The mid-year compliance deadline that privacy teams have circled for months has arrived. On July 1, 2026, three state privacy laws take effect: Connecticut’s substantial amendments to its Data Privacy Act under SB 1295, Arkansas’s Children and Teens’ Online Privacy Protection Act (HB 1717), and Utah’s amendments to the Utah Consumer Privacy Act under HB 418. Each carries its own operational demands, but one provision stands apart as genuinely novel in American privacy law: Connecticut now requires controllers to tell consumers whether their personal data is being used to train large language models.

That single sentence in a privacy notice will force many companies to answer a question they have never formally asked themselves: do we actually know which of our data flows feed AI training pipelines? This article walks through what each of the three laws requires, why the Connecticut amendments reach far more companies than the original CTDPA did, and what compliance teams should verify now that the effective date has arrived.

Connecticut SB 1295: The CTDPA Grows Teeth and Scope

Connecticut’s Data Privacy Act has been in force since July 2023, but the amendments effective July 1, 2026 change both who is covered and what coverage means. Three shifts matter most.

The Threshold Drops from 100,000 to 35,000 Consumers

The original CTDPA applied to businesses that controlled or processed the personal data of at least 100,000 Connecticut consumers annually. SB 1295 cuts that threshold to 35,000 consumers — pulling a large tranche of mid-size businesses, regional retailers, and niche digital services into scope for the first time.

More significantly, the amendments make volume irrelevant for two categories of activity. A business is now subject to the CTDPA regardless of how many consumers’ data it processes if it either:

  • processes sensitive data (other than for limited payment-transaction purposes), or
  • sells personal data.

This mirrors the structure Texas pioneered — scope keyed to conduct rather than scale — and it means a small analytics startup handling health-adjacent data, or a modest publisher selling audience segments, can no longer assume it is too small for Connecticut to reach.

Sensitive Data Now Includes Neural Data, Government IDs, and Financial Account Information

SB 1295 expands the CTDPA’s sensitive-data categories to include:

  • Government-issued identifiers (driver’s license numbers, passport numbers, and similar);
  • Financial account information;
  • Social Security numbers;
  • Neural data; and
  • certain biometric and genetic data beyond the original definitions.

The inclusion of neural data puts Connecticut alongside Colorado and California in extending sensitive-data treatment to information generated by brain-computer interfaces, neurotech wearables, and similar devices — a category we examined in our earlier compliance guide for brain-computer interfaces. Under the amended CTDPA, sensitive data cannot be sold without the consumer’s consent, and processing it requires opt-in consent in the first place. For companies that treated government IDs and bank account numbers as merely “confidential” rather than “sensitive” under state privacy law, the classification change cascades through consent flows, data protection assessments, and vendor contracts.

The LLM-Training Disclosure

The headline provision: controllers must now disclose in their privacy notices whether they collect, use, or sell personal data for the purpose of training large language models.

This is the first state-law disclosure obligation in the United States aimed squarely at the AI training supply chain, and its operational weight is heavier than its length suggests. To make the disclosure truthfully, a controller must know:

  1. Whether its own products train or fine-tune models on consumer data. That includes not just flagship AI features but support-ticket summarizers, chat assistants, and personalization models built on customer content.
  2. Whether its vendors do. If a SaaS provider’s terms permit it to use customer data to improve its models, and that data includes your consumers’ personal data, your disclosure analysis has to account for it.
  3. Whether it sells or licenses data into training datasets. Data licensing deals with AI developers — an increasingly common revenue line for publishers and data holders — are precisely what this provision is designed to surface.

The practical work is a data inventory extension: adding “AI/LLM training” as a processing purpose in your records of processing, interrogating vendor agreements for model-improvement clauses, and then writing a disclosure that is accurate today and maintainable tomorrow. A boilerplate “we may use data to improve our services” no longer answers the question Connecticut is asking. And because the statement sits in a public privacy notice, an inaccurate answer is not just a CTDPA violation — it is potential deception-theory material for the FTC and any state AG.

SB 1295 also expands the consumer’s opt-out right for profiling beyond decisions produced solely by automated processing, adds transparency obligations around automated decision-making, and layers in new protections for minors’ data — continuing the trajectory we tracked when the amendments were moving through the legislature in the March 2026 state privacy wave.

Arkansas HB 1717: A Children’s Privacy Law, Not a Comprehensive One

Arkansas’s contribution to the July 1 deadline is narrower than some early commentary suggested. HB 1717, the Children and Teens’ Online Privacy Protection Act, is not a comprehensive consumer privacy statute. It is a minors-focused law in the mold of an expanded COPPA, and it applies to for-profit operators of websites, apps, and online services that are directed at minors or that collect personal data from minors.

Its core requirements:

  • Two-tiered consent. For children 12 and under, verifiable parental consent is required before collecting personal data. For teens 13 to 16, consent may come from either the teen or a parent — a structure closer to the state comprehensive laws’ treatment of adolescent data than to classic COPPA.
  • A flat ban on targeted advertising to minors. Targeted advertising based on a minor’s personal data is prohibited — not opt-in, not consent-gated. Prohibited.
  • Data minimization. Collection and retention of minors’ data are restricted to what is reasonably necessary for the service provided.

Enforcement sits exclusively with the Arkansas Attorney General; there is no private right of action. That will limit litigation exposure, but AG-only enforcement has not meant dormant enforcement elsewhere — Texas’s experience under its minors-focused laws demonstrates that a motivated AG office can make a state statute nationally relevant.

For companies that already built age-assurance and minors’ advertising controls for Texas, Florida, and the wave of state age-appropriate design and app-store laws, Arkansas is largely an exercise in extending existing controls to another jurisdiction. For companies that have been betting those laws would all be enjoined, the bet keeps getting more expensive: HB 1717’s consent and advertising provisions are the kind of data-privacy rules that have generally fared better in court than content-moderation and access-restriction mandates.

Utah HB 418: Correction Rights and Social Media Portability

Utah’s original Consumer Privacy Act was the most business-friendly of the early state laws — notably, it omitted a right to correct. HB 418 closes that gap as of July 1, 2026:

  • Right to correct. Utah consumers can now require controllers to correct inaccurate personal data, bringing the UCPA in line with every other comprehensive state law and eliminating the last major carve-out companies relied on to skip building correction workflows for Utah residents.
  • Social media data portability and interoperability. Social media platforms face new obligations to give users the ability to port their data — and, more ambitiously, to support interoperability in how that data can be moved and used across services.

The portability and interoperability provisions are the ones to watch. Data portability as a consumer right has existed since GDPR, but Utah’s framing pushes toward functional interoperability between platforms — a concept that overlaps as much with competition policy as with privacy. Platforms in scope should be assessing what “porting” means at a technical level: export formats, API availability, authentication for transfer requests, and how to honor a transfer without creating a new data-breach vector in the process.

The 2026 Landscape: Twenty Laws, One Baseline, Growing Divergence

July 1 is a milestone inside a larger trend. Twenty states now have comprehensive privacy laws in effect in 2026, with Indiana, Kentucky, and Rhode Island having come online in January. The compliance baseline — notice, purpose limitation, access/deletion/portability rights, opt-outs for sale and targeted advertising, universal opt-out signal recognition — has genuinely converged.

What has not converged is the growing layer of state-specific innovations sitting on top of that baseline, and Connecticut’s LLM-training disclosure is the clearest example yet. Companies that built a “highest common denominator” program in 2023–2024 are discovering that the denominators keep moving: neural data in three states, AI-training disclosures in one (so far), minors’ advertising bans in several, and — as we covered when the CPPA’s Audits Division opened its first CCPA compliance audits — regulators who increasingly verify programs rather than take them on faith.

What to Verify Now

The effective date has passed, so this is a verification checklist, not a planning one.

If you touch Connecticut consumers

  • Re-run the applicability analysis against the 35,000-consumer threshold and the volume-independent triggers (sensitive-data processing; any sale of personal data).
  • Re-map sensitive data against the expanded categories — government IDs, financial account information, SSNs, neural data — and confirm opt-in consent flows and DPAs cover them.
  • Publish the LLM-training disclosure, backed by an actual inventory of internal training uses, vendor model-improvement clauses, and any data-licensing arrangements with AI developers.
  • Confirm sensitive data is not being sold without consent, including via adtech flows that qualify as “sales.”
  • Extend profiling opt-outs and ADM transparency to the amended scope.

If you serve minors and reach Arkansas

  • Classify your services — directed at minors, or knowingly collecting from them?
  • Implement the two-tier consent flow (parental for 12 and under; teen-or-parent for 13–16).
  • Kill targeted advertising to minors in scope — verify your ad stack can suppress it, not just your policy saying it does.
  • Document data minimization for minors’ data collection and retention.

If you have Utah users

  • Stand up the correction workflow — intake, identity verification, propagation to processors.
  • For social platforms: scope the portability and interoperability requirements against your export tooling and API surface now, before demand letters define it for you.

Conclusion

None of the three July 1 laws is, on its own, a program-breaking event for a mature privacy operation. Connecticut’s amendments are the most demanding, but the mechanics — threshold analysis, sensitive-data mapping, consent gating — are familiar work.

The LLM-training disclosure is different in kind. It is the first time a US privacy statute has forced companies to make a public, specific, verifiable statement about their participation in the AI training economy. Answering it honestly requires data governance that most organizations have not yet built: a live inventory of where consumer data meets model training, inside the company and across its vendor stack. Connecticut will not be the last state to ask. Companies that treat July 1, 2026 as the prompt to build that inventory — rather than the deadline to write a vague sentence — will be ready when the question spreads.

This article is provided for informational purposes only and does not constitute legal advice.