The amendments substantially broaden what qualifies as sensitive data to include mental and physical disability status, neural data, financial account information, government-issued IDs, and biometric inferences. New restrictions on minors' data are categorical: businesses cannot process minors' data for targeted advertising or sale, cannot deploy manipulative design features to increase usage, and must conduct impact assessments for any profiling of minors. Controllers must also update privacy notices to disclose profiling activities and whether data trains large language models, obtain separate consent for selling sensitive data, and ensure all collection is both reasonably necessary and proportionate to stated purposes.
The practical impact is immediate and broad. The threshold reductions mean many small businesses and digital platforms previously outside the law's scope now face compliance obligations. Violations carry civil penalties up to $5,000 each. Connecticut is one of three states—alongside Arkansas and Utah—implementing major privacy law changes on July 1, 2026. Any business collecting personal data from Connecticut residents or U.S. visitors generally should audit consent frameworks, privacy notices, and data handling practices now to avoid exposure.