A crazy summer for normal folks is one full of vacations, cruises, adventures, and trying to figure out what else to do with your borderline feral children who are bored.
A crazy summer for us folks running a Privacy Policy Generator is one where two new privacy laws go into effect, Australia proposes changes to its largest privacy law, and even the United Kingdom is changing its UK DPA (basically the ctrl. C, ctrl V version of GDPR).
Oh yeah, and then there’s Connecticut.
In June 2025, Connecticut’s Governor signed SB1295, a bill that amends Connecticut’s existing privacy law. These changes take effect July 1, 2026.
Reminder: Your business doesn’t have to be located in Connecticut for the law to apply to you. That’s why businesses should prepare now in case these changes do apply to your website.
Table of Contents
Key Changes Under SB1295
1) Revised Definition of Significant Decisions
The law now clarifies what counts as “decisions that produce legal or similarly significant effects,” making it more precise as to when automated decision-making falls under law. (Page 24)
2) Neural Data Is Now Protected
The law now includes neural data—biometric and brain-computer interface data—as protected personal information. (Page 25)
3) Expanded Definition of Sensitive Data
New categories have been added to strengthen what qualifies as sensitive data and expand what businesses must treat with extra care. (Page 28)
4) Applies to More Businesses
The law will now apply to more businesses by reducing the number of consumers a company must process data for. It now applies to businesses that (during the preceding calendar year) processed the data of 35,000 customers (previously 100,000).
It also applies if a business sells personal data or processes sensitive data, regardless of volume. (Pages 29–30)
5) Stronger Protections Around Profiling
If businesses use personal information for profiling, consumers will now receive enhanced rights and transparency. (Page 34)These additional rights allow consumers to:
- Question the result of such profiling;
- Be informed of the reason that such profiling resulted in such a decision;
- Review the personal data that were processed for the purposes of such profiling; and
- If the profiling decision concerned housing, taking into account the nature of the personal data and the purposes for which such personal data were processed, allow the consumer to correct any incorrect personal data that were processed for the purposes of such profiling and have the profiling decision reevaluated based on the corrected personal data
6) Limits on Data Disclosures in Privacy Requests
Certain personal information cannot be disclosed when responding to consumer privacy requests, adding a layer of protection against unintended exposure (Page 37). This data includes the consumer’s:
- Biometric data
- Social Security number
- Driver’s license number, state identification number, or other government-issued ID
- Financial account number
- Health insurance or medical ID number
- Password
- Security question or answer
7) More Detailed Privacy Policy Requirements
Privacy Policies must clearly explain:
- How consumers can exercise their rights
- The categories of personal data sold and the categories of third parties to whom the personal data is sold (if any)
- Whether data is used or sold for targeted advertising
Whether personal data is used to train AI models like large language models (Page 40)
8) Improved Privacy Policy Display Requirements
The law adds clarity about how Privacy Policies must be presented to consumers, ensuring easier access and readability (Page 40). According to the changes, a Privacy Policy must be displayed:
- Through a conspicuous hyperlink that includes the word “privacy” and is located:
- On the home page of the controller’s website
- On the application store page or download page
- On the application’s settings menu or in a similarly conspicuous and accessible location
- Through a medium in which the controller regularly interacts with consumers, including, but not limited to, mail, if the controller does not maintain a website
- In each language in which the controller provides a product or service
- In a manner that is reasonably accessible to, and usable by, individuals with disabilities.
9) Connecticut-specific Policies
Policies don’t have to be specific to Connecticut as long as the required disclosures can be found within your policies. (Page 41)
That’s it! If you’d like to read the full bill, you can read about SB1295 here.
Sick of keeping up with all these changes?
We created Termageddon to help businesses keep up with the wild world of privacy laws. Our Privacy Policy Generator can create all the policies your website needs to comply with modern laws. Plus, we auto-update our policies whenever laws change or new laws go into effect.
This makes our product the only set-it-and-forget-it option (besides keeping an attorney on retainer).
Spoiler: We’re much more affordable than that ($112/year or $19/month).
