Yesterday, Attorney General William Tong released additional guidance to inform consumers and companies operating in Connecticut of adjustments made to the Connecticut Data Privacy Act (CTDPA), which went into effect on July 1st.
“For too long, Big Tech has treated our children like social media cash cows,” said Tong. “Connecticut is now taking matters into our own hands with protections that limit harmful data collection, curb addictive features, and give families the control they need to keep children safe online.”
Last summer, the General Assembly passed SB 1295, a bill that made several amendments to the CTDPA, which originally passed in 2022. Many of these changes focus on child safety; as of July 1, it is now illegal to sell or process minors’ personal data for the use of targeted advertising, use addictive design features to “significantly increase, sustain or extend any minor’s use of such online service, product or feature,” or collect minors’ precise geolocation data unless necessary to the function of the product or service (e.g. a maps service).
Additionally, companies must obtain consent before processing a minor’s personal data for profiling. The CTDPA defines profiling as being “any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”Direct messaging apps must also include default settings preventing adults from sending uninvited messages to minors.
As of July 1, the CTDPA will now apply to more businesses than ever before; before SB 1295’s passage, the CTDPA only applied to businesses that controlled or processed the personal data of at least 100,000 consumers, or those that controlled or processed the data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data. The language has now been simplified so that any business that controls or processes the data of 35,000 consumers or more must be CTDPA compliant.
Furthermore, CTDPA compliance has now been extended to any person or business that controls or processes sensitive data, with the exception of payment processors, or that sells personal data. The definition of sensitive data, which used to cover only medical, genetic, or biometric information, has also been expanded to include financial account data, government-issued private identifying data (e.g. SSNs, license numbers, etc.), neural data, and data that would identify someone’s status as a disabled, transgender, or nonbinary person.
Upon a Connecticut resident’s request, data holding entities must now provide requesters with lists of all third parties to which their personal data was sold, tell them what inferences were drawn from their personal data, and tell requesters if their data is being used to screen their access to financial, lending, insurance, educational, healthcare or criminal justice services, as well as housing, insurance, educational and employment opportunities.
In instances where profiling decisions are automated, consumers now also have the right to request from businesses thorough breakdowns of what factored into the decision-making process and review the personal data used to conduct it. When profiling is conducted for the purpose of making housing-related decisions, consumers will now have the right to correct any incorrect personal data used in the processing and have the decision re-evaluated.
Tong also highlighted additional protections for minors that were enacted by the passage of SB 5 last session. These protections, which will go into effect by 2028, include a ban on content algorithms without parental consent, the creation of a default setting for minors’ accounts that heightens privacy protections, sets time limits, and bars notifications between 9 p.m. and 8 a.m. Parents’ consent will be required to change those settings. It also requires a pop-up to be displayed whenever a minor opens social media, informing them of its potential mental health risks.
Once fully in effect, SB 5 will also require social media companies to submit annual reports to the Attorney General containing the number of minors on their platforms, how many have received parental consent for the enabling of content algorithms, and the average amount of time per day minors spend on the platform, sorted by age and time of day. These provisions were included in a bill proposed by Tong last May, which passed the House but died on the floor.
The bill also includes a provision barring any AI companion operator from engaging with minors until it can be made incapable of encouraging self-harm, discouraging them from seeking help, or attempting to offer mental health services to minors (unless it is clinically qualified to do so).
“Connecticut has one of the strongest data privacy laws on the books, and we will use every inch of our authority to protect our kids online,” said Tong. “We’re investigating Roblox and TikTok, we’ve sued Meta, and there should be no doubt that we are serious.”


