Connecticut’s New Data Privacy & AI Rules


What HR Teams Should Do Before July 1 

The Connecticut Data Privacy Act’s (CTDPA’s) amendments are set to take effect on July 1, 2026. Many more Connecticut businesses will be covered and face new obligations around artificial intelligence, profiling, and consumer privacy notices. Even though the CTDPA does not regulate employee data, HR is on the front lines of putting compliance into practice.

Why HR Should Care About a Consumer Privacy Law

The CTDPA protects “consumers,” Connecticut residents acting in an individual or household capacity. It excludes employees and job applicants acting in those capacities. Only California treats employee data as in-scope under its consumer privacy law.

So why is this an HR issue? Because HR usually owns the systems that turn legal requirements into daily workforce practice by way of the employee handbook, acceptable use policies, training programs, vendor onboarding, and incident response. If your business is covered, HR will likely help operationalize the rules, even when the data in question belongs to customers, not staff.

Is Your Business Covered?

The amended CTDPA reaches for-profit businesses that meet any one of three thresholds:

  • Control or process the personal data of 35,000 or more Connecticut consumers in a calendar year;
  • Control or process the sensitive data of even one Connecticut resident; or
  • Sell or exchange personal data for money or other valuable consideration.

The amended sensitive-data threshold will catch most businesses by surprise. Sensitive data now includes government-issued IDs, payment and/or online account login information, precise geolocation, health information, race or ethnicity, sex life/orientation/nonbinary/transgender status, immigration status, biometric data, criminal history, neural data, and data of children under 13. A single Connecticut customer is enough to bring the business in.

What HR Will Help Operationalize

Update the employee handbook and policies. Covered businesses need clear policies on how the company collects, uses, stores, shares, and deletes consumer personal data. Acceptable use policies should address AI tools and automated decision-making technology, and should expressly prohibit feeding consumer personal data into public large language models (LLMs) without authorization.

Train your workforce. Every employee who touches consumer data (e.g., sales, marketing, customer service, IT, finance) needs training on the new rules. HR usually designs and delivers that training.

Coordinate vendor diligence. Under the CTDPA, the business is responsible for how its vendors handle consumer personal data. Every vendor that processes consumer data must have a written data processing agreement. The agreement must restrict the vendor’s use of the data, prohibit using it to train AI or machine-learning models without permission, and require prompt breach notification. Connecticut Attorney General William Tong has publicly stated that AI training is covered. HR teams that procure benefits, payroll, recruiting, and learning platforms will need to coordinate with legal on these agreements.

Prepare for new privacy notice disclosures. Public-facing privacy notices must now disclose more about how the business uses personal data, including whether it feeds personal data into LLMs or other AI systems.

Help identify profiling and automated decision-making. If the business uses profiling or automated decision-making that produces a “legal or similarly significant effect” on a consumer (e.g., tech-driven assessments used to grant or deny services like credit, lending, insurance, housing, education, or fraud detection), it must document an impact assessment. These obligations apply to profiling activity created on or after August 1, 2026. Consumer-facing AI tools often live across departments. HR can help identify them.

A Word on Enforcement

Most CTDPA enforcement to date has followed data breaches. According to the Office of the Attorney General’s 2025 Enforcement Report, one settlement reached last year required a $105,000 payment to the state plus injunctive relief. Penalties for non-compliance can climb quickly.

What to Do Now

July 1 is approaching. Covered businesses should:

  • Confirm whether the lowered thresholds bring the business in scope;
  • Convene a privacy team that includes HR, IT, legal, marketing, and operations;
  • Map where consumer personal data lives and how it flows to vendors and AI tools;
  • Update the public-facing privacy notice, the employee handbook, and acceptable use policies; and
  • Build training that reaches everyone who handles consumer data.

HR will not own every piece of CTDPA compliance. But without HR’s help, much of it will not get done.

 

Authors:

Sherwin M. Yoder, CIPP/US, CIPP/E, CIPM, is a partner at Carmody Torrance Sandak & Hennessey LLP where he leads the firm’s Technology & Data Privacy practice.

Brice K. Ashford is an associate at Carmody Torrance Sandak & Hennessey LLP in the firm’s Technology & Data Privacy practice.


