The Data Privacy Compliance Wake-Up Call for Small and Mid-Sized Law Firms in CT

(This article was written in collaboration with Noah Block, J.D. Candidate, Quinnipiac University School of Law, ’26)

Small and mid-sized law firms haven’t thought much about compliance with the Connecticut Data Privacy Act (CTDPA) because they have been able to take refuge in the relatively small size of their practices.  But size no longer matters.  As of July 1, 2026, any Connecticut business that collects even one piece of “sensitive” data is subject to CTDPA requirements, the most basic of which is a privacy notice.  This article focuses on the privacy notice requirement, not full CTDPA compliance.

Firms that have a privacy notice often treat it like an office plant — something inherited or borrowed from another firm or company, set in place, and ignored.  Having a non-compliant privacy notice is essentially the same as having none at all.  And it presents an easy target for enforcement.

Background

The CTDPA went into effect in 2023. It has been substantively amended twice, in 2023 and again in 2025, with the 2025 amendment set to become effective this July. The most recent amendment expands obligations around transparency, consumer rights, and, critically, the handling of sensitive data. Most other businesses fall within the law only if they meet specific data-processing thresholds; law firms are uniquely exposed because they routinely handle sensitive personal information, which brings them squarely within the statute’s scope regardless of size.

Sensitive Data

Any entity processing sensitive data must comply with the CTDPA, regardless of the volume of consumers, unless the entity is exempt.  Sensitive data includes[i]:

  • Government-issued ID numbers (e.g., SSNs, driver’s license numbers, passport numbers)
  • Financial account numbers or login information that can be used to access an account
  • Citizenship or immigration status
  • Mental or physical health condition, diagnosis, disability, or treatment
  • Consumer health data
  • Race or ethnicity
  • Religious beliefs
  • Sexual information (sex life, sexual orientation, nonbinary or transgender status)
  • Genetic or biometric data used to uniquely identify an individual
  • Personal data of a known child
  • Victim status
  • Neural data
  • Precise geolocation data [ii]

Entity Exemptions

Exempt entities include governmental bodies (and their contractors), nonprofit organizations, higher education institutions, HIPAA-regulated entities, and certain others.  Importantly, an exemption tied to a specific client relationship applies only to data associated with that relationship.  For example, a firm acting as a business associate of a healthcare covered entity is exempt only with respect to that work; it remains subject to the CTDPA for other work, such as trusts and estates matters for other clients.

If your firm is not exempt and collects sensitive data, it must comply with the CTDPA as of July 1, 2026, including maintaining a compliant, public-facing privacy notice that explains how it collects, uses, shares, and protects personal data.

Creating a CTDPA-Compliant Privacy Notice

  1. Start with your operations, not a template

The first step is understanding what data your firm collects, where it is stored, and how it is used.  Law firms often retain more data than necessary, which increases both risk and compliance obligations.  The CTDPA requires transparency around collection, use, and sharing, including whether you sell data (broadly defined), use it for AI/Large Language Models (LLMs), or engage in profiling.

  2. Mandatory content to include[iii]

At a minimum, your privacy notice must describe:

  • Categories of personal data processed
  • Purpose(s) for processing
  • Whether data is sold and how consumers can opt out
  • Use of data for AI/LLM or profiling, and related consumer rights
  • The month and year the notice was last updated

  3. Make it easy to find and use

Your notice should be clearly accessible (typically via a conspicuous “Privacy” link on your homepage) and available in the languages and formats you use with clients.  If you make a material retroactive change, you must notify affected consumers and give them a reasonable opportunity to withdraw consent.

  4. Handle sensitive data with care

As discussed above, Connecticut defines “sensitive data” broadly.  If you collect it, you need consent, and the privacy notice must disclose the collection, its purpose, and any sale of that data.

  5. Explain consumer rights clearly

Consumers have rights to access, correct, and opt out of certain uses of their data, including profiling and the sale of their data.  Your notice should clearly explain how to exercise these rights.

  6. Keep it practical

  • Use plain language and concrete examples tied to your services.
  • Put a short, easy-to-read summary up front.
  • Log the month/year of each update and keep copies of old notices.

Using ChatGPT and Auto‑generated Notices

AI can help brainstorm phrasing, but don’t let it draft your final notice.  LLMs often produce generic, overbroad, or inaccurate text and can omit mandatory, operation‑specific disclosures.  Further, a properly drafted privacy notice must be tailored to your firm’s actual use of data.

The Bottom Line

Connecticut’s CTDPA now demands accuracy, specificity, and accessibility. For small firms, that means mapping your real data practices, updating notices to reflect LLM training, profiling, and sensitive data handling, placing the notice where consumers will actually see it, and documenting updates. This is new territory for many firms, and it may be worth seeking guidance to ensure your privacy notice is compliant and aligned with your actual data practices.

[i]  Conn. Gen. Stat. § 42-515(39).

[ii]  See SB 4, §12 (https://www.cga.ct.gov/asp/cgabillstatus/cgabillstatus.asp?selBillType=Bill&which_year=2026&bill_num=4).

[iii]  Conn. Gen. Stat. § 42-520(b).