Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Data Privacy

Connecticut's CDPA Took Effect Last Tuesday: Financial Account Data Is Now Sensitive Data, the Threshold Dropped to 35,000, and There's No 60-Day Grace Period

Connecticut's expanded CDPA took effect July 1, 2026. It lowered the applicability threshold from 100,000 to 35,000 consumers, reclassified financial account information as sensitive data requiring consent before processing or sale, eliminated the guaranteed 60-day cure period, and stripped the entity-level GLBA exemption from fintechs and nonbank lenders. Here's what changed and what your program needs to address this week.

By Rebecca Leung · July 8, 2026 ·
Table of Contents

Eight days ago, your GLBA entity-level exemption stopped covering your Connecticut customers.

Most fintechs haven’t caught up.

The amendments to Connecticut’s Data Privacy Act (CTDPA) that took effect July 1, 2026 don’t make a small adjustment at the margins — they reclassify the core data asset of most fintech businesses as sensitive data requiring affirmative consent, cut the applicability threshold nearly in half, add two threshold triggers that have no volume requirement at all, and remove the guaranteed cure period that compliance teams relied on to absorb mistakes before enforcement attached.

Earlier coverage in May and June flagged this change as incoming — Connecticut and Montana narrowed GLBA exemptions and what that means for sensitive data addressed the trajectory across multiple states, and Minnesota’s MCDPA compliance breakdown walked through what that enforcement posture looks like in practice. Connecticut was always next on the list. It’s now live.

Here’s what specifically changed on July 1 and what your program needs to address this week.

TL;DR

  • Connecticut’s CDPA amendments took effect July 1, 2026, eliminating the entity-level GLBA exemption for fintechs and nonbank lenders — banks and credit unions retain their exemption
  • The applicability threshold dropped from 100,000 to 35,000 Connecticut consumers — and two new triggers (any sensitive data processing, any data sale) have no volume threshold at all
  • Financial account information is now classified as sensitive data, requiring affirmative consent before processing and prohibiting sale without consent
  • The guaranteed 60-day cure period was eliminated — the AG now has discretion to bring enforcement immediately
  • Profiling and automated decision-making impact assessments become required starting August 1, 2026 — three weeks away

The Structural Change: GLBA No Longer Covers Nonbanks

The most consequential change isn’t a specific new requirement — it’s the loss of the blanket protection that let nonbank financial institutions ignore Connecticut’s privacy law entirely.

Under the original CTDPA, any business subject to GLBA could claim an entity-level exemption. If you operated under GLBA’s Safeguards Rule and Reg P framework — even partially, through a bank partnership — Connecticut left you alone. That was a clean, simple exemption that many fintechs relied on without ever mapping exactly which of their data activities it covered.

As of July 1, 2026, the entity-level exemption exists only for:

  • State or federally chartered banks and credit unions
  • Affiliates of those banks and credit unions that are principally engaged in financial activities

Every other GLBA-covered entity — fintechs, nonbank mortgage companies, auto lenders, payment processors, money transmitters, credit counselors, payday lenders, buy now pay later providers — no longer qualifies.

The data-level exemption survives. Personal data processed specifically in connection with a GLBA-covered financial product or service (loan applications, account transactions, payment processing) remains exempt from the CTDPA. But any personal data outside that narrow definition — website behavioral analytics, mobile app usage data, customer service chat logs, marketing engagement data, loyalty program activity — is now subject to Connecticut’s requirements.

For a company whose core product is a financial service, that might sound like most of your data stays GLBA-exempt. Test that assumption carefully. Every email list, every ad pixel, every customer service transcript, every app analytics feed — those don’t originate from a financial product transaction. They’re now in scope.

Connecticut is now the fifth state with this position. California (CCPA/CPRA), Minnesota (effective July 31, 2025), Montana (effective October 1, 2025), and Oregon (effective January 1, 2026) all apply only data-level GLBA exemptions. If your fintech serves customers across multiple states, you’re now managing five separate state privacy compliance programs with overlapping but non-identical requirements.

The Threshold Shift: More Fintechs Are Now Covered

The original CTDPA applied to businesses that controlled or processed personal data for at least 100,000 Connecticut consumers in the preceding calendar year. The July 2026 amendments dropped that threshold to 35,000 consumers.

That change alone brings a significant slice of mid-market fintechs into scope that were previously exempt by volume. If you serve Connecticut customers and didn’t previously track whether you cleared 100,000, you need to run that number now — because the threshold is no longer 100,000.

But the more important change is the two new coverage triggers that carry no volume threshold at all:

Sensitive data trigger: Any entity that controls or processes sensitive data from any number of Connecticut consumers is covered by the CTDPA — zero volume requirement. If you process financial account information (see below) for one Connecticut customer, you’re covered.

Data sale trigger: Any entity that offers Connecticut consumers’ personal data for sale in trade or commerce is covered — regardless of how many consumers are involved.

The practical effect for most fintechs: once financial account information was added to the sensitive data definition, the 35,000-consumer threshold became functionally irrelevant. If you have Connecticut customers and you’re a fintech, you almost certainly process financial account information for some of them. That’s the trigger.

The Operational Earthquake: Financial Account Data Is Now Sensitive Data

This is the change with the most direct operational impact on fintechs.

The amended CTDPA’s sensitive data definition now includes financial account information and government-issued identification numbers, alongside existing categories like health data, biometric data, and precise geolocation.

What “financial account information” covers for a fintech:

  • Routing numbers and account numbers
  • Credit and debit card numbers
  • Account balances
  • Transaction histories and payment records
  • Any information from which account access credentials could be derived

For most fintechs, that’s the core data asset. Every payment transaction, every account aggregation, every linked bank account — that data is now sensitive data under Connecticut law for Connecticut residents.

Three compliance implications follow immediately:

Processing requires a lawful basis tied to specific consent. The CTDPA requires that sensitive data processing be based on affirmative consent and be reasonably necessary in relation to the purpose for which the data is processed. A general privacy policy disclosure that covers everything doesn’t satisfy the sensitive data consent standard. You need a specific, granular consent mechanism tied to the identified processing purpose.

Selling sensitive data is prohibited without consent. The July amendments added an express prohibition: sensitive data cannot be sold without the consumer’s affirmative consent. If your business model involves any form of data monetization — data licensing, data partnerships, aggregated analytics products that derive from individual account data — the consent requirement isn’t a checkbox. It’s a condition precedent to the revenue stream.

Data minimization applies with greater scrutiny. The CTDPA already required collecting only what is “reasonably necessary and proportionate to the disclosed purpose.” When financial account information is sensitive data, regulators and courts will scrutinize whether the data collected is actually necessary for each purpose, not just whether it could be useful someday.

Other New Sensitive Data Categories

Two additions beyond financial account information are worth noting:

Neural data — information generated by or derived from neurological monitoring or brain-computer interfaces — is now sensitive data in Connecticut. Most fintechs don’t encounter this today, but as behavioral biometrics, wearable finance tools, and physiological monitoring advance, this category will become relevant. If your product includes any neurological or physiological input beyond standard behavioral analytics, review this.

Nonbinary and transgender status is now sensitive data. For any fintech that captures gender identity beyond binary options, or that uses demographic profiling that could reveal gender identity, this creates additional consent and processing requirements.

No More 60-Day Grace Period

The original CTDPA gave businesses a statutory right: if the AG notified a business of a violation, the business had 60 days to cure before enforcement could proceed. Companies built their Connecticut compliance strategy around this safety net — knowing that a gap could be remediated before penalties attached.

That guaranteed period is gone.

The July 2026 amendments give the AG discretion to offer a cure opportunity but remove the statutory obligation to do so. The factors likely to drive immediate enforcement (no cure window):

  • Willful or intentional violations
  • Violations involving consumer harm
  • Repeat violations of the same provision
  • Violations of the sensitive data consent requirement

Civil penalties: up to $5,000 per willful violation, $2,500 per non-willful violation. The per-consumer framing matters — each affected consumer can constitute a separate violation. At $2,500 per non-willful violation across thousands of Connecticut customers, the enforcement math is significant.

Profiling and ADM Impact Assessments: Clock Starts August 1

Three weeks from today, a separate new requirement activates: a dedicated impact assessment for profiling and automated decision-making that makes legally significant decisions about consumers.

This is distinct from the CTDPA’s existing data protection assessment requirement. The new profiling impact assessment applies specifically to ADM processing activities “created or generated” on or after August 1, 2026. Existing processes already deployed before August 1 are not retroactively covered — but any new model deployment, material model update, or expanded use case launched from August 1 onward needs a completed impact assessment before it goes live.

What the assessment must document:

  • The purpose and intended use of the profiling
  • The potential benefits and foreseeable risks to consumer rights
  • How those risks will be mitigated
  • Whether profiling is used for legally significant decisions about consumers

For fintechs using credit scoring models, fraud risk models, AI-driven underwriting, or customer segmentation for Connecticut residents — this is a live operational requirement, not a future compliance consideration. If you’re launching any new ADM capability after July 31, build the impact assessment process into your pre-launch checklist now.

The Five-State Reality

Connecticut is the fifth state with narrow or no GLBA entity-level exemption for nonbanks:

StateEffective DateWho Gets the Entity-Level ExemptionThreshold
California (CCPA/CPRA)ExistingBanks and credit unions only100,000 consumers OR 50% gross revenue from data sale
Minnesota (MCDPA)July 31, 2025State/federal banks and credit unions only100,000 consumers OR 25,000 + 25% revenue from sale
Montana (MCDPA)October 1, 2025Banks and credit unions only25,000 consumers OR 15,000 + 25% revenue from sale
Oregon (OCPA)January 1, 2026Oregon Bank Act institutions only100,000 consumers OR 25,000 + 25% revenue from sale
Connecticut (CTDPA)July 1, 2026State/federal banks and credit unions only35,000 consumers OR any sensitive data processing OR any data sale

Running five separate state privacy programs — each with its own consumer rights schedule, sensitive data definitions, consent requirements, and enforcement regime — has become the compliance baseline for any fintech operating nationally. A single multi-state architecture (data inventory by state, consent flows by jurisdiction, DSAR routing by state) is no longer optional infrastructure.

State privacy law enforcement trends through 2026 shows how AG enforcement in California and Texas is developing — and how the Connecticut AG’s model is likely to follow. GLBA Reg P baseline requirements remain the federal floor that every multi-state fintech operates on top of.

So What? What Your Program Needs This Week

Audit your Connecticut data footprint. Map every category of personal data you process for Connecticut consumers. Flag anything that qualifies as sensitive data under the amended CTDPA — financial account information, health data, biometric data, government IDs, neural data. Determine which of that data falls within GLBA’s data-level exemption (connected to a GLBA financial product transaction) and which does not.

Review consent mechanisms. If you process financial account information for Connecticut consumers — and if you’re a fintech, you almost certainly do — your existing privacy disclosures need to support a sensitive data consent standard. A catch-all privacy notice is not sufficient. You need specific, purpose-tied consent tied to each sensitive data processing activity.

Audit data monetization. If your business model includes any data sale, licensing, or sharing arrangement, have counsel review whether the data involved includes sensitive data from Connecticut consumers. The prohibition on selling sensitive data without consent is categorical and applies regardless of aggregation or pseudonymization.

Build the ADM impact assessment workflow by July 31. Identify any new or modified automated decision-making process scheduled for deployment after July 31 that could affect Connecticut residents. Build a lightweight impact assessment template now so you can complete one before each new ADM launch.

Remove the 60-day cure assumption from your enforcement protocols. Update your incident and self-assessment protocols to treat Connecticut violations as requiring immediate response — not managed cure timelines.

The Data Privacy Compliance Kit includes the data inventory template, consent flow framework, DSAR response workflow, and state-by-state requirements comparison that form the operational foundation for this kind of multi-state compliance build. Running this assessment proactively — before an inquiry arrives — is materially different from building it in response to enforcement.


Sources: Foley & Lardner — Connecticut Dramatically Expands Its Data Privacy Act, Wiley Law — Major Changes to Connecticut’s Consumer Privacy Law Will Take Effect July 1, 2026, OneTrust — Connecticut’s 2026 Privacy Law Amendments, Orrick — Where Is the GLBA Entity-Level Exemption?, Benesch Law — Connecticut Broadens Data Privacy Act Requirements

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

Does Connecticut's CDPA apply to my fintech if we're already subject to GLBA?
Yes — as of July 1, 2026, Connecticut's CDPA removed the entity-level GLBA exemption for non-depository financial institutions. If your fintech is subject to GLBA but is not a state or federally chartered bank or credit union (or its affiliates), you are now subject to Connecticut CDPA requirements for any personal data you process that falls outside the strict scope of GLBA coverage — including website analytics, app behavior, customer service records, and marketing data collected outside a specific GLBA financial product or service. The data-level exemption survives: personal data processed specifically in connection with a GLBA-covered financial product (account data, loan data, payment data) remains exempt. Everything else is now in scope.
What counts as 'sensitive data' under the amended Connecticut CDPA, and why does this matter for fintechs?
As of July 1, 2026, sensitive data under the CTDPA includes racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, nonbinary or transgender status, immigration or citizenship status, national origin, biometric data processed for identification, genetic data, neural data, precise geolocation data, personal data of a known minor, financial account information, and government-issued identification numbers. Financial account information — routing numbers, account numbers, credit and debit card numbers, account balances, transaction histories — is at the core of most fintech business models. Processing any of this now requires affirmative consent, and selling it requires consent regardless of how it is aggregated or anonymized.
What does the elimination of the guaranteed 60-day cure period actually mean for enforcement risk?
Under the original CTDPA, any business receiving a notice of violation had a statutory right to a 60-day cure window before the Attorney General could bring an enforcement action. That guaranteed period is now gone. The AG has discretion — not an obligation — to allow cure. Factors likely to drive immediate enforcement without cure include willful or intentional violations, repeat violations of the same provision, consumer harm, and violations of the sensitive data consent requirement. Civil penalties of up to $5,000 per willful violation and $2,500 per non-willful violation apply. Each consumer affected can constitute a separate violation.
When does the profiling and automated decision-making impact assessment requirement take effect?
August 1, 2026 — three weeks from the date of this post. The new Connecticut CDPA requirement for a dedicated impact assessment for profiling and automated decision-making applies to processing activities created or generated on or after August 1. Existing ADM processes already deployed before August 1 are not retroactively covered, but any new model deployment, material model update, or expanded use case launched from August 1 onward requires a completed impact assessment before deployment. For fintechs using credit scoring, fraud risk models, customer segmentation, or algorithmic underwriting for Connecticut residents, this is an operational compliance requirement, not just a documentation exercise.
How does the Connecticut CDPA's youth data expansion affect financial services companies?
The July 2026 amendments expanded Connecticut's youth protections to cover consumers aged 13 to 17. Targeted advertising and data sales are categorically prohibited for this age group — regardless of consent — when the company has actual knowledge or willfully disregards that the consumer is in this age range. For fintech products with significant youth adoption (student loan platforms, teen savings accounts, student banking apps), this creates a hard prohibition on behavioral advertising and a data-sale bar that cannot be waived by consent. An easily bypassable age-gate mechanism creates the same liability as no age gate at all.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Data Privacy Compliance Kit

Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.