Feature Data Privacy
Connecticut's CDPA Took Effect Last Tuesday: Financial Account Data Is Now Sensitive Data, the Threshold Dropped to 35,000, and There's No 60-Day Grace Period
Connecticut's expanded CDPA took effect July 1, 2026. It lowered the applicability threshold from 100,000 to 35,000 consumers, reclassified financial account information as sensitive data requiring consent before processing or sale, eliminated the guaranteed 60-day cure period, and stripped the entity-level GLBA exemption from fintechs and nonbank lenders. Here's what changed and what your program needs to address this week.
Table of Contents
Eight days ago, your GLBA entity-level exemption stopped covering your Connecticut customers.
Most fintechs haven’t caught up.
The amendments to Connecticut’s Data Privacy Act (CTDPA) that took effect July 1, 2026 don’t make a small adjustment at the margins — they reclassify the core data asset of most fintech businesses as sensitive data requiring affirmative consent, cut the applicability threshold nearly in half, add two threshold triggers that have no volume requirement at all, and remove the guaranteed cure period that compliance teams relied on to absorb mistakes before enforcement attached.
Earlier coverage in May and June flagged this change as incoming — Connecticut and Montana narrowed GLBA exemptions and what that means for sensitive data addressed the trajectory across multiple states, and Minnesota’s MCDPA compliance breakdown walked through what that enforcement posture looks like in practice. Connecticut was always next on the list. It’s now live.
Here’s what specifically changed on July 1 and what your program needs to address this week.
TL;DR
- Connecticut’s CDPA amendments took effect July 1, 2026, eliminating the entity-level GLBA exemption for fintechs and nonbank lenders — banks and credit unions retain their exemption
- The applicability threshold dropped from 100,000 to 35,000 Connecticut consumers — and two new triggers (any sensitive data processing, any data sale) have no volume threshold at all
- Financial account information is now classified as sensitive data, requiring affirmative consent before processing and prohibiting sale without consent
- The guaranteed 60-day cure period was eliminated — the AG now has discretion to bring enforcement immediately
- Profiling and automated decision-making impact assessments become required starting August 1, 2026 — three weeks away
The Structural Change: GLBA No Longer Covers Nonbanks
The most consequential change isn’t a specific new requirement — it’s the loss of the blanket protection that let nonbank financial institutions ignore Connecticut’s privacy law entirely.
Under the original CTDPA, any business subject to GLBA could claim an entity-level exemption. If you operated under GLBA’s Safeguards Rule and Reg P framework — even partially, through a bank partnership — Connecticut left you alone. That was a clean, simple exemption that many fintechs relied on without ever mapping exactly which of their data activities it covered.
As of July 1, 2026, the entity-level exemption exists only for:
- State or federally chartered banks and credit unions
- Affiliates of those banks and credit unions that are principally engaged in financial activities
Every other GLBA-covered entity — fintechs, nonbank mortgage companies, auto lenders, payment processors, money transmitters, credit counselors, payday lenders, buy now pay later providers — no longer qualifies.
The data-level exemption survives. Personal data processed specifically in connection with a GLBA-covered financial product or service (loan applications, account transactions, payment processing) remains exempt from the CTDPA. But any personal data outside that narrow definition — website behavioral analytics, mobile app usage data, customer service chat logs, marketing engagement data, loyalty program activity — is now subject to Connecticut’s requirements.
For a company whose core product is a financial service, that might sound like most of your data stays GLBA-exempt. Test that assumption carefully. Every email list, every ad pixel, every customer service transcript, every app analytics feed — those don’t originate from a financial product transaction. They’re now in scope.
Connecticut is now the fifth state with this position. California (CCPA/CPRA), Minnesota (effective July 31, 2025), Montana (effective October 1, 2025), and Oregon (effective January 1, 2026) all apply only data-level GLBA exemptions. If your fintech serves customers across multiple states, you’re now managing five separate state privacy compliance programs with overlapping but non-identical requirements.
The Threshold Shift: More Fintechs Are Now Covered
The original CTDPA applied to businesses that controlled or processed personal data for at least 100,000 Connecticut consumers in the preceding calendar year. The July 2026 amendments dropped that threshold to 35,000 consumers.
That change alone brings a significant slice of mid-market fintechs into scope that were previously exempt by volume. If you serve Connecticut customers and didn’t previously track whether you cleared 100,000, you need to run that number now — because the threshold is no longer 100,000.
But the more important change is the two new coverage triggers that carry no volume threshold at all:
Sensitive data trigger: Any entity that controls or processes sensitive data from any number of Connecticut consumers is covered by the CTDPA — zero volume requirement. If you process financial account information (see below) for one Connecticut customer, you’re covered.
Data sale trigger: Any entity that offers Connecticut consumers’ personal data for sale in trade or commerce is covered — regardless of how many consumers are involved.
The practical effect for most fintechs: once financial account information was added to the sensitive data definition, the 35,000-consumer threshold became functionally irrelevant. If you have Connecticut customers and you’re a fintech, you almost certainly process financial account information for some of them. That’s the trigger.
The Operational Earthquake: Financial Account Data Is Now Sensitive Data
This is the change with the most direct operational impact on fintechs.
The amended CTDPA’s sensitive data definition now includes financial account information and government-issued identification numbers, alongside existing categories like health data, biometric data, and precise geolocation.
What “financial account information” covers for a fintech:
- Routing numbers and account numbers
- Credit and debit card numbers
- Account balances
- Transaction histories and payment records
- Any information from which account access credentials could be derived
For most fintechs, that’s the core data asset. Every payment transaction, every account aggregation, every linked bank account — that data is now sensitive data under Connecticut law for Connecticut residents.
Three compliance implications follow immediately:
Processing requires a lawful basis tied to specific consent. The CTDPA requires that sensitive data processing be based on affirmative consent and be reasonably necessary in relation to the purpose for which the data is processed. A general privacy policy disclosure that covers everything doesn’t satisfy the sensitive data consent standard. You need a specific, granular consent mechanism tied to the identified processing purpose.
Selling sensitive data is prohibited without consent. The July amendments added an express prohibition: sensitive data cannot be sold without the consumer’s affirmative consent. If your business model involves any form of data monetization — data licensing, data partnerships, aggregated analytics products that derive from individual account data — the consent requirement isn’t a checkbox. It’s a condition precedent to the revenue stream.
Data minimization applies with greater scrutiny. The CTDPA already required collecting only what is “reasonably necessary and proportionate to the disclosed purpose.” When financial account information is sensitive data, regulators and courts will scrutinize whether the data collected is actually necessary for each purpose, not just whether it could be useful someday.
Other New Sensitive Data Categories
Two additions beyond financial account information are worth noting:
Neural data — information generated by or derived from neurological monitoring or brain-computer interfaces — is now sensitive data in Connecticut. Most fintechs don’t encounter this today, but as behavioral biometrics, wearable finance tools, and physiological monitoring advance, this category will become relevant. If your product includes any neurological or physiological input beyond standard behavioral analytics, review this.
Nonbinary and transgender status is now sensitive data. For any fintech that captures gender identity beyond binary options, or that uses demographic profiling that could reveal gender identity, this creates additional consent and processing requirements.
No More 60-Day Grace Period
The original CTDPA gave businesses a statutory right: if the AG notified a business of a violation, the business had 60 days to cure before enforcement could proceed. Companies built their Connecticut compliance strategy around this safety net — knowing that a gap could be remediated before penalties attached.
That guaranteed period is gone.
The July 2026 amendments give the AG discretion to offer a cure opportunity but remove the statutory obligation to do so. The factors likely to drive immediate enforcement (no cure window):
- Willful or intentional violations
- Violations involving consumer harm
- Repeat violations of the same provision
- Violations of the sensitive data consent requirement
Civil penalties: up to $5,000 per willful violation, $2,500 per non-willful violation. The per-consumer framing matters — each affected consumer can constitute a separate violation. At $2,500 per non-willful violation across thousands of Connecticut customers, the enforcement math is significant.
Profiling and ADM Impact Assessments: Clock Starts August 1
Three weeks from today, a separate new requirement activates: a dedicated impact assessment for profiling and automated decision-making that makes legally significant decisions about consumers.
This is distinct from the CTDPA’s existing data protection assessment requirement. The new profiling impact assessment applies specifically to ADM processing activities “created or generated” on or after August 1, 2026. Existing processes already deployed before August 1 are not retroactively covered — but any new model deployment, material model update, or expanded use case launched from August 1 onward needs a completed impact assessment before it goes live.
What the assessment must document:
- The purpose and intended use of the profiling
- The potential benefits and foreseeable risks to consumer rights
- How those risks will be mitigated
- Whether profiling is used for legally significant decisions about consumers
For fintechs using credit scoring models, fraud risk models, AI-driven underwriting, or customer segmentation for Connecticut residents — this is a live operational requirement, not a future compliance consideration. If you’re launching any new ADM capability after July 31, build the impact assessment process into your pre-launch checklist now.
The Five-State Reality
Connecticut is the fifth state with narrow or no GLBA entity-level exemption for nonbanks:
| State | Effective Date | Who Gets the Entity-Level Exemption | Threshold |
|---|---|---|---|
| California (CCPA/CPRA) | Existing | Banks and credit unions only | 100,000 consumers OR 50% gross revenue from data sale |
| Minnesota (MCDPA) | July 31, 2025 | State/federal banks and credit unions only | 100,000 consumers OR 25,000 + 25% revenue from sale |
| Montana (MCDPA) | October 1, 2025 | Banks and credit unions only | 25,000 consumers OR 15,000 + 25% revenue from sale |
| Oregon (OCPA) | January 1, 2026 | Oregon Bank Act institutions only | 100,000 consumers OR 25,000 + 25% revenue from sale |
| Connecticut (CTDPA) | July 1, 2026 | State/federal banks and credit unions only | 35,000 consumers OR any sensitive data processing OR any data sale |
Running five separate state privacy programs — each with its own consumer rights schedule, sensitive data definitions, consent requirements, and enforcement regime — has become the compliance baseline for any fintech operating nationally. A single multi-state architecture (data inventory by state, consent flows by jurisdiction, DSAR routing by state) is no longer optional infrastructure.
State privacy law enforcement trends through 2026 shows how AG enforcement in California and Texas is developing — and how the Connecticut AG’s model is likely to follow. GLBA Reg P baseline requirements remain the federal floor that every multi-state fintech operates on top of.
So What? What Your Program Needs This Week
Audit your Connecticut data footprint. Map every category of personal data you process for Connecticut consumers. Flag anything that qualifies as sensitive data under the amended CTDPA — financial account information, health data, biometric data, government IDs, neural data. Determine which of that data falls within GLBA’s data-level exemption (connected to a GLBA financial product transaction) and which does not.
Review consent mechanisms. If you process financial account information for Connecticut consumers — and if you’re a fintech, you almost certainly do — your existing privacy disclosures need to support a sensitive data consent standard. A catch-all privacy notice is not sufficient. You need specific, purpose-tied consent tied to each sensitive data processing activity.
Audit data monetization. If your business model includes any data sale, licensing, or sharing arrangement, have counsel review whether the data involved includes sensitive data from Connecticut consumers. The prohibition on selling sensitive data without consent is categorical and applies regardless of aggregation or pseudonymization.
Build the ADM impact assessment workflow by July 31. Identify any new or modified automated decision-making process scheduled for deployment after July 31 that could affect Connecticut residents. Build a lightweight impact assessment template now so you can complete one before each new ADM launch.
Remove the 60-day cure assumption from your enforcement protocols. Update your incident and self-assessment protocols to treat Connecticut violations as requiring immediate response — not managed cure timelines.
The Data Privacy Compliance Kit includes the data inventory template, consent flow framework, DSAR response workflow, and state-by-state requirements comparison that form the operational foundation for this kind of multi-state compliance build. Running this assessment proactively — before an inquiry arrives — is materially different from building it in response to enforcement.
Sources: Foley & Lardner — Connecticut Dramatically Expands Its Data Privacy Act, Wiley Law — Major Changes to Connecticut’s Consumer Privacy Law Will Take Effect July 1, 2026, OneTrust — Connecticut’s 2026 Privacy Law Amendments, Orrick — Where Is the GLBA Entity-Level Exemption?, Benesch Law — Connecticut Broadens Data Privacy Act Requirements
◆ Related template
Data Privacy Compliance Kit
Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
Does Connecticut's CDPA apply to my fintech if we're already subject to GLBA?
What counts as 'sensitive data' under the amended Connecticut CDPA, and why does this matter for fintechs?
What does the elimination of the guaranteed 60-day cure period actually mean for enforcement risk?
When does the profiling and automated decision-making impact assessment requirement take effect?
How does the Connecticut CDPA's youth data expansion affect financial services companies?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Data Privacy Compliance Kit
Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.
◆ Keep reading
Related posts.
Data Privacy
Biometric Data in Financial Services: The BIPA Exemption Isn't as Broad as Your Vendors Think
Financial institutions have a GLBA-based exemption from Illinois' Biometric Information Privacy Act — but courts are actively splitting on whether that exemption extends to your KYC and identity verification vendors. Two unsettled circuit questions, $100M+ in recent settlements, and what your vendor contracts need to say before the 7th Circuit decides.
Jul 5, 2026
Data Privacy
Minnesota's MCDPA Has Been Enforcing Since January — Your GLBA Exemption Doesn't Cover What You Think It Does
Minnesota's Consumer Data Privacy Act uses a data-level GLBA exemption, not an entity-level one. Non-bank fintechs have been exposed since January 31, 2026 — with no notice-to-cure period and $7,500-per-violation penalties.
Jul 2, 2026
Data Privacy
FTC Health Breach Notification Rule: What Non-HIPAA Health Data Holders Must Report and When
The FTC's 2024 amendments to the Health Breach Notification Rule dramatically expanded coverage to health apps, wellness platforms, and connected devices — with enforcement actions totaling $9+ million. Here's what every fintech and non-HIPAA health data holder needs to know.
Jun 30, 2026