While much of the national attention has focused on the wave of state-level AI legislation introduced in 2025, Connecticut has quietly enacted a significant AI-related amendment to its existing consumer privacy framework. On June 25, 2025, Governor Lamont signed Public Act No. 25-113 into law, amending the Connecticut Data Privacy Act (“CTDPA”) to include a new, mandatory disclosure requirement for businesses that use personal data to train artificial intelligence (“AI”) systems, specifically large language models (“LLMs”).
This amendment has garnered relatively little attention compared to headline-grabbing AI bills in California, Colorado, and New York. Yet it is broadly applicable to a large swath of companies operating nationally and should not be ignored.
New Disclosure Requirement for AI Training
Effective July 1, 2026, controllers subject to the CTDPA[1] must update their consumer-facing privacy notices to include a clear and conspicuous statement disclosing whether they collect, use, or sell personal data for the purpose of training LLMs. The disclosure must be “reasonably accessible, clear and meaningful,” and kept current.
This requirement applies regardless of whether the data is used internally or sold to third parties for model training and. Importantly, also applies to vendors acting on the controller’s behalf.
Compliance Considerations
To meet this obligation and more generally as key steps of the organization’s AI governance program, controllers should:
- Audit data processing activities to determine whether personal data is used in LLM training, directly or via vendors. Importantly, this disclosure is not limited to high-risk AI systems or automated decision-making contexts. It applies broadly to any use of personal data in training LLMs, regardless of the downstream application. And given that the law does not define LLMs, organizations should take a conservative approach in determining what AI systems fall within this requirement.
- Coordinate with legal and technical teams to ensure disclosures are accurate and reflect actual practices.
- Review and revise privacy notices ahead of the July 1, 2026 deadline.
Connecticut’s approach integrating AI-specific obligations into its broader consumer privacy framework may serve as a model for other jurisdictions. For businesses, this means that AI-related compliance must be addressed as part of a unified privacy governance strategy.
[1] The CTDPA applies to entities that (1) control or process the personal data of at least 35,000 consumers, (2) control or process consumers’ sensitive data (excluding personal data controlled or processed solely for completing a payment transaction), or (3) offer consumers’ personal data for sale.
[View source.]
