Connecticut’s Privacy Law Clearly Applies to All Dealerships – July 1, 2026 Deadline

The 2025 amendments to the Connecticut Data Privacy Act (“CTDPA”) eliminate the primary exemption pursuant to the federal Gramm-Leach-Bliley Act (“GLBA”) that could have applied to dealers, removing any ambiguity about the law’s reach. Every dealership operating in Connecticut must now be in compliance with the CTDPA by July 1, 2026.

Background: The Connecticut Data Privacy Act

Connecticut enacted the CTDPA in May 2022, becoming one of the first states to adopt a comprehensive consumer privacy law. From the outset, however, questions arose about the extent to which the CTDPA applied to dealerships. Two features of the original law combined to create ambiguity. First, the CTDPA included an entity-level exemption for any “financial institution” subject to the GLBA. Second, the original law only applied to businesses that processed the personal data of at least 100,000 Connecticut consumers annually, a threshold that most individual dealerships would likely not reach.

The result was confusion about whether the CTDPA applied to dealers. That is no longer unclear.

The 2025 Amendments: Closing the Door on Ambiguity

On June 24, 2025, Governor Ned Lamont signed Senate Bill 1295, enacting significant amendments to the CTDPA. The amendments address, directly and specifically, the concerns that the Connecticut Attorney General had highlighted in enforcement reports in both 2024 and 2025 — including a specific concern that dealerships and similar non-bank financial institutions were using the GLBA exemption to avoid applicability under the state privacy law, a result the legislature had never intended.

SB 1295 makes two principal changes that take effect on July 1, 2026.

Change One: The GLBA Entity-Level Exemption Is Gone

The most significant change for dealerships is the elimination of the broad entity-level GLBA exemption. Under the original CTDPA, a dealership’s status as a “financial institution” subject to the GLBA arguably placed the entire organization outside the statute’s reach, even if only a portion of the dealership’s activities were subject to the GLBA. Under the amended law, the exemption no longer applies to the organization as a whole. Most of the personal data a dealership collects and processes, including marketing data, service records, website interactions, and vehicle ownership histories, is now fully subject to the CTDPA, and thus the dealership must comply with the CTDPA.

The new entity-level exemptions that replaced the GLBA blanket exemption are narrow and institution-specific: they cover banks, credit unions, insurers, certain health carriers, and registered broker-dealers and investment advisers. Dealerships do not fall within any of these categories. The Connecticut Attorney General was explicit on this point, and the legislature acted in response to the AG’s recommendations.

Change Two: The Size Threshold Is Dramatically Lower — and May Be Irrelevant

Even setting aside the GLBA issue, the original CTDPA’s 100,000-consumer threshold provided a practical shield for most dealerships. Few individual dealerships process the personal data of 100,000 Connecticut consumers in a given year. SB 1295 changes this in two important ways.

  1. First, the general processing threshold is reduced from 100,000 consumers to 35,000 consumers. The average dealer is likely to maintain at least 35,000 consumers’ data.
  2. Second, the amendment removes the numerical threshold entirely for businesses that process sensitive data, or businesses that sell personal data “in trade or commerce.” Under the amended law, if a dealership processes the sensitive personal data, or offers for sale the personal data, of even a single Connecticut consumer, the CTDPA applies, without regard to the size of the dealership or the total number of consumers whose data it holds.

Sensitive data under the CTDPA includes a broad range of categories that are commonplace in dealership operations:

  •  Precise geolocation data (collected by connected vehicles, service loaner tracking systems, or location-based marketing tools)
  •  Financial account numbers and government-issued identification numbers (collected in connection with finance applications and title transactions)
  •  Health or disability information (which may arise in accommodation requests or employment contexts)
  •  Biometric data (increasingly relevant as dealerships adopt biometric timekeeping or identity verification)

The practical effect is straightforward: any Connecticut dealership that collects any of this sensitive information about any Connecticut resident — which virtually every dealership will — is now subject to the CTDPA regardless of its size or the volume of data it otherwise processes. The size of the dealership is no longer a relevant consideration.

On the sale aspect, SB 1295 expands the CTDPA to any business that “offers” personal data for sale in trade or commerce, regardless of whether the business actually sells personal data. This, combined with the CTDPA’s broad definition of “sale” as an exchange of personal data for monetary or other valuable consideration, means that the updated law does not require a dealer to receive money or other benefits from sales of personal data for the CTDPA to apply.

What Connecticut Dealerships Must Do by July 1, 2026

The compliance obligations under the CTDPA are substantial. Dealerships subject to the law must:

  •  Post a privacy notice that clearly describes the categories of personal data collected, the purposes for which it is processed, how consumers may exercise their rights, and whether personal data is sold or shared for targeted advertising.
  •  Develop a process to honor consumer rights requests, including the right to access, correct, delete, and obtain a portable copy of their personal data, and the right to opt out of targeted advertising, profiling, and the sale of personal data, within 45 days, with one permitted 45-day extension.
  •  Obtain consumer consent before processing sensitive personal data for any purpose beyond what is disclosed and reasonably necessary.
  •  Enter into data processing agreements with all third-party vendors that process consumer personal data on the dealership’s behalf.
  •  Implement and maintain reasonable data security safeguards appropriate to the volume and sensitivity of data processed.
  •  Honor universal opt-out signals, which Connecticut has required since January 2025.

Penalties for willful violations of the CTDPA can reach $5,000 per violation, with additional exposure for restitution and injunctive relief under the Connecticut Unfair Trade Practices Act. Enforcement authority rests exclusively with the Connecticut Attorney General, whose office has been active and has explicitly identified dealerships as a compliance concern.

The Bottom Line

The question of whether Connecticut’s privacy law applies to dealerships has been answered. The 2025 amendments to the CTDPA were drafted with dealerships specifically in mind, and every dealership operating in Connecticut, regardless of size, should proceed on the assumption that the CTDPA applies to it and that compliance is required by July 1, 2026. The time to conduct a data inventory, review vendor agreements, prepare a privacy notice, and build a consumer rights response program is now.

ComplyAuto can help. We work with more than 10,000 dealerships nationwide on an array of privacy issues. We can help you comply with the CTDPA and get you onboarded and ready to go very quickly. The time to act is now. Contact ComplyAuto today and see how we can help you navigate these complicated waters before July 1.
