State Privacy Laws Add AI-Training Disclosure: What Marketers Must Answer Now
Privacy & Compliance

State Privacy Laws Add AI-Training Disclosure: What Marketers Must Answer Now

Three US state privacy laws took effect on July 1, according to an overview of the three effective-date changes, and the headline change is not another cookie banner rule. Connecticut’s amended data privacy act (Public Act 25-113) now requires every covered controller to state, clearly in its privacy notice, whether it collects, uses, or sells personal data to train large language models. The disclosure has to cover internal use, sale to third parties, and vendors acting on the company’s behalf. Arkansas, on the same date, put a flat ban on collecting data from minors for targeted advertising, no parental opt-in exception. Utah added a right to correct inaccurate personal data and a social-media data portability rule. Two of the three states offer no cure period before enforcement.

What does Connecticut’s new AI-disclosure clause require?

Under the amended CTDPA, a controller must include a clear and conspicuous statement in its privacy notice disclosing whether it collects, uses, or sells personal data for the purpose of training large language models, a provision legal analysis has flagged as a quietly added mandate. The requirement reaches three separate data paths: the company’s own internal model training, sale of data to third parties for that purpose, and use by vendors processing data on the company’s behalf. The law does not mandate a specific yes/no format or sample wording, and it does not define “LLM” or limit itself to high-risk AI systems, so the disclosure obligation is broader than the label suggests.

The applicability bar also dropped. Connecticut’s law now reaches businesses handling personal data of just 35,000 state consumers, down from 100,000, plus any business that sells personal data or that controls or processes sensitive data regardless of volume. Sensitive-data categories were expanded too, adding neural data and government-issued ID numbers to the list that already triggers stricter handling.

Why this matters for marketing and analytics teams

This is not a legal-department-only problem. The question “does this data feed a model” now has to be answered for every vendor sitting in the martech stack: the ad platform, the CDP, the analytics tool, the chatbot vendor. If a company cannot currently answer that question for each pixel and integration it runs, the privacy notice cannot be written accurately, and an inaccurate notice is itself exposure. Consumers also gained the right to request a list of every third party that received their data and to see the inferences and profiling logic applied to them, raising the documentation bar for controllers.

Connecticut’s right-to-cure period, which let companies fix violations before facing penalties, expired at the end of 2024 and was not renewed. Enforcement exposure starts on day one. The law also tightens targeted-advertising and data-sale limits where a controller has actual knowledge a consumer is a minor, extending protection into the older teen range.

Arkansas and Utah: narrower but still concrete

Arkansas’s Children and Teens’ Online Privacy Protection Act is narrower but stricter in wording. It prohibits collecting personal data for targeted advertising from anyone under 13 or aged 13 to 16, full stop. The source language is explicit: “Not conditional. Not subject to parental opt-in. Prohibited outright.” It also bars operators from letting third parties collect that data for targeted-ad purposes. The Attorney General enforces it, penalties run $10,000 per violation, there is no private right of action, and again, no cure period.

Utah’s changes are procedural rather than prohibitive. HB 418 adds a right to correct inaccurate personal data, with businesses given 45 days to respond. The companion Digital Choice Act introduces social-media data portability: users can transfer their data to a competing platform in real time and choose which portions to move, though moving another person’s content, a comment they made, for example, requires that person’s consent. Utah’s law does not address a cure period either way.

State Law Key new obligation Cure window
Connecticut CTDPA amendment (PA 25-113) Privacy notice must state whether personal data trains LLMs; threshold drops to 35,000 consumers; neural data and government IDs now sensitive No (lapsed end of 2024)
Arkansas Children and Teens’ Online Privacy Protection Act Flat ban on collecting under-13 and 13-16 data for targeted advertising; $10,000 per violation No
Utah HB 418 + Digital Choice Act New right to correct (45-day window); real-time social-media data portability Not specified

The near-term action

The practical task sits at the same layer marketers already manage for controlling which ad and analytics data leaves the stack: map every vendor and pixel that touches personal data, get a straight answer on whether any of it trains a model, and get that answer into the privacy notice before an audit asks the question first. Teen-targeting settings in ad platforms and tag managers need a check against both the Connecticut known-minor limits and the Arkansas outright ban, since neither leaves room to fix things after the fact. State-level privacy enforcement has already shown it can reach directly into ad-tech data flows, a pattern covered in the 42-state probe into AI ad platform data practices. With no cure period in two of the three states live today, “we’ll fix it if flagged” is not a compliance posture, it’s a bet.

Alex Savich

Digital marketing journalist covering MarTech, AI, SEO, and analytics for Elsop Insights.