Concord Privacy News: 8/20/2025

Connecticut expands data privacy protections; as privacy policy heats up, lawmakers should heed Gen Z’s preferences; US federal court filing system breached in sweeping hack.

Connecticut Expands Data Privacy Protections

On June 24, 2025, Connecticut passed SB 1295, making significant updates to the Connecticut Data Privacy Act (CTDPA). Most provisions take effect July 1, 2026, with new impact assessment rules starting August 1, 2026.

Key changes include:

Broader scope: The CTDPA now applies to more businesses, including those processing personal data of 35,000+ consumers, sensitive data (with limited exceptions), or selling personal data.
Expanded sensitive data definition: Now includes disability or treatment, nonbinary or transgender status, neural data, and more.
Strengthened consumer rights: Access rights now cover inferences, and companies can no longer disclose certain high-risk identifiers in responses.
Profiling rules: Opt-out rights now apply to all automated decisions with legal or significant effects, not just “solely” automated ones. Profiling of minors faces stricter limits, and impact assessments are required.
Data minimization updates: Data collection must be both necessary and proportionate to stated purposes, with new consent rules for sensitive data sales.
Stronger protections for minors: Ban on targeted ads and data sales to minors, plus restrictions on features that prolong use.
New transparency rules: Privacy notices must disclose profiling, LLM training, and targeted ad practices, be accessible, and highlight material changes.

What to do now: Organizations should begin reviewing data governance, especially around profiling, sensitive data, and consumer rights processes.

‍

Other Privacy News of Note

US Federal Court Filing System Breached in Sweeping Hack, Politico Reports

The U.S. federal judiciary's electronic case filing system has been compromised in a sweeping hack that is believed to have exposed sensitive court data in several states, Politico reported, citing two people with knowledge of the incident. Politico said the incident had affected the judiciary’s federal case management system, which includes the Case Management/Electronic Case Files, or CM/ECF, which legal professionals use to upload and manage case documents; and Public Access to Court Electronic Records, or PACER, which provides the public with pay-for access to some of the same data. Read more.

As Privacy Policy Heats Up, Lawmakers Should Heed Gen Z’s Preferences

We are in the midst of an ambitious legislative moment for data privacy regulation. But as lawmakers debate legal frameworks that will shape the future of online interactions, one question remains underexplored: what should privacy regulators learn from the habits and preferences of younger generations? Read more.