Connecticut Lowers Privacy Law Threshold to 35,000: Your Site Now Applies

Imagine running a small e-commerce site serving a niche audience in the Northeast, confident that your under-100,000 user base keeps you clear of state privacy laws. Now picture July 1, 2026: that same site suddenly falls under Connecticut's revamped Data Privacy Act (CDPA) because you've hit 35,000 Connecticut residents—or even processed a single piece of sensitive data. This isn't a distant hypothetical; it's the new reality for thousands of businesses, as Senate Bill 1295 slashes applicability thresholds and tightens rules on minors' data.¹ ² ³

These changes, signed into law on June 24, 2025, dramatically expand the CDPA's reach, pulling in smaller websites, apps, and online services that previously flew under the radar.¹ ⁴ If your operations touch Connecticut consumers—even indirectly—it's time to audit your compliance. This post breaks down the key shifts, who they affect, and practical steps to get ready before enforcement ramps up.

What Changed? A Breakdown of SB 1295's Core Updates

Connecticut's legislature passed SB 1295 to address gaps in the original CDPA, effective July 1, 2026 (with some profiling rules starting August 1).¹ ² The most disruptive tweak? Lowering the bar for who must comply.

Slashed Applicability Thresholds

Previously, the CDPA targeted larger players:

Businesses processing personal data of 100,000 or more Connecticut consumers (excluding payment-only data), or
Those processing data of 25,000 or more consumers and deriving >25% of revenue from data sales.² ⁵

From July 1, 2026:

Drops to 35,000 Connecticut consumers—no revenue tie-in needed.¹ ² ³ ⁴ ⁵ ⁶
Zero threshold if you process any sensitive data (e.g., precise geolocation, health info, financial logins).² ³ ⁵
Zero threshold if you sell any personal data of Connecticut residents.² ⁴ ⁵

Payment transaction data stays exempt from counts, but everything else—like tracking cookies or user profiles—counts.⁵ ⁶ This nets in mom-and-pop shops, local SaaS tools, and affiliate sites that dodged the old rules.³

Expanded Sensitive Data Categories

Sensitive data now triggers compliance regardless of volume. New additions include:

Mental health disabilities or treatments
Nonbinary or transgender status
Derived genetic/biometric data
Neural data
Financial account numbers, card details, or login credentials (with access info)⁷

Processing sensitive data requires consent, and it must be "reasonably necessary and proportionate" to stated purposes—stricter than the old "adequate, relevant" standard.¹ ⁵ Selling sensitive data demands separate consent.⁴

Heightened Protections for Minors

No more wiggle room here:

Total ban on selling personal data of minors under 18 (up from 16; no consent exception for 13-17).³ ⁴ ⁵
Prohibited targeted advertising to minors, consent or not.³ ⁵
Bans on design features that hook minors (e.g., infinite scrolls boosting engagement).⁵
Stricter profiling rules for minors, plus mandatory impact assessments.⁵

These echo kids' privacy laws like COPPA but integrate directly into CDPA obligations.

Other Key Tweaks

Profiling rights expand: Consumers can opt out of any profiling tied to automated decisions with "legal or similarly significant effects"—including third-party decisions.⁵
Privacy notices must disclose: Data sales categories, targeted ad processing, LLM training use, third-party buyers, and last update date. Material changes require consent withdrawal options.⁴
Universal opt-outs recognized from January 2026 (e.g., Global Privacy Control).³
No cure period for violations post-changes—straight to enforcement.²

Does This Hit Your Website or Business?

If you "conduct business in Connecticut or produce products/services targeted to its residents," you're in scope.² Targeting includes localized marketing, state-specific shipping, or IP-based personalization—common for e-com sites.

Quick self-assessment checklist:

Do you track >35,000 CT users via cookies, logs, or forms? (Yes = comply.)
Process any sensitive data (e.g., health quizzes, location services)? (Yes = comply.)
Sell data (e.g., to ad networks)? Even one CT record triggers it.² ⁴
Serve minors (knowingly or via age-gating gaps)? New bans apply universally.⁵

Small sites with 40,000 users nationwide might process 5,000 from CT alone—now over the line. Non-profits, B2B tools, and payment processors aren't automatically exempt; check thresholds excluding payments.⁵ ⁶

Compare to peers:

State Law	Old Threshold	New/Latest Threshold	Sensitive Data Trigger?
Connecticut (CDPA)	100k consumers	35k consumers (2026)	Yes, any amount ¹ ²
California (CCPA/CPRA)	100k consumers or 50k devices	No change	Partial (opt-out for sensitive)
Colorado (CPA)	100k consumers	No change	Yes, but higher bars
Virginia (VCDPA)	100k consumers	No change	Limited

CT's drop is among the steepest, rivaling expansions in Montana or Oregon.³

Actionable Steps: Comply Before July 1, 2026

Don't panic—many updates align with GDPR/CCPA best practices. Start now for a smooth rollout.

1. Audit Your Data Flows (2-4 Weeks)

Map personal data processing: Who, what, where? Use tools like data flow diagrams.
Count CT consumers: Review analytics (GA4, server logs) for state-specific traffic. Exclude pure payments.²
Flag sensitive/minors data: Scan forms, trackers for health, location, or kid-targeted content.⁷

Pro tip: If under 35k but selling data, you're in—audit ad pixels (e.g., Facebook Pixel often "sells" via sharing).⁴

2. Update Policies and Notices (1-2 Weeks)

Revise privacy policy with SB 1295 disclosures: Sales categories, ad processing, LLM use, update dates.⁴
Add minors' bans and consent withdrawal for changes.
Deploy cookie banners honoring GPC/universal opt-outs.³

Sample disclosure language:

"We sell personal data to ad networks for targeted advertising. Last updated: [Date]."

3. Implement Consumer Rights and Controls

Build/enhance portals for access, deletion, opt-out (profiling, sales, targeted ads).
For sensitive data: Gate with granular consent toggles.
Minors: Age gates + design audits to avoid engagement hooks.⁵

Numbered rollout plan:

Integrate opt-out buttons site-wide (e.g., "Do Not Sell/Target").
Test profiling blocks for automated decisions.
Train teams on "proportionate" collection—trim unnecessary trackers.¹

4. Conduct Required Assessments

Data protection assessments for high-risk processing (sales, profiling, sensitive).⁵
Impact assessments for minors/profiling (from Aug 2026).² ⁵
Document everything—enforcers love audit trails.

5. Tech and Vendor Check

Scan third-parties: Do they sell CT data? Update DPAs.
Cookie consent: Ensure it covers new sensitive categories; tools like OneTrust help.
Monitor for neural/genetic data creep (e.g., AI fitness apps).⁷

Budget 3-6 months if starting from scratch. Multi-state operators: Harmonize with CCPA (similar rights) but note CT's lower bar.³

Potential Pitfalls and Enforcement Risks

No cure period means fines from day one—up to $7,500 per violation via CT AG.² Early movers like Utah saw quick settlements; expect CT to follow.

Watch for:

Under-counting CT users: IP geofencing misses VPNs; use probabilistic matching.
Ad tech traps: "Selling" includes sharing for ads—common Pixel issue.⁴
Global overlaps: If GDPR-compliant (Art. 9 sensitive processing), you're ahead; align consents.⁵

Key Takeaways

Threshold crash: 100k → 35k CT consumers; zero for sensitive/sales.¹ ²
Minors locked down: No sales/ads to under-18s, ever.³ ⁴
Act now: Audit data, update notices, build opt-outs—July 1 looms.
Smaller sites: This is your wake-up. Compliance beats fines.

With proactive steps, you turn this into a trust-builder. Stay vigilant—privacy laws evolve fast.³

Connecticut Lowers Privacy Law Threshold to 35,000: Your Site Now Applies