Connecticut Forces Every Store to Declare LLM Training by July 1
Connecticut’s CTDPA amendment takes effect July 1, 2026 and requires every covered business to explicitly disclose whether it collects, uses, or sells personal data to train large language models. The threshold drops from 100,000 to 35,000 consumers, pulling thousands of mid-sized WooCommerce stores into scope for the first time. Businesses must affirmatively state yes or no — “I don’t know” is no longer compliant. Connecticut is the first US state to mandate this disclosure.
Contents
- What Changed in the CTDPA Amendment
- The Threshold Drop That Pulls In Mid-Sized Stores
- The LLM Training Disclosure Requirement
- Your WooCommerce AI Tools Are the Problem
- Enforcement Is Already Real
- How to Audit Your Data Flow Before July 1
- The Server-Side Advantage for Disclosure Compliance
- Key Takeaways
- FAQ
What Changed in the CTDPA Amendment
Connecticut rewrote its privacy law scope and added the country’s first mandatory LLM training disclosure.
Governor Lamont signed Public Act No. 25-113 on June 25, 2025, amending the Connecticut Data Privacy Act with changes effective July 1, 2026. This isn’t a minor tweak — it’s a fundamental expansion of who must comply and what they must disclose. The amendment lowers applicability thresholds, adds two entirely new triggers for coverage, expands the definition of sensitive data, bans targeted advertising to minors aged 13 to 17, and introduces mandatory LLM training disclosure in privacy notices.
For WooCommerce store owners, the practical impact lands in two places. First, the lower threshold means your store may now fall under the law when it didn’t before. Second, if you’re using any AI-powered tools that touch customer data — and most stores are — you need to declare that in your privacy policy before July 1.
Connecticut is the first state to integrate AI-specific obligations into an existing consumer privacy framework, rather than passing standalone AI legislation. Other states have introduced separate AI bills. Connecticut embedded its requirements directly into the CTDPA, which means enforcement mechanisms already exist and the AG’s office is already staffed to act.
The Threshold Drop That Pulls In Mid-Sized Stores
The consumer count threshold fell nearly two-thirds, and two new triggers have no volume floor at all.
The original CTDPA applied to businesses processing personal data of 100,000 or more Connecticut consumers, or 25,000 consumers when more than 25% of revenue came from selling personal data. The amendment slashes the primary threshold to 35,000 consumers and adds two triggers with zero volume requirements.
Here’s what the three applicability triggers look like after July 1, 2026:
| Trigger | Before July 1, 2026 | After July 1, 2026 |
|---|---|---|
| Consumer volume | 100,000 consumers | 35,000 consumers |
| Sensitive data processing | Not a standalone trigger | Any volume (no threshold) |
| Personal data sales | 25,000 consumers + 25% revenue | Any volume (no threshold) |
Connecticut’s CTDPA threshold drops from 100,000 to 35,000 consumers on July 1, 2026, and adds two new no-volume triggers for sensitive data processing and personal data sales.
Translation: if your WooCommerce store processes any sensitive data from Connecticut residents (and collecting payment information, health data, or precise geolocation each counts as such processing), you’re in scope regardless of how many customers you have. Every website that collects personal data from visitors is effectively counting toward the 35,000 threshold, because the law counts consumers, not paying customers. A visitor who lands on your site and has a cookie set is a consumer under the CTDPA.
As TrueVault noted, considering that virtually every commercial website collects personal data from each visitor, that 35,000 number adds up fast. A WooCommerce store with moderate US traffic can easily hit that mark in a single quarter.
The LLM Training Disclosure Requirement
Connecticut now requires a binary yes-or-no statement about LLM training in every covered business’s privacy notice.
This is the requirement that makes Connecticut unique among all US states. Starting July 1, 2026, privacy notices must include a clear and conspicuous statement disclosing whether the controller collects, uses, or sells personal data for the purpose of training large language models.
The critical word is “whether.” This isn’t a disclosure you only add if you’re training models. Every covered business must state affirmatively that it does or does not use personal data for LLM training. Silence isn’t compliant. “We may use data for various purposes” isn’t compliant. The disclosure must be specific and binary.
The LLM training disclosure is binary and affirmative — every covered business must state whether it does or does not use personal data for LLM training, regardless of whether it actually does.
Here’s the twist: the CTDPA doesn’t define “large language model.” Bryan Cave Leighton Paisner’s analysis recommends that organizations take a conservative approach in determining what AI systems fall within this requirement. Does Klaviyo’s predictive analytics qualify? Does a ChatGPT-powered chatbot widget that processes customer questions qualify? Does sending customer data to an email platform that uses AI segmentation qualify? The safe answer is to treat any AI system that ingests customer data as potentially in scope.
The practical problem for WooCommerce store owners is that most don’t know where their customer data actually goes. Data flows from WooCommerce through plugins, through email platforms, through analytics tools, through ad pixels — and each of those third parties may feed data into AI systems the store owner never approved.
Your WooCommerce AI Tools Are the Problem
Most WooCommerce stores already route customer data through AI systems and don’t realize it.
A typical WooCommerce store in 2026 runs several tools that use AI or machine learning on customer data. Each one creates a potential LLM training disclosure obligation under the CTDPA. Let’s walk through the most common ones.
Klaviyo is the most widely used email and SMS platform among WooCommerce stores, with over 15,000 merchants on the integration. Klaviyo’s 2026 product roadmap includes AI-powered features: predictive analytics, AI segmentation, AI-powered recommendations, and a Customer Agent that uses machine learning to handle support conversations. Customer purchase history, browsing behavior, and engagement data all flow into these AI systems.
ChatGPT-powered support widgets have proliferated across WooCommerce stores. Tools like Tidio, Gorgias with AI, and custom chatbot integrations route customer questions — which often contain personal details like order numbers, addresses, and product preferences — through LLM APIs. If the AI provider uses that data for model improvement, your store is involved in LLM training whether you intended it or not.
AI recommendation engines — including Rebuy, Product Recommendations by WooCommerce, and third-party personalization plugins — process purchase history and browsing data to generate suggestions. The machine learning models behind these recommendations may qualify as LLMs under a conservative reading of the statute.
Even Google Analytics 4 uses machine learning on your customer data. GA4’s modeled conversions, predictive audiences, and behavioral modeling all depend on feeding visitor data into Google’s algorithms. Whether Google’s processing qualifies as “training” is ambiguous, but the conservative position is to disclose it.
WooCommerce stores running Klaviyo AI, ChatGPT-powered support widgets, or AI recommendation engines likely route customer data through LLM-adjacent systems without knowing it.
Enforcement Is Already Real
Connecticut isn’t waiting — enforcement actions, settlements, and active investigations are already underway.
The CTDPA’s cure period expired on January 1, 2025. That means the Attorney General’s office no longer needs to give businesses a 60-day window to fix violations before pursuing penalties. And the AG has made clear it intends to use that authority.
By the end of 2025, the AG’s office had issued over two dozen cure notices, finalized multiple data breach settlements, and resolved its first enforcement action under the CTDPA. The TicketNetwork settlement — $85,000 for deficient privacy notices — set the precedent. Attorney General William Tong stated directly that there is “no excuse for continued non-compliance” and that his office is “prepared to use the full weight of our enforcement authority.”
The numbers from the 2025 Enforcement Report paint a picture of active oversight: over 1,830 data breach notifications were reviewed. In 63 of those cases, warning letters were issued for late notification. Omni Healthcare paid $105,000 for waiting fourteen months to report a breach. Fresenius Medical Care Holdings settled for $116,000. WebTPA Employer Services paid $200,000.
The AG’s 2026 report also disclosed active investigations into chatbot safety, particularly for platforms used by minors. This signals that AI-related data practices — exactly the kind the LLM training disclosure targets — are already on the enforcement radar.
How to Audit Your Data Flow Before July 1
A five-step process to determine what your privacy notice needs to say about LLM training.
Step one: inventory every third-party tool that touches customer data. This means every plugin, every SaaS integration, every API connection. If you’re a typical WooCommerce store, that list includes your email platform, your analytics stack, your payment processor, your chatbot, your review system, your recommendation engine, and your ad pixels. Write them all down.
Step two: check each vendor’s data processing agreement and privacy policy. Specifically, look for language about machine learning, model training, AI improvement, or data use for product development. Klaviyo’s terms, for instance, describe how customer data powers AI features. Google’s privacy policy covers how data feeds machine learning. If the vendor’s terms mention any form of AI training, flag it.
Step three: map which tools process data from Connecticut residents. If you sell nationwide or accept website visitors from all US states, the answer is probably all of them. Don’t assume a small Connecticut customer base means you’re exempt — remember the 35,000 consumer threshold counts visitors, not just buyers.
Step four: draft your disclosure statement. It needs to appear in your privacy notice as a clear and conspicuous statement. Nixon Peabody recommends coordinating with legal and technical teams to ensure disclosures are accurate and reflect actual practices. A template statement might read: “We use third-party tools that process customer data using artificial intelligence, including large language models, for purposes including [personalized recommendations / customer support / email segmentation]. We do not directly sell personal data for the purpose of training large language models.”
Step five: update your privacy notice link placement. The CTDPA amendment also requires the privacy notice link to be displayed as a conspicuous hyperlink that includes the word “privacy” on your homepage. The notice must also be available in each language you use in your business and be accessible to individuals with disabilities.
The Server-Side Advantage for Disclosure Compliance
First-party server-side data architecture makes the LLM disclosure answerable because you can see where data actually goes.
The core challenge of the CTDPA’s LLM disclosure isn’t writing a privacy policy sentence. It’s answering the underlying question with confidence: does customer data from my store flow into any system that trains large language models?
When your WooCommerce store relies on client-side pixels — Meta Pixel, Google tag, Klaviyo’s JavaScript — data leaves the browser and goes directly to third-party servers. You don’t control that transmission. You can’t audit it. You can’t say with certainty what happens to the data after it leaves. Every pixel fires a payload of customer data to an endpoint you don’t own, and each vendor’s data processing practices may change without notice.
Server-side first-party architecture inverts that model. Events fire from your server, through your infrastructure, to destinations you choose. Every data point that leaves your system passes through a pipeline you control. You can log it. You can audit it. You can prove exactly which vendors receive customer data, what data they receive, and whether any of those vendors use data for AI training.
Server-side first-party data architecture gives store owners an auditable record of exactly where customer data flows, making the CTDPA disclosure answerable with evidence instead of guesswork.
This matters for the CTDPA because the disclosure must reflect actual practices. A store that can’t trace its data flows is guessing at compliance. A store with server-side event capture and a controlled outbound pipeline can point to its architecture and say exactly where data goes — and where it doesn’t. Transmute Engine™ routes WooCommerce events through a first-party pipeline to BigQuery and selected ad platforms, creating the audit trail that makes LLM training disclosure a question you can answer with data rather than hope.
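One way to picture the controlled outbound pipeline and audit trail described in this section, tied back to the vendor inventory from the audit steps. This is an added example, not code from the article or from any product it names; the destination names, field names, `ai_flag` values and the personal-field classification are all hypothetical, and `send` is a stub standing in for a real HTTP call.

```python
import hashlib, json, time
from collections import defaultdict

# Constructed vendor inventory (hypothetical names): fields each destination may
# receive, and whether review of its terms flagged AI/model-training language.
DESTINATIONS = {
    "warehouse":      {"fields": {"event", "order_id", "email", "total"}, "ai_flag": False},
    "email_platform": {"fields": {"event", "email", "total"}, "ai_flag": True},
    "ad_platform":    {"fields": {"event", "total"}, "ai_flag": False},
}
PERSONAL_FIELDS = {"email", "order_id", "ip", "address"}  # assumed classification

def dispatch(event, dest, audit_log, send=lambda dest, payload: None):
    """Forward only allowlisted fields to a known destination; record what left."""
    policy = DESTINATIONS.get(dest)
    if policy is None:  # unknown vendor: nothing leaves, but the attempt is logged
        audit_log.append({"ts": time.time(), "dest": dest, "action": "blocked", "fields": []})
        return None
    payload = {k: v for k, v in event.items() if k in policy["fields"]}
    send(dest, payload)
    digest = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()
    # Log field names and a digest, not values, so the log is not another copy of the data.
    audit_log.append({"ts": time.time(), "dest": dest, "action": "sent",
                      "fields": sorted(payload), "sha256": digest})
    return payload

def disclosure_evidence(audit_log):
    """Per destination: personal fields actually sent, plus the AI-training flag."""
    seen = defaultdict(set)
    for rec in audit_log:
        if rec["action"] == "sent":
            seen[rec["dest"]] |= set(rec["fields"]) & PERSONAL_FIELDS
    return {d: {"personal_fields": sorted(f), "ai_flag": DESTINATIONS[d]["ai_flag"]}
            for d, f in seen.items()}

def needs_review(evidence):
    """Destinations that received personal data and are flagged for AI training."""
    return sorted(d for d, e in evidence.items() if e["personal_fields"] and e["ai_flag"])

# Constructed sample order event.
SAMPLE_EVENT = {"event": "purchase", "order_id": 1001, "email": "buyer@example.com",
                "total": 59.90, "ip": "203.0.113.7"}

if __name__ == "__main__":
    log = []
    for dest in ("warehouse", "email_platform", "ad_platform", "chat_widget"):
        dispatch(SAMPLE_EVENT, dest, log)
    evidence = disclosure_evidence(log)
    print(json.dumps(evidence, indent=2))
    print("review before drafting the disclosure:", needs_review(evidence))
```

The destinations returned by `needs_review` are the ones whose terms decide what the privacy notice's LLM training statement can truthfully say.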
Key Takeaways
- Deadline is July 1, 2026: Connecticut’s CTDPA amendments take effect in less than a month, requiring LLM training disclosure in every covered business’s privacy notice.
- Threshold dropped to 35,000: The consumer volume threshold fell from 100,000 to 35,000, and two new no-volume triggers mean any business processing sensitive data or selling personal data is in scope.
- Disclosure is binary: You must state whether you do or do not use personal data for LLM training — silence and vague language aren’t compliant.
- AI tools create the exposure: Klaviyo AI, ChatGPT support widgets, recommendation engines, and even GA4’s machine learning all potentially route customer data through LLM-adjacent systems.
- Enforcement is active: The cure period expired, the AG has settled for $85,000+, and chatbot investigations signal AI practices are already on the radar.
- Server-side architecture provides the audit trail: First-party event pipelines let you trace exactly where customer data flows, turning the LLM disclosure from guesswork into evidence-based compliance.
FAQ
Starting July 1, 2026, every business covered by the CTDPA must include a clear statement in its privacy notice disclosing whether it collects, uses, or sells personal data for the purpose of training large language models. This applies regardless of whether the business actually uses data for LLM training — a “we do not” statement is still required.
Yes. The CTDPA applies to any business that conducts business in Connecticut or targets products and services to Connecticut residents, provided it meets the applicability thresholds. If your WooCommerce store ships to Connecticut or processes data from 35,000 or more Connecticut consumers, the law likely applies to you even if your business is located elsewhere.
The CTDPA does not define large language models, which means businesses should take a conservative approach. If customer data flows through any AI system that uses machine learning for predictions, recommendations, or content generation — including third-party tools like Klaviyo AI or ChatGPT-powered support chatbots — that likely qualifies and must be disclosed.
Connecticut’s cure period expired on January 1, 2025. The Attorney General can now issue Notices of Violation and pursue enforcement without offering a fix-first window. The first CTDPA enforcement action resulted in an $85,000 settlement, and the AG’s office has signaled it will use the full weight of its enforcement authority against non-compliant businesses.
References
- Major Changes to Connecticut’s Consumer Privacy Law Will Take Effect July 1, 2026 — Wiley Law (April 2026)
- Practical Guidance for Organizations Navigating US State Privacy Law Requirements — Nixon Peabody LLP (April 2026)
- Connecticut Quietly Adds AI Disclosure Mandate to Consumer Privacy Law — Bryan Cave Leighton Paisner (October 2025)
- Attorney General Tong Releases Updated Report on CTDPA — Connecticut AG (February 2026)
- Attorney General Tong Announces Settlement with TicketNetwork — Connecticut AG (July 2025)
- The Connecticut Privacy Law 2025 Enforcement Report — CompliancePoint (February 2026)
- The Connecticut Data Privacy Act Gets an Overhaul (Again) — Future of Privacy Forum (June 2025)
- Connecticut Expands Data Broker Privacy Law — DataGrail (June 2026)
- State Privacy Law Updates: July 1, 2026 — Ice Miller (May 2026)