Connecticut Expands Data Privacy Act With Sweeping New Rules On Brokers, Pricing, And Facial Recognition

Connecticut has significantly strengthened its data privacy framework after the legislature passed two bills amending the Connecticut Data Privacy Act, known as the CTDPA.

Senate Bill 4 was signed into law on May 27, 2026, with House Bill 5222 following shortly after on June 2, 2026, amending certain provisions of the first bill.

The majority of the new requirements are set to take effect on October 1, 2026, giving businesses a narrow window to achieve compliance across several distinct areas.

One of the most consequential changes involves a new legal definition of “data broker,” covering any business that sells or licenses brokered personal data to another person.

The definition is modelled largely on Oregon’s HB 2052, and entities falling within scope must register with the Department of Consumer Protection by January 1, 2027.

Data brokers will also be required to submit third-party compliance audits every three years, with civil penalties of up to $200 per day per violation available to regulators for breaches.

A state-run centralised deletion mechanism, modelled on California’s Delete Act, must be operational by July 1, 2028, allowing consumers to request removal of their data from broker databases.

The updated law also bans the sale of precise geolocation data by controllers and third parties, with only narrow exceptions permitted, such as operations involving smart meters.

Businesses using automated processes that rely on a consumer’s personal data to set prices must now disclose this practice, with so-called surveillance pricing by retail sellers and third-party delivery services banned outright.

New transparency and operational requirements apply to any business deploying facial recognition technology for security or loss prevention purposes, including mandatory signage at public entrances.

Facial recognition systems are also restricted to databases maintained exclusively by the business itself, limiting how broadly such data can be shared or aggregated across third parties.

Direct-to-consumer genetic testing companies face a separate set of new requirements under the updated law, reflecting growing legislative concern about the sensitivity of genetic information.

Separately, amendments to the CTDPA that took effect on July 1, 2026 lowered the law’s applicability threshold from 100,000 to 35,000 Connecticut consumers, dramatically widening its reach.

Any organisation that processes sensitive data or sells personal data now falls within scope regardless of the volume of consumers it handles, closing a significant exemption gap.

New obligations relating to large language model training disclosures and artificial intelligence profiling assessments also form part of the updated Connecticut privacy regime.