On July 1, 2026, new privacy laws take effect in three states at once, and together they push consumer data rights further than any single state has gone before. Connecticut, Arkansas, and Utah each amended or expanded their privacy statutes to take effect on the same date, and each one tackles a different piece of the problem: who’s covered, what counts as sensitive, and who gets to act on a child’s data without asking permission.
You don’t have to live in Connecticut, Arkansas, or Utah for this to matter. Many companies apply their strictest state’s privacy standard to every user, everywhere, because running separate systems for separate states is more expensive than just doing the stricter thing once. These three laws are also a preview: state privacy law in the US keeps expanding in the same direction, and what lands in Hartford or Little Rock this year tends to show up in other state legislatures next year.
Connecticut: A Much Bigger Net, and New Profiling Rights
Connecticut’s Data Privacy Act (CTDPA) gets amended by SB 1295, effective July 1, 2026. Two changes stand out.
The threshold drops from 100,000 to 35,000 consumers
Previously, the CTDPA only applied to businesses that processed personal data for 100,000 or more Connecticut consumers in a year. SB 1295 lowers that to 35,000. That’s a significant drop, and it pulls a large number of mid-sized companies — ones that never had to think about CTDPA compliance before — into scope for the first time.
“Sensitive data” now includes neural data
The categories of personal data that get extra legal protection keep growing. SB 1295 expands Connecticut’s definition of sensitive data to include new categories, among them neural data — information generated by measuring the activity of a person’s central or peripheral nervous system. This matters because wearables and consumer devices that read brain or nerve signals are no longer hypothetical; the law is catching up to hardware that already exists.
New rights around automated profiling
This is the part with the most everyday relevance. Starting July 1, 2026, Connecticut consumers gain the right to:
- Question a decision made about them through automated profiling
- Be informed of the reasoning behind that decision
- Review the data that was used to make it
- Correct that data if it’s wrong
- Request reevaluation of the decision once the data is corrected
If an algorithm decided your loan rate, your insurance premium, or your job application outcome, you now have a defined process to ask why, see the inputs, fix what’s wrong, and get a second look.
The right to know who your data was sold to
SB 1295 also creates a new right to obtain a list of the specific third parties a company has sold your personal data to. This is a meaningfully different right from the general “can I opt out of sale” rights most state laws already provide — it’s a named list, not just a toggle.
Arkansas: No More Targeted Ads to Kids, Full Stop
Arkansas takes a narrower but sharper approach with the Children and Teens’ Online Privacy Protection Act (HB 1717), also effective July 1, 2026.
The rule is simple: companies cannot collect personal data for targeted advertising purposes from anyone under 16 in Arkansas. There’s no consent exception built into this prohibition — a parent or guardian saying “yes, go ahead” doesn’t open the door. The collection itself is off-limits when the purpose is targeted advertising to that age group.
This sets Arkansas apart from a lot of existing children’s privacy law, which tends to be built around consent mechanisms — verify the parent, get a checkbox, proceed. HB 1717 skips the consent step entirely for this specific use case and just prohibits it.
Utah: Correction Rights and Data Portability for Social Media
Utah’s amendments come through HB 418, updating the Utah Consumer Privacy Act (UCPA), again effective July 1, 2026.
A new right to correct your data
The UCPA previously gave Utah consumers rights to access, delete, and opt out of certain processing, but no general right to fix inaccurate data. HB 418 adds that: Utah residents can now require companies to correct personal data that’s wrong.
Social media portability under the Digital Choice Act
HB 418 also folds in new rules from Utah’s Digital Choice Act, requiring data portability and interoperability for social media platforms. In practice, this is aimed at letting users move their data — and potentially their social graph — between platforms rather than being locked into one ecosystem because switching means starting from zero.
The Pattern Behind All Three Laws
Looked at individually, these are three state-specific statutes with different focuses. Looked at together, they trace a consistent direction that’s worth paying attention to regardless of where you live.
Comprehensive privacy law keeps spreading
Connecticut, Arkansas, and Utah are not outliers — they’re part of a list that’s now around 20 states with comprehensive consumer privacy laws on the books. California and Virginia got there first; most of the rest have followed within the last few years, each one borrowing language and structure from the states before it.
“Sensitive data” is an expanding category, not a fixed one
Biometric data was added to sensitive-data definitions in earlier waves of state privacy law. Connecticut’s addition of neural data in 2026 is the same pattern playing out again: lawmakers extend extra protection to new categories of data as the technology that generates them becomes common enough to need regulating.
Profiling and automated-decision rights are becoming standard
Connecticut’s new profiling rights — the ability to question, understand, review, correct, and force reevaluation of an automated decision — reflect a broader move toward giving consumers a process for contesting algorithmic outcomes, not just a disclosure that an algorithm was used.
What This Means If You Don’t Live in CT, AR, or UT
Compliance is rarely state-by-state in practice. Building one privacy system for Connecticut residents and a different, weaker one for everyone else is more engineering and legal overhead than most companies want to carry, so a lot of businesses just apply the strictest applicable standard to their entire user base. That’s why a law passed in one state regularly ends up shaping what every user of a national app or service actually experiences.
It also means these three laws are a reasonable preview of what’s coming elsewhere. A right that shows up in Connecticut’s amendments this year has a decent chance of showing up in a different state’s legislature next year, dropped into a new bill with the same structure and slightly different wording.
Practical steps you can take right now, regardless of your state
You don’t need to wait for your own state to pass something equivalent. Many of these rights are things you can simply ask for, and many companies will honor the request nationally because it’s simpler than checking your ZIP code first.
- Request a copy of your personal data. Most companies with any privacy program have a data access request process, even if your state doesn’t legally require them to honor it for you specifically.
- Ask for the list of third parties your data has been sold to. Connecticut’s new right is a useful template — even companies not legally bound by SB 1295 may have this information readily available if you ask.
- Opt out of automated profiling where you can. Look for settings related to “personalization,” “automated decision-making,” or “profiling” in account privacy settings, and turn them off if the choice is offered.
- Correct inaccurate data when you find it. If a company’s profile of you is wrong — old address, wrong purchase history, mismatched preferences — ask for a correction rather than assuming it doesn’t matter.
- Check whether the service applies privacy protections by state or universally. A company that says “these rights are available to all users” rather than “available only to residents of X” is signaling it chose the simpler, more protective path.
Where Storage Choices Fit Into This
None of these three laws is about cloud storage specifically, but the underlying concern is the same one that should shape where you keep your own photos, documents, and personal files: who can access this data, what gets done with it, and whether you can get a straight answer when you ask.
daftei doesn’t sell personal data, doesn’t train third-party AI models on what you store, and doesn’t run ads — so there’s no third-party sale list to request, because the list is empty by design. Everything is encrypted with TLS 1.3 in transit and AES-256 at rest, and daftei is built to be GDPR and CCPA compliant as a baseline, not a state-by-state patchwork. If you delete your account, you get a 30-day grace window to change your mind, after which deletion is permanent and irreversible — no quiet retention, no exceptions.
The Bigger Picture
Connecticut, Arkansas, and Utah didn’t coordinate these laws, but July 1, 2026 makes them land together, and that’s a useful nudge to look at your own data rights rather than waiting for your state to catch up. The trend across roughly 20 states with comprehensive privacy law is consistently in one direction: more categories of data protected, more rights to question and correct what’s collected, and less tolerance for collection practices that used to be standard.
You can act on most of this today, in any state, by simply asking the companies you already use for what these new laws now guarantee elsewhere. The rights spreading state to state are, in practice, available to anyone willing to ask for them first.