetic Data
The amendments strengthen protections for consumers using direct-to-consumer genetic testing services by requiring:
- Clear disclosures;
- Affirmative consent for certain uses of genetic information;
- Appropriate security safeguards; and
- Procedures allowing consumers to access or delete their genetic information and biological samples.
When Do the Changes Take Effect?
July 1, 2026
Beginning July 1, 2026, the law:
- Expands its applicability threshold, potentially bringing more organizations within its scope;
- Eliminates the automatic opportunity to cure violations before enforcement;
- Enhances consumers’ rights regarding profiling and automated decision-making; and
- Imposes new requirements for businesses handling children’s data and consumer health information.
October 1, 2026
Additional provisions take effect that:
- Require greater transparency regarding automated decision-making;
- Regulate “surveillance pricing,” or using personal data to determine individualized prices; and
- Impose additional disclosure obligations on businesses using certain automated technologies.
January 1, 2027
Businesses that qualify as data brokers must:
- Register annually with the CDCP;
- Pay a registration fee;
- Maintain a compliant privacy policy; and
- Comply with Connecticut’s new centralized data deletion system.
What Employers Should Do Now
Although many of the Act’s new requirements do not take effect until later this year and into 2027, employers should begin evaluating their current data privacy practices now. In particular, employers should review:
- The categories of personal information they collect, use, and retain;
- Whether they collect or process sensitive personal data;
- What employee information is shared with payroll providers, benefits administrators, and other third-party service providers, and whether those disclosures are necessary, consistent with applicable privacy laws, and supported by appropriate contractual privacy and security protections;
- Whether existing privacy notices and internal policies accurately reflect their data collection, use, retention, and disclosure practices; and
- Whether agreements with third-party service providers contain appropriate data processing, confidentiality, privacy, and information security provisions.
Employers should also conduct appropriate due diligence before engaging third-party service providers and periodically evaluate whether those providers maintain adequate privacy and security practices. While employers may rely on third-party vendors to process employee information, doing so does not eliminate their own obligations under applicable privacy laws. Accordingly, employers should ensure that vendors are appropriately vetted and that agreements include appropriate requirements for protecting personal information.
In addition, organizations should evaluate whether their use of artificial intelligence or automated decision-making tools triggers any additional disclosure requirements or necessitates updates to existing policies and procedures under the amended law.
Taking these proactive steps now can help employers identify potential compliance gaps and better prepare for Connecticut’s expanded privacy requirements as they take effect.
Conclusion
The amendments to the Connecticut Data Privacy Act represent a significant expansion of Connecticut’s privacy laws. While the original CTDPA focused primarily on businesses engaged in large-scale consumer data processing, the expanded law reaches a broader range of organizations and creates substantial new compliance obligations.
Employers and businesses should review their data collection, privacy policies, vendor relationships, and internal data governance practices now to ensure they are prepared before the various provisions take effect.
Brody and Associates regularly advises management on compliance with the latest local, state, and federal employment laws. If we can assist your organization in preparing for these changes, please contact us at info@brodyandassociates.com or (203) 454-0560.