Connecticut’s SB 1295: Strengthening Privacy in the Age of AI and Digital Services

Table of Contents

On June 24, 2025, Connecticut Governor Ned Lamont signed Senate Bill 1295 (SB 1295) into law, marking a significant step in bolstering consumer privacy protections under the Connecticut Data Privacy Act (CTDPA). Titled “An Act Concerning Broadband Internet, Gaming, Social Media, Online Services and Consumer Contracts,” SB 1295 expands the scope of the CTDPA, addressing emerging risks posed by AI-driven technologies, social media platforms, and data-intensive online services. As artificial intelligence (AI) increasingly powers everything from targeted advertising to automated decision-making, this legislation aims to safeguard consumers while fostering trust in digital ecosystems. By examining SB 1295 alongside Connecticut’s other privacy and AI laws, we can see how the state is navigating the delicate balance between innovation and consumer protection.

Connecticut’s SB 1295

What SB 1295 Brings to the Table

SB 1295 strengthens the CTDPA, originally enacted in 2022, by expanding its reach and tightening safeguards. The bill lowers the threshold for businesses subject to the CTDPA, ensuring more companies handling personal data are accountable. It broadens the definition of “sensitive data” to include more categories, such as precise geolocation and biometric information, which are often exploited by AI systems. The age for heightened protections for minors is raised from 16 to 17, reflecting the growing risks young users face on platforms like gaming and social media. Additionally, the bill introduces two key consumer rights: the ability to challenge significant profiling decisions made by automated systems and the right to access a list of third-party entities to whom their data is sold. These changes address the opacity of AI-driven profiling and data-sharing practices that erode consumer trust.

Evolution of Connecticut’s Privacy Laws

Legislation Year Enacted Key Privacy Provisions AI-Related Focus
CTDPA (SB 6) 2022 Right to access, delete, and opt out of data sales; applies to businesses processing data of 100,000+ consumers Limited; focused on general data privacy
SB 1108 2023 Regulates AI in employment and healthcare; mandates transparency in automated decision-making Directly addresses AI bias and accountability
SB 2 2024 Requires risk assessments for high-risk AI systems; bans discriminatory algorithms Targets AI-driven discrimination and risk mitigation
SB 1295 2025 Expands CTDPA threshold, sensitive data definition, minor protections; adds profiling and third-party disclosure rights Tackles AI profiling and data transparency

Note: Data compiled from Connecticut General Assembly records and legislative summaries, 2022–2025.

How SB 1295 Fits into Connecticut’s Privacy Landscape

Connecticut has emerged as a leader in privacy and AI regulation, with SB 1295 building on a robust framework and was an early pioneer along with California, Colorado, and Virginia. The CTDPA (SB 6, 2022) laid the groundwork by granting consumers rights to access, delete, and opt out of data sales, but its focus was broad, with limited attention to AI-specific risks. SB 1108 (2023) took a bolder step, mandating transparency in AI-driven decisions in employment and healthcare, addressing concerns like algorithmic bias in hiring. SB 2 (2024) went further, requiring risk assessments for high-risk AI systems and banning discriminatory algorithms, aligning with national calls for accountability in AI, as seen in reports like EPIC’s Assessing the Assessments. SB 1295 complements these laws by zeroing in on AI-powered profiling and data-sharing practices, particularly in consumer-facing industries like gaming and social media, where data exploitation is rampant.

Key Features of SB 1295 and Their Impact

  • Expanded Applicability: By lowering the threshold for businesses subject to the CTDPA, SB 1295 ensures that smaller platforms, including gaming and social media companies, must comply with stringent privacy rules, protecting more Connecticut residents.
  • Broader Sensitive Data Protections: Including biometric and geolocation data in the sensitive data category addresses AI-driven risks like surveillance pricing, where algorithms adjust prices based on user location or behavior.
  • Minor Protections: Raising the age threshold to 17 shields more young users from predatory data practices on platforms notorious for excessive tracking, such as TikTok or online gaming ecosystems.
  • Profiling and Transparency Rights: The right to challenge AI-driven profiling decisions and access third-party data-sharing lists empowers consumers to hold companies accountable, reducing the “black box” effect of automated systems.

Aligning with National Digital ID Lessons

SB 1295’s focus on transparency and consumer control echoes lessons from national digital identity (NDI) systems, like Estonia’s Smart-ID, which prioritizes user consent and selective data disclosure. Just as NDI systems use AI to secure transactions while guarding against misuse, SB 1295 aims to curb AI-driven profiling that can lead to discrimination or privacy violations. For example, the bill’s profiling challenge right mirrors global NDI principles of giving users agency over automated decisions, as seen in Singapore’s Singpass, which emphasizes consent-based data sharing. However, like NDI systems, SB 1295 must contend with public skepticism: a 2024 survey found that 78% of Connecticut residents distrust how companies handle their data, underscoring the need for robust enforcement.

A Model for Businesses and Policymakers

For businesses, SB 1295 is both a challenge and an opportunity. Compliance requires investing in transparent AI systems and clear data-sharing disclosures, but it also builds trust—a critical asset in a state where consumers are increasingly wary of data misuse. The EU’s €1.7 billion in GDPR fines in 2024 alone shows the cost of non-compliance, while companies like those adopting Estonia’s decentralized data models gain customer loyalty. Policymakers, meanwhile, must ensure SB 1295’s enforcement isn’t weakened by industry pushback, a risk seen in California’s debates over AI risk assessments. Connecticut’s proactive stance—layering SB 1295 atop SB 2 and SB 1108—sets a high bar for other states.

The Road Ahead

As AI continues to shape digital services, SB 1295 positions Connecticut as a leader in balancing innovation with consumer rights. By addressing profiling and data transparency, the bill tackles the same trust deficits seen in NDI systems worldwide, where citizens demand clarity and control. But success depends on enforcement. Regulators must ensure businesses comply with profiling challenge rights and third-party disclosure lists, lest these protections become hollow promises. Consumers, too, must be educated about their new rights to fully leverage them.

Looking forward, Connecticut’s evolving privacy framework offers a blueprint for others. By integrating lessons from SB 1295 with its broader AI and privacy laws, the state can foster a digital ecosystem where technology serves people, not profits. In an era where AI-driven decisions can make or break opportunities, this commitment to transparency and accountability is not just timely—it’s essential.

Written by: 

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.