Connecticut Public Act 25-113 (SB 1295) CTDPA and profiling amendments
Effective date
Penalty
$5,000 per willful violation under CUTPA. AG exclusive enforcement. Cure period expired December 2024.
Obligations mapped
9 obligations
Legislative update
SB 1295 (Public Act 25-113) was signed June 24, 2025 and takes effect July 1, 2026. It is the most significant overhaul of Connecticut's data privacy framework since the original CTDPA in 2022.
Overview
If a Connecticut company uses automated systems to make decisions about you, like whether you get approved for something or how you are categorized, you have new rights starting July 2026. You can ask how the system works, why it reached its conclusion, and request a review. If you are applying for housing, you can ask for corrections. Where applicable, companies may need to assess the risks of their profiling systems and may be barred from selling minors' data or using it for targeted advertising. The law also calls on companies to disclose in their privacy notice whether your data is used to train AI models.
This is a privacy law with automated decision-making provisions.
See if this regulation applies to your company with the free exposure scan.
Who this applies to
This regulation applies to the following roles:
- Deployers and users of covered AI systems and tools
- Organizations operating in Connecticut
This regulation applies to companies that use or deploy AI tools and systems built by other vendors. If your company uses AI-powered products in the areas listed below, this regulation may apply to you.
SB 6
AI categories covered
- Consumer-facing AI
- Automated decision-making
- Algorithmic profiling
Specific AI use cases:
- Customer profiling and segmentation
- Credit scoring and risk assessment
What this requires you to do
9 obligations identified from statutory analysis.
SB 1295 bias auditing provision
Sec. 42-520(a)(1)(B) as amended by SB 1295 Sec. 5
Sec. 42-518(a)(6) as amended by SB 1295 Sec. 8
Sec. 42-518(a)(5) as amended by SB 1295 Sec. 8
Sec. 42-522
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.
Enforcement and penalties
$5,000 per willful violation under CUTPA. AG exclusive enforcement. Cure period expired December 2024.
Penalty amounts are based on statutory text and may be subject to adjustment, judicial interpretation, or enforcement discretion.
Legislative history
effective
Impact assessment requirements apply to new processing activities
effective
Most SB 1295 amendments take effect
guidance issued
AG enforcement report with recommended legislative changes
effective
UOOM requirement takes effect
cure period expired
60-day cure period expires
enforcement action
$85,000 CTDPA enforcement settlement for privacy notice deficiencies
effective
Minor-specific provisions take effect (opt-in consent for targeting, sale, geolocation)
effective
CTDPA takes effect
amended
First round of amendments: consumer health data and minors privacy provisions
Related regulations
- In EffectAI-Specific
Connecticut Government AI Procurement and Oversight (SB 1103)
First-in-nation state government AI procurement law. Requires state agencies to inventory AI systems, conduct impact assessments, prohibit discriminatory AI, and publicly post inventories. Applies to state agencies and contractors, not private sector employers.
Effective
- In EffectPrivacy ADM
Colorado Privacy Act (CPA profiling and ADM)
Colorado profiling rules define three tiers: Solely Automated Processing, Human Reviewed Automated Processing, and Human Involved Automated Processing. Consumer opt-out applies to tiers 1 and 2. Tier 3 gets enhanced disclosure instead of opt-out. Core profiling provisions effective July 1, 2023. Universal opt-out mechanism compliance required since July 1, 2024. The 60-day cure period for CPA violations expired January 1, 2025, so the Attorney General may pursue enforcement without a cure window (distinct from the Colorado AI Act cure rule). HB 24-1130 added biometric consent requirements effective July 1, 2025. SB 24-041 added minor protections effective October 1, 2025.
Effective
- UpcomingPrivacy ADM
CCPA/CPRA Automated Decision-Making Technology Regulations
California's ADMT regulations require businesses using automated decisionmaking technology for significant decisions (employment, finance, housing, education, healthcare) to provide pre-use notices, offer opt-out rights, respond to access requests, and conduct risk assessments with annual CPPA filing under penalty of perjury.
Effective
Connecticut AI regulation guide lists every tracked rule for this jurisdiction with timelines and obligation tallies.
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.