Connecticut Data Privacy Act and AI Training Disclosure

The Connecticut Data Privacy Act took effect on July 1, 2023, and Senate Bill 1295, effective July 1, 2026, widened its reach to any business that controls or processes the data of at least 35,000 Connecticut consumers, processes any sensitive data at all, or offers consumers' personal data for sale. It follows the omnibus model of notice, rights, and appeal, but the Connecticut Attorney General has enforced it more actively than most, so a covered business should read it more closely than a generic summary allows.

The baseline notice describes the categories of personal data processed, the purposes, whether and why data is shared with third parties, and how a consumer exercises rights, and it has to name a working appeal path for denied requests. As with every omnibus law, accuracy comes from operating facts rather than abstract category lists, so the business has to know what the site collects, which vendors receive it, which targeted advertising tools are live, and how the rights workflow runs, because a notice built on guesses falls apart once a request or a complaint arrives.

The Attorney General's office has treated the law as more than background disclosure, and its reporting has singled out children's and teens' online safety, connected vehicles and geolocation data, gaming platforms, chatbots, and data brokers. A business with youth facing products, location features, automated tools, or rich behavioral data should treat Connecticut as a live risk rather than one more line in a multistate chart.

Senate Bill 1295 adds the piece that sets Connecticut apart, a disclosure requirement when personal data trains large language models, which is separate from the standard notice categories. A business can have a solid rights table and still underdisclose if it uses customer messages, uploads, behavioral data, or account information to train AI systems without saying so plainly, so any company building AI into support, search, recommendations, content generation, or moderation has to describe that use when the law requires it and confirm in its data map that the use is happening.

The biggest risk in Connecticut is the distance between how the product works and how the policy reads, so if the site targets minors, collects precise location, relies on chatbots, or uses personal data in AI systems, those facts should drive the disclosure from the start. A Connecticut review examines the product features next to the standard clauses, because a general template can state rights in a technically complete way and still miss the issues the Attorney General is most likely to pursue.