Connecticut, Virginia, Utah Privacy Laws and the AI Compliance Mapping
Connecticut, Virginia, and Utah were among the first states to follow California's lead on comprehensive consumer privacy legislation. The Connecticut Data Privacy Act (CTDPA), Virginia Consumer Data Protection Act (VCDPA), and Utah Consumer Privacy Act (UCPA) all went into effect in 2023. They share a common DNA, borrowing heavily from the same model legislation, but the differences between them matter quite a bit when you start mapping them onto AI use cases. And most compliance teams haven't done that mapping carefully enough.
The Shared Framework
All three laws establish consumer rights over personal data: access, deletion, correction, portability, and the right to opt out of certain processing activities. All three apply to entities conducting business in the respective state or targeting its residents, with processing thresholds that determine applicability. Virginia's VCDPA (Va. Code Ann. § 59.1-575 et seq.) kicks in at 100,000 consumers or 25,000 consumers if you derive over 50% of gross revenue from selling personal data. Connecticut's CTDPA (Conn. Gen. Stat. § 42-515 et seq.) mirrors those same thresholds. Utah's UCPA (Utah Code Ann. § 13-61-101 et seq.) sets the bar higher, requiring $25 million in annual revenue in addition to the processing volume thresholds.
For AI systems that ingest, process, or generate outputs based on personal data, all three laws are relevant. But the devil is in how each one treats specific processing activities that are central to AI workflows.
Profiling and Automated Decision-Making
This is where the three laws start to diverge in ways that directly affect AI deployments.
Virginia's VCDPA explicitly grants consumers the right to opt out of profiling "in furtherance of decisions that produce legal or similarly significant effects concerning the consumer" (Va. Code Ann. § 59.1-577(A)(5)). Connecticut's CTDPA includes the same opt-out right for profiling but goes further: as amended in 2023 (Public Act 23-56, effective October 1, 2023), it requires controllers to allow consumers to opt out of purely automated decisions that produce legal or similarly significant effects. Connecticut also added a requirement that controllers provide consumers with information about the profiling and an opportunity to contest the decision.
Utah's UCPA, by contrast, does not address profiling or automated decision-making at all. It is the most business-friendly of the three, and it simply does not create a consumer right to opt out of profiling. If your AI system is making consequential decisions about Utah consumers, the UCPA itself imposes no specific obligations around that activity.
For compliance teams, this creates a tiered problem. A single AI system used for, say, insurance underwriting or tenant screening could face three different regulatory postures depending on the consumer's state of residence. Connecticut demands the most: disclosure, opt-out, and contestability. Virginia requires opt-out rights. Utah requires none of the above under its privacy law (though other state and federal laws may apply).
Data Protection Assessments
Both Virginia and Connecticut require data protection assessments (DPAs) for processing activities that present a heightened risk of harm to consumers. Targeted advertising, selling personal data, processing sensitive data, and profiling all trigger the DPA requirement under both laws.
Virginia's VCDPA (§ 59.1-580) requires the assessment to weigh the benefits of the processing against the potential risks to consumer rights. Connecticut's CTDPA (§ 42-520) follows essentially the same structure. The Connecticut Attorney General can demand these assessments, and Virginia's AG has the same authority.
Utah does not require data protection assessments at all.
For AI systems, the DPA requirement is significant. Any model that processes personal data for profiling, targeting, or decisions with legal effects will trigger the assessment obligation in Virginia and Connecticut. The assessment needs to be documented and defensible. If you are training models on consumer data, fine-tuning with personal information, or deploying inference systems that classify individuals, you should assume a DPA is required in those two states.
Sensitive Data and Consent Models
All three laws define categories of sensitive data that require heightened protections, but the consent models differ.
Virginia and Connecticut both require opt-in consent before processing sensitive data. Sensitive data under both laws includes racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship status, genetic data, biometric data for identification, data from known children, and precise geolocation. Connecticut's 2023 amendment expanded this to include data concerning a consumer's status as transgender or nonbinary.
Utah takes a different approach: it requires only opt-out rights for sensitive data processing, not opt-in consent. A controller must inform the consumer and give them a chance to opt out, but affirmative consent is not required before processing begins.
This distinction has real consequences for AI pipelines. If your model ingests health data, biometric identifiers, or other sensitive categories, Connecticut and Virginia require you to obtain affirmative consent before that data enters the pipeline. Utah lets you proceed unless the consumer objects. Building an AI system that complies with all three means defaulting to the strictest standard (opt-in) or implementing state-level logic to differentiate consent flows.
Enforcement and Penalties
None of these three laws includes a private right of action. Enforcement is exclusively through the state attorney general in each case.
Virginia's VCDPA originally included a 30-day cure period, allowing businesses to remediate violations before facing enforcement action. That cure period remains in place. Connecticut's CTDPA had a similar cure period, but it sunset on January 1, 2025. After that date, the Connecticut AG has discretion over whether to offer a cure opportunity. Utah's UCPA retains its 30-day cure provision.
Penalties under all three laws are structured as civil penalties. Virginia allows up to $7,500 per violation. Connecticut applies a $5,000 per violation cap under its Unfair Trade Practices Act (Conn. Gen. Stat. § 42-110o). Utah allows up to $7,500 per violation.
The sunsetting of Connecticut's cure period is worth flagging. It means Connecticut's AG can now pursue enforcement more aggressively, without the procedural speed bump of mandatory cure notices. For AI systems processing Connecticut consumer data, the margin for error just got narrower.
Practical Mapping for AI Systems
If you are deploying AI that touches consumer personal data across these three states, here is a rough compliance hierarchy:
- Connecticut (strictest): Opt-in consent for sensitive data, opt-out rights for profiling and automated decisions, contestability rights for automated decisions, mandatory DPAs, no guaranteed cure period.
- Virginia (middle): Opt-in consent for sensitive data, opt-out rights for profiling, mandatory DPAs, 30-day cure period.
- Utah (most permissive): Opt-out for sensitive data, no profiling provisions, no DPA requirement, 30-day cure period, revenue threshold limits applicability.
The practical move for most organizations is to build to Connecticut's standard and apply it universally, rather than maintaining three separate compliance architectures. But that decision depends on your risk tolerance, your user base distribution, and whether the operational cost of state-level differentiation is justified.
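One way to encode the hierarchy above as a pipeline admission check, as an added illustration rather than FirmAdapt's code: the rule table and the consent record fields are constructed from the article's own summary, the `unify_to_strictest` switch implements the "build to Connecticut's standard and apply it universally" option, and records from states outside the three covered here fail closed.

```python
from dataclasses import dataclass

# Obligations per state as the article lays them out (constructed table, not a legal source).
# sensitive: consent model for sensitive data; profiling: opt-out right for profiling in
# furtherance of legally significant decisions; contest: disclosure plus right to contest;
# dpa: data protection assessment required for sensitive-data processing and profiling.
RULES = {
    "CT": dict(sensitive="opt_in", profiling=True, contest=True, dpa=True),
    "VA": dict(sensitive="opt_in", profiling=True, contest=False, dpa=True),
    "UT": dict(sensitive="opt_out", profiling=False, contest=False, dpa=False),
}
STRICTEST = "CT"  # the "build to Connecticut and apply universally" option


@dataclass
class ConsentRecord:
    state: str
    sensitive_opt_in: bool = False     # affirmative consent on file (CT/VA model)
    sensitive_opted_out: bool = False  # consumer objected after notice (UT model)
    profiling_opted_out: bool = False


def gate(rec, uses_sensitive, profiling, unify_to_strictest=False):
    """Admission check before a consumer record enters the AI pipeline.
    Returns (allowed, blocking_reasons, obligations_triggered)."""
    state = STRICTEST if unify_to_strictest else rec.state
    rules = RULES.get(state)
    if rules is None:  # outside the three states this mapping covers: fail closed
        return False, [f"no rule set for state {rec.state!r}"], []
    reasons, obligations = [], set()
    if uses_sensitive:
        if rules["sensitive"] == "opt_in" and not rec.sensitive_opt_in:
            reasons.append("opt-in consent required for sensitive data")
        elif rules["sensitive"] == "opt_out" and rec.sensitive_opted_out:
            reasons.append("consumer opted out of sensitive data processing")
        if rules["dpa"]:
            obligations.add("data protection assessment")
    if profiling:
        if rules["profiling"] and rec.profiling_opted_out:
            reasons.append("consumer opted out of profiling")
        if rules["dpa"]:
            obligations.add("data protection assessment")
        if rules["contest"]:
            obligations.add("disclose profiling and allow consumer to contest the decision")
    return not reasons, reasons, sorted(obligations)
```

Running the same Utah record with and without `unify_to_strictest` shows the cost of the universal approach: data Utah would admit on an opt-out basis is blocked until affirmative consent is collected.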
How FirmAdapt Addresses This
FirmAdapt's platform is built to handle exactly this kind of multi-jurisdiction complexity. The compliance mapping engine tracks which state privacy laws apply to specific data processing activities, including AI-driven profiling and automated decision-making, and flags where consent models, assessment requirements, or consumer rights differ across jurisdictions. This means your team can see, before deployment, where an AI workflow meets Connecticut's stricter requirements versus Utah's more permissive framework.
FirmAdapt also maintains structured templates for data protection assessments that align with both Virginia's and Connecticut's statutory requirements. When your AI processing activities trigger a DPA obligation, the platform walks your compliance team through the required balancing analysis and produces documentation that is ready for attorney general review. The goal is to reduce the manual overhead of tracking these regulatory differences so your team can focus on the substantive compliance decisions rather than the jurisdictional bookkeeping.