Connecticut’s amended Data Privacy Act took effect today, and if your business collects personal data from Connecticut residents and uses it to train AI models, you are now legally required to say so. Explicitly. In your privacy policy.
This is not a hypothetical future regulation. It is in force as of July 1, 2026.
What the Law Actually Requires
Public Act No. 25-113, signed by Governor Lamont on June 25, 2025, amended the Connecticut Data Privacy Act (CTDPA) to include a mandatory disclosure requirement that goes further than anything seen at the state level in the US.
Controllers subject to the CTDPA must now include in their consumer-facing privacy notices a clear and conspicuous statement disclosing whether they collect, use, or sell personal data for the purpose of training large language models.
The disclosure must be “reasonably accessible, clear and meaningful” and kept current. This is not a one-time update. If your AI practices change, your privacy notice must change with them.
Several requirements are easy to misread, so worth spelling out clearly:
The disclosure applies regardless of how the data is used. Whether your company is training models internally, fine-tuning a third-party model with customer data, or selling data to an AI vendor, all of it is covered.
The requirement also applies to vendors acting on the controller’s behalf. If your technology partner is the one doing the model training, you are still responsible for the disclosure.
Organizations must affirmatively state whether they do or do not train LLMs on personal data. This means companies that do not use customer data for AI training also have to say so. Silence is not an option.
Who Is Affected
The CTDPA applies to businesses that process personal data from Connecticut residents above a certain volume. The 2026 amendments also lowered the applicability threshold from 100,000 consumers to 35,000, which significantly expands the range of smaller businesses now subject to the law.
If your business targets Connecticut residents or processes their data at any meaningful scale, you are likely covered.
The Enforcement Picture
The Connecticut Attorney General enforces the CTDPA with fines up to $5,000 per violation. The 2025 amendments eliminated the 60-day cure period that previously allowed companies to fix problems before facing penalties. Connecticut joins California, Colorado, Oregon, and Maryland in removing that buffer.
This matters. Previously, if the AG found a violation, companies had two months to course-correct. That window is gone. The AG can now move directly to enforcement action. For businesses that have not yet updated their privacy policies, the risk is no longer theoretical.
The Part Nobody Has Defined
The law requires disclosure regarding training of “large language models” but does not define what qualifies as a large language model. Legal counsel reviewing the amendment consistently recommends a conservative approach: if you are using personal data to train any AI system that could plausibly be described as an LLM, treat the disclosure requirement as applying.
This includes:
- Fine-tuning or retrieval augmentation using customer emails, chat logs, or behavioral data
- Sending customer data to third-party AI vendors for model improvement
- Building internal chatbots or assistants trained on company data that includes personal information
When in doubt, disclose.
What This Means for Business
Connecticut is the first state in the US to require companies to explicitly disclose whether they use personal data to train AI systems. But it will not be the last.
The state-by-state patchwork of AI regulation that many businesses have tried to navigate case by case is consolidating around a few common themes: transparency, consent, and accountability for automated decision-making. The CTDPA amendment adds data training practices to that list.
For businesses already subject to California’s CCPA, Colorado’s CPA, or Virginia’s CDPA, adding a Connecticut-specific disclosure is an incremental compliance task. For smaller companies newly pulled into scope by the lowered 35,000-consumer threshold, this may be their first substantive interaction with state-level AI regulation.
Three immediate steps apply regardless of company size:
First, audit your AI practices. Identify every context in which personal data from customers, employees, or users flows into an AI training process. This includes vendor contracts where the AI vendor may be training models on your data as part of the service terms.
Second, update your privacy policy. Add a disclosure section that directly addresses LLM training. Make it clear and unambiguous. If you do not use personal data for LLM training, say so explicitly.
Third, review vendor agreements. Determine whether any vendors are training on data you provide them, and whether your agreements adequately address disclosure and consent.
The Bigger Picture
Connecticut’s CTDPA amendment signals a shift that enterprise leaders should track closely. Until now, AI governance conversations inside companies have centered on what AI produces: biased outputs, hallucinated information, discriminatory hiring recommendations. This law focuses on what AI consumes: personal data.
As AI systems become more deeply embedded in products and operations, the data they were trained on becomes a compliance question in itself. The question is no longer just “does our AI behave appropriately?” but “were we allowed to train it on this data in the first place?”
Businesses building AI systems or deploying AI tools that learn from customer data need to treat data lineage and consent as core engineering and legal concerns, not afterthoughts.
For teams looking to get ahead of this, Enterprise DNA’s advisory work helps organizations build AI systems with governance baked in from the start, not retrofitted after a regulator comes knocking. The goal is to build AI that works and that the people whose data it touches can trust.