TLDR
- Three U.S. state privacy laws took effect on July 1, 2026.
- Connecticut's CTDPA now covers businesses that process data of just 35,000 residents (down from 100,000)
- Arkansas banned targeted advertising tracking for anyone under 16
- Utah gave residents the right to correct inaccurate data held by businesses
- For any website collecting personal data from U.S. visitors, these changes require an immediate review of your consent framework, privacy notice, and data processing practices
Connecticut: Major Scope Expansion and New Consumer Rights
The Connecticut Data Privacy Act (CTDPA) is the biggest story of this legislative wave.
As of July 1, 2026, amendments to the law nearly triple the number of businesses subject to it and introduce consumer rights that go well beyond what most other U.S. state laws require.

Lower Applicability Thresholds
Previously, the CTDPA applied to businesses that processed personal data of at least 100,000 Connecticut residents. That threshold dropped to 35,000 residents as of July 1.
More significantly, two new "no-threshold" triggers exist:
- Any business that sells personal data (even a single Connecticut resident's record) is now covered.
- Any business that processes sensitive data from Connecticut residents is covered, regardless of volume.
That second trigger has wide reach because the definition of sensitive data just expanded.
Expanded Definition of Sensitive Data
The CTDPA's definition of sensitive data now includes:
- Mental or physical disability status or treatment information
- Transgender or nonbinary status
- Neural data
- Financial account information
- Government-issued identification numbers (driver's licenses, SSNs, passports)
- Inferences derived from biometric and genetic data
If your website or app processes any of these data types for Connecticut residents, you are now inside the CTDPA's scope.
Processing sensitive data also requires explicit consumer consent and must be "reasonably necessary" to the stated purpose. The amendments expressly prohibit the sale of sensitive data without consumer consent.
New Consumer Rights
Connecticut residents gained several new rights under the July 2026 amendments:
- Third-party disclosure list: Consumers can request a list of every third party that received their personal data.
- Inference access: Consumers can access inferences drawn about them from their personal data.
- Profiling transparency: Consumers can request information on automated profiling decisions, the rationale behind them, and the data used, and in certain housing-related contexts, require a rerun of the analysis after correcting inaccurate data.
- Opt-out expansion: The right to opt out now covers any covered automated profiling decision, not only decisions that are solely automated.
Ad tech platforms, data brokers, and businesses that build consumer profiles will need new disclosure infrastructure to respond to these requests.
LLM Training Disclosure
One requirement stands out for any business using AI tools. Connecticut now requires privacy notices to disclose whether the business uses personal data to train large language models or sells that data for that purpose. As AI data pipelines become standard infrastructure, this catches businesses that haven't examined where their user data flows.
No Cure Period
Here is the detail that changes the enforcement calculus entirely: Connecticut's cure period expired in December 2024. Most state privacy laws give companies 30 to 60 days to fix violations before formal enforcement begins.
Connecticut removed that buffer 18 months ago. A business newly pulled into scope by the July 1 threshold change faces immediate enforcement risk if it is not compliant from day one.
Looking further ahead, Governor Ned Lamont signed SB 4 on May 27, 2026, which adds a ban on selling precise geolocation data, new requirements for facial recognition technology, and a redefined scope for publicly available information.
Those provisions take effect October 1, 2026.
Arkansas: A Hard Ban on Kids' Ad Tracking
Arkansas's Children and Teens' Online Privacy Protection Act took effect July 1 and goes further than any comparable U.S. law on the topic of minors and targeted advertising.
For children under 13 and teens aged 13 through 16, the law imposes a flat prohibition on collecting personal data for targeted advertising. There is no consent exception, no opt-in path, and no parental workaround. The ban is unconditional.
The law applies to operators "directed at" minors or with "actual knowledge" that they collect from that age group, the same trigger standard used in COPPA. That means federal precedent on what constitutes "actual knowledge" applies directly here.
For compliance purposes, this extends to third-party pixels and tracking scripts. If your platform has actual knowledge it reaches under-16 users, behavioral tracking for targeting — including tracking pixels, click-tracking redirects, and any mechanism routing minor engagement data into an ad platform - must be removed from those campaigns.
The Arkansas Attorney General enforces the law at $10,000 per violation.
There is no private right of action and no cure period.

Utah: The Right to Correct Inaccurate Data
Utah's HB 418 filled a notable gap in the Utah Consumer Privacy Act: residents previously had rights to access, delete, and opt out of data sales, but no right to correct inaccurate records.
From July 1, businesses have 45 days to comply with correction requests from Utah residents. That window starts on the date of the request. For businesses managing customer data across CRMs, marketing databases, and third-party processors, a formal correction workflow now needs to exist.
Utah also enacted the Digital Choice Act alongside HB 418, which requires social media platforms to allow Utah users to transfer their data to competing platforms in real time and support interoperability. Third-party content such as comments requires the commenter's consent before inclusion in any transfer.

What These Changes Mean for Your Website
These three laws add to a patchwork that now includes more than 20 states with comprehensive consumer privacy laws. For website owners, the practical implications cluster around four areas:
1. Your privacy notice is probably out of date. Connecticut's amendments require new disclosures on LLM training, updated sensitive data categories, and details on new consumer rights (third-party lists, inferences, profiling rationale). If your privacy notice hasn't been updated since before July 2026, it doesn't meet Connecticut's current requirements.
2. Your consent layer needs to reflect expanded sensitive data. If your site processes any of the newly added sensitive data categories (financial account information, disability data, government IDs) you need explicit, purpose-specific consent in place before that processing happens.
3. Cookie and tracking consent becomes more consequential. The Arkansas law makes it clear that behavioral tracking for ad targeting must be blocked for known under-16 users. This requires your consent management platform to enforce those restrictions at the cookie and pixel level, not just on paper.
4. Your data subject request workflow needs to cover new rights. Connecticut residents can now ask for inference data and third-party recipient lists. Utah residents can submit correction requests with a 45-day response deadline. Your intake and response processes need to handle these.
How to Get Compliant
Here is a practical checklist based on the July 2026 changes:
Connecticut CTDPA
- Re-run your applicability analysis. If you process data for 35,000+ Connecticut residents, sell any personal data, or process sensitive data from any Connecticut resident, you are in scope.
- Audit your sensitive data inventory against the expanded definition.
- Update your privacy notice to include the LLM training disclosure, expanded sensitive data categories, and new consumer rights.
- Review consent collection for sensitive data — consent must be obtained and processing must be reasonably necessary.
- Update data subject request processes to handle third-party lists, inference access, and profiling information requests.
Arkansas
- Inventory your email and ad tech stack for any platforms with actual knowledge of under-16 users.
- Remove behavioral tracking from any campaigns or tools reaching that audience.
- Audit third-party pixel and click-tracking deployments.
Utah
- Build a correction request workflow with a 45-day response window.
- Coordinate with downstream processors to propagate corrections.
Consentmo makes this process significantly simpler. The app handles cookie consent, privacy notice management, and data subject request workflows. As laws like Connecticut's keep raising the bar, having a single compliance layer across your Shopify store or website means you spend less time chasing amendments and more time running your business.


_converted.avif)
