Issue link: https://nebusinessmedia.uberflip.com/i/1540922
HARTFORDBUSINESS.COM | NOVEMBER 3, 2025 21 FOCUS | CYBERSECURITY William Roberts is co-chair of Day Pitney's data privacy and cybersecurity practice. HBJ Photo | Steve Laschever Data Divide New rules expand Connecticut's data privacy law and test small-business readiness much larger compliance puzzle that now includes similar rules in about 20 states, as well as Europe's General Data Protection Regulation. "Where companies get hung up the most tends to be on the easiest stuff, to be honest," Roberts said. "Having a privacy notice with links that aren't broken. Having a privacy notice that's readable. Having a privacy notice that's kept up to date." Keeping those notices accurate and consistent, Roberts said, is an ongoing concern — and a growing cost of doing business. Smaller businesses face bigger risks The coming changes to Connecticut's privacy law have raised concerns over whether they'll create new burdens for smaller companies. Opinions vary: Some attorneys believe most companies that already operate near the existing thresholds — or do business in other states with stricter rules — are already adapting. But others worry local businesses may be caught off guard by the lower 35,000-record threshold. Russell Anderson, an attorney at Pullman & Comley, said many purely Connecti- cut-based companies could soon find them- selves subject to the law for the first time. "If you're a business that has most of the population of your town in your database, all of a sudden you're subject to all of the requirements of the law. And you would have no reason to realize that," Anderson said. "A grocery store, a restaurant chain, car dealerships." He also believes that smaller businesses will have a difficult time figuring out the relatively new "universal opt-out" provision of the law, a right that went into effect in January of this year. It allows consumers to prohibit the sale or use of their personal data for targeted advertising through a browser setting or privacy tool. "A lot of businesses are going to get tripped up on the universal opt-out requirement," Anderson said. For Roberts, website cookies remain one of the biggest compliance risks. He said many companies fail to ensure that their privacy policies match what their websites actually collect or share — especially when third-party vendors sell user data that the business itself can't fully control. Expanding definition of sensitive data The most sweeping change under the 2026 amendments involves how "sensitive data" is defined — partic- ularly when it comes to minors and health information. For minors, companies currently must obtain a parent's or child's consent to sell personal data, engage in targeted advertising or create a profile. Starting next year, that permission will no longer matter: companies will By Harriet Jones hjones@hartfordbusiness.com A little over two years ago, Connecticut rolled out its own Data Privacy Act — giving resi- dents the right to know how companies are storing and using their personal information, and setting strict new rules for businesses on handling data. It was just the fifth state to enact such a measure at the time. Attorney General William Tong hailed it as one of the nation's stron- gest consumer privacy laws, granting Connecticut residents new rights to access, correct and delete their data, and to opt out of the sale of personal information and targeted advertising. Now, two years later, the law is entering a pivotal phase. As enforce- ment ramps up and new amendments take effect in 2026, Connecticut busi- nesses — from small retailers to major tech firms — are facing tighter compli- ance rules and higher scrutiny over how they collect and use personal data. The changes highlight a growing tension between consumer privacy rights and the costs and complexity for companies navigating an expanding web of state regulations. The privacy section within the Connecticut Attorney General's office oversees compliance and investi- gates consumer complaints about data mishandling. "We're continuing to get a steady stream of those complaints, and it's actually been really impressive to us, the time that folks will put in, trying to exercise their privacy rights," said Michele Lucan, chief of the privacy section. "For us, that makes clear, people care about this law." In the last year, she says, the depart- ment has received 57 complaints about issues that were covered under the Data Privacy Act. New threshold Connecticut's original data privacy law applied to companies holding data on more than 100,000 people. Those businesses were required to limit the personal information they collected, be transparent about how it was used and secured, and obtain consumer consent before gathering sensitive details such as precise location, biometric data or health information. Beginning in 2026, those rules will get tougher. Amendments to the law will lower the compliance threshold to 35,000 data records and place new restrictions on how companies use arti- ficial intelligence to profile customers. If a business handles sensitive infor- mation such as health data, there will no longer be a minimum threshold on the number of data records — a shift that has consumer health apps and fitness-tracking companies scrambling to prepare. For companies hoping to stay compliant, a clear and current privacy policy is essential, legal experts say. "I do think it's an overstatement to say that companies generally comply," said attorney William Roberts, co-chair of Day Pitney's data privacy and cybersecurity practice, and an adjunct professor of data privacy law at the University of Connecticut School of Law. He said larger corporations with legal and compliance teams tend to keep up with evolving requirements, but midsize and smaller firms face a steeper challenge. He points to the much more familiar HIPAA health privacy law as an analogy, where healthcare providers still struggle with compliance after decades of enforcement. Large national or multinational companies, he added, often view Connecticut's law as one piece of a Continued on next page Russell Anderson