惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
The GitHub Blog
The GitHub Blog
T
Threatpost
人人都是产品经理
人人都是产品经理
大猫的无限游戏
大猫的无限游戏
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - Franky
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell
M
MIT News - Artificial intelligence
小众软件
小众软件
Hugging Face - Blog
Hugging Face - Blog
云风的 BLOG
云风的 BLOG
S
Security Affairs
P
Proofpoint News Feed
L
LINUX DO - 最新话题
宝玉的分享
宝玉的分享
S
Security @ Cisco Blogs
H
Hacker News: Front Page
Security Archives - TechRepublic
Security Archives - TechRepublic
Vercel News
Vercel News
Engineering at Meta
Engineering at Meta
Know Your Adversary
Know Your Adversary
Y
Y Combinator Blog
美团技术团队
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
月光博客
月光博客
量子位
博客园_首页
The Last Watchdog
The Last Watchdog
D
DataBreaches.Net
www.infosecurity-magazine.com
www.infosecurity-magazine.com
P
Privacy International News Feed
The Register - Security
The Register - Security
Schneier on Security
Schneier on Security
H
Help Net Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Visual Studio Blog
Google DeepMind News
Google DeepMind News
F
Full Disclosure
C
Cyber Attacks, Cyber Crime and Cyber Security
MyScale Blog
MyScale Blog
aimingoo的专栏
aimingoo的专栏
S
Schneier on Security
L
Lohrmann on Cybersecurity
S
Secure Thoughts
Stack Overflow Blog
Stack Overflow Blog
Cloudbric
Cloudbric
Microsoft Security Blog
Microsoft Security Blog

Future of Privacy Forum

Navigating Cross-Border Data Transfers in the ASEAN Region: An Analysis of Developments from 2023 to 2026 FPF Submits Comments to Inform California Children’s Social Media Protections Rulemaking Process Mandating “Evidence-Based” Suicide Detection in Chatbots Data Brokers & Beyond: Navigating New Jersey’s Data Broker & “Data Collector” Registration Law - Future of Privacy Forum FPF Hosts Frontiers Workshop on Privacy, AI, and Emerging Infrastructure FPF’s 2026 DC Privacy Forum: Leading Voices in AI, Privacy and Emerging Technology Understanding Data Embassies and Corridors Perseverance Pays Off for Vermont Privacy Efforts Future of Privacy Forum Announces 2026 Career Achievement Award Recipients - Future of Privacy Forum Future of Privacy Forum Releases Comprehensive Report On Algorithmic Personalization in Youth Online Experiences Frontier AI Goes Federal: How the Great American AI Act Compares to State Laws Privacy Becomes You, Bayou State: A Look at the Louisiana Data Privacy Act Comparing Enacted App Store Accountability Acts - Future of Privacy Forum No Silver Bullet, But a Silver Lining? PETs and International Data Transfers Career Choice in the AI Age: What Next for Privacy and Data Professionals? FPF Releases Practitioner Guides on Privacy Enhancing Technologies for Education Stakeholders Third Time’s the Charm: Connecticut Enacts Annual Privacy Update - Future of Privacy Forum Colorado Revises Its AI Act: What Changed and Why The EU Commission’s Approach to Age Verification: Mobile Apps, DSA Enforcement, and Challenging National Social Media Bans Taking stock: The Impact of the India AI Impact Summit 2026 The New(ish) Architecture of Consumer Health and Artificial Intelligence Celebrating Another Year of Privacy and AI Governance: FPF at the 2026 IAPP Global Summit - Future of Privacy Forum Adapting the Privacy Profession to Changing Times More Parties, More Risks, More Opportunity? Evolving Governance to Support Cyber Resilience Amidst Evolving Policy and Technological Change Contextualizing the Proposed SECURE Data Act in the State Privacy Landscape FPF on the Securing and Establishing Consumer Uniform Rights and Enforcement Over Data ("SECURE Data") Act The Alabama Personal Data Protection Act Brings Consumer Privacy to the Heart of Dixie The Price is Right: Responsible Uses of Personal Data in Pricing Red Lines under the EU AI Act: Restricting Real-time Remote Biometric Identification Systems for Law Enforcement Purposes The Rest of the West: Oregon and Washington Build on California Chatbot Law Red Lines under the EU AI Act: Understanding the prohibition of biometric categorization for certain sensitive characteristics 2026 Chatbot Legislation Tracker Red Lines under EU AI Act: Unpacking the prohibition of emotion recognition in the workplace and education institutions Privacy Protections Coming Sooner Rather Than Later to the Sooner State Navigating Autonomy and Privacy in Emerging AgeTech: Insights from the FPF Roundtable Incentives or Obligations? The U.S. Regulatory Approach to Voluntary AI Governance Standards Red Lines under the EU AI Act: Understanding the ban of the untargeted scraping of facial images and facial recognition databases
SB 5 in Five: What to Know About Connecticut’s New AI Law
https://www.facebook.com/FutureofPrivacy · 2026-05-28 · via Future of Privacy Forum

Policy Analyst, AI Policy and Legislation

Daniel Hales

Policy Counsel for U.S. Legislation

Connecticut’s SB 5 fits a lot of AI obligations into a small bill number. This week, Governor Lamont (D) signed the 39-section bill into law, creating new requirements across several fast-moving areas of AI policy, including companion chatbots, automated employment decision tools (AEDTs), social media, and provenance data. The law also includes provisions related to frontier AI whistleblower protections, AI-related layoff notices, and planning for a state AI regulatory sandbox, making it one of the broader state AI packages enacted this year. The law’s provisions phase in over time, with effective dates ranging from October 2026 to January 2028.

The law follows several years of debate in Connecticut over how to regulate AI, including last year’s SB 2, which cleared the Senate but ultimately fell apart after a veto threat from Governor Lamont over concerns that the bill could hamper innovation. SB 5 takes a different path. Rather than establishing a single comprehensive high-risk AI framework, it stitches together a set of more targeted obligations, alongside provisions focused on innovation, workforce development, and future study.

The result is a wide-ranging law that touches many of the AI issues currently moving through state legislatures. With so much packed into SB 5, here are five things to know about Connecticut’s new AI law.

Note: The Governor also signed SB 4, a broad privacy bill that establishes a data broker registry and accessible deletion mechanism, regulates data-driven pricing, updates the CTDPA, and regulates direct-to-consumer genetic testing, which is covered in FPF’s recent blog.

  1. Companion chatbots get their Connecticut chapter

SB 5 gives companion chatbots their Connecticut chapter, adding the state to a growing list of jurisdictions (New York, California, Washington, Oregon, Nebraska, Idaho, Iowa, and Georgia) writing rules for chatbot systems that can sustain relationships with users. The law would impose baseline protections for all users, including safety protocols for suicidal ideation and clear non-human disclosures, while also introducing minor-specific safeguards such as parental tools to manage privacy and screen time, as well as limits on engagement-maximizing features. For those following this rapidly evolving area, FPF maintains a continuously updated chatbot legislation tracker that monitors activity in this space.

Scope: SB 5 uses a detailed set of carveouts to narrow the systems covered, similar to Nebraska’s and Idaho’s laws. But Connecticut’s definition of “AI companion” is more targeted: it focuses on systems that provide adaptive, human-like responses and can sustain a relationship over time. One carveout is especially notable: the law excludes “narrow, task-specific” tools that provide outputs related to a discrete topic or function, so long as the tool’s primary function is not to discuss mental health. Similar narrow-task carveouts appear in other state chatbot laws, but Connecticut’s version appears narrower because the exclusion may not apply where the tool’s primary function is mental health-related.

Requirements for all users: SB 5 follows several other companion chatbot laws enacted this year in setting a familiar baseline: safety protocols, non-human disclosures, and safeguards to keep AI companions from presenting themselves as human. Operators would need to publicly post safety protocols using “evidence-based methods” to detect and “clinical best practices and expertise” to respond to user expressions indicating suicide, self-harm, or physical violence. Because “evidence-based methods” and “clinical best practices” are not defined, operators may face questions about what detection tools or clinical inputs are sufficient to meet that standard.

The law would also require clear non-human disclosures when an AI companion could reasonably lead a user to believe they are interacting with a human. Like Washington and Georgia, Connecticut applies a one-hour disclosure interval for minors and a three-hour interval for adults. Although the law distinguishes between users, the shorter minor-focused interval could become the practical default if operators choose to comply uniformly.

Minor-Specific Requirements: For minors, SB 5 moves beyond “tell users it is AI” and into the harder question of how companion chatbots are designed to interact and build relationships over time. Similar to Oregon’s law, Connecticut’s protections apply when an operator “knows or has reason to believe” that a user is under 18, a standard that may require operators to account for contextual signals, not just direct knowledge of age.

Similar to Washington’s chatbot law, SB 5 would require operators to prevent their chatbots from engaging in certain harmful conduct before providing an AI companion to a minor, including encouraging disordered eating or physical violence; romantic interactions; and manipulative techniques intended to extend engagement, such as encouraging isolation from family or friends or fostering inappropriate emotional dependence. Terms like “inappropriate emotional dependence” and “disordered eating” are not further defined, raising questions about how operators should distinguish benign interactions from those prohibited under the law. The law also includes a broader provision prohibiting operators from “optimizing user engagement in any manner that disregards” the minor-specific safeguards, which may extend the reach of the minor protections beyond listed outputs.

Finally, SB 5 also requires tools for parents and minors to manage screen time and account settings, a feature that appears in other state chatbot laws, including Idaho, Nebraska, and Georgia

Enforcement: SB 5 would make violations an unfair or deceptive trade practice enforced by the Attorney General, keeping the law in the AG-enforcement lane rather than creating a private right of action. These requirements take effect January 1, 2027.

  1. For employment AI, SB 5 asks for a heads-up, not an audit or assessment

Employment AI gets its turn in SB 5, with new transparency requirements for automated employment-related decision technologies (AEDTs) used to shape decisions about hiring, promotion, discipline, and discharge. The section draws from broader ADMT laws, including California’s CPPA ADMT regulations, the Colorado AI Act as originally enacted in 2024, as well as employment-specific laws such as New York City’s LL 144. But unlike other state frameworks, Connecticut does not require AEDTs to undergo bias audits or risk assessments. Instead, SB 5 focuses on disclosures and written notice to applicants and employees, similar to the revised Colorado ADM Act.

Scope: SB 5 is narrower than broader ADMT frameworks that apply across sectors such as housing and education. It covers AEDTs that are a “substantial factor” used to “make or materially influence” an employment-related decision. The law defines “substantial factor” as something that “meaningfully alters” the outcome, a narrower definition than the Colorado AI Act’s 2024 language covering systems that are “capable of altering” or “assist” in making a consequential decision.

Notice obligations: The notice obligations are allocated between actors in the AI value chain, similar to the current and previous version of the Colorado AI law. Beginning October 1, 2027, developers that market AEDTs for employment decisions would need to provide deployers with information about the tool. Deployers would then need to disclose to employees or applicants that an AEDT has been deployed, the purpose and nature of the decision, the tool’s trade name, the categories and sources of personal data used, how that data will be assessed, and contact information for the deployer. Developers and deployers do not need to disclose trade secrets, but must tell individuals when information is withheld on that basis.

Civil rights and enforcement: SB 5 may be notice-first, but it is not notice-only. The law also amends Connecticut’s human rights statute to clarify that using an AEDT is not a defense to discrimination claims, while allowing courts or the commission to consider evidence of anti-bias testing and related efforts when evaluating those claims. That consideration of anti-bias testing also builds on a related theme in last year’s amendments to the Connecticut Data Privacy Act, which included an exemption allowing controllers to process personal data for internal use to allow them to use data for bias testing. California and Illinois have similarly amended employment or human rights laws to address automated decision systems in the workplace. As a result, entities may not be required to conduct bias testing or assessments under Connecticut law, but are strongly encouraged to reduce their regulatory risk. 

Violations would be treated as unfair or deceptive trade practices and enforced by the Attorney General, with a potential 60-day cure period through the end of 2027 and no private right of action. These requirements take effect October 1, 2026.

  1. Social media and AI regulations increasingly become the dynamic duo in online safety

As the online safety landscape continues to evolve and other jurisdictions weigh pairing social media and chatbot regulations—Connecticut strikes first by incorporating a section on online safety obligations for social platforms into SB 5. Similar to laws enacted in California and New York, SB 5 restricts operators from providing minors under 18 access to a platform that “recommends, selects, or prioritizes for display…media items” shared by other users—also known as personalized recommender systems–unless certain requirements are met. 

Age assurance and parental consent: As is commonly the case in social media frameworks, SB 5 requires that covered operators implement “commercially reasonable and technically feasible methods” to determine whether a user is an adult or a minor. In the case of a minor, a covered operator may not offer access to personalized recommender systems without first obtaining parental consent. Unlike California and New York, however, SB 5 does not authorize agency rulemaking to provide guidance on acceptable forms of age assurance under this law, potentially creating ambiguity for compliance teams. 

Default safety features: The law also requires certain minor-specific default safety features seen in other recent frameworks, such as South Carolina’s Age Appropriate Design Code (AADC), including preventing unconnected users from viewing or contacting minor accounts and restricting minors from viewing “sensitive content.” Notably, SB 5 broadly defines “sensitive content” to include any material violative of platform community standards, “or any similar guidelines or standards” established by the covered operator. Lastly, in a novel move, covered operators would be required to limit minors’ access to personalized recommender systems to one hour per day by default, comparable to a recently enjoined obligation in Virginia. Only a minors’ parent can adjust the default time limit on personalized recommender system access through parental control mechanisms.

Parental controls: Covered operators must establish and provide parents or guardians access to prescribed controls for supervising the accounts of their children. These controls include providing parents the ability to prevent minors from receiving notifications outside of preset timeframes and limiting minor access to personalized recommender systems to specific times indicated by the parent. SB 5 would also require covered platforms to provide parents with a mechanism for setting the minor’s account to a protected mode that does not allow unconnected users to view published content of or exchange messages with minors—although it is unclear how this particular parental tool is supposed to be implemented alongside the seemingly identical default safety feature noted above.

Disclosures: SB 5 requires covered operators to provide two kinds of disclosures. First, minors must be provided a health warning from the Surgeon General concerning the potential harms of social media use. Secondly, covered operators must annually disclose to the state Attorney General’s office, in a publicly accessible format, information related to platform use, such as the total number of covered users for whom the covered operator obtained parental consent, enabled default settings, and the average amount of time covered users spent on the platform per day. SB 5’s reliance on disclosure obligations follows a growing trend of requiring various kinds of disclosures in online safety legislation to both individuals, like in Colorado’s recently enjoined social media warnings law, and to state entities for public accessibility, like in South Carolina’s AADC.

Enforcement: A covered operator’s violation of these requirements constitutes an unfair or deceptive trade practice under Connecticut consumer protection law, which includes a private right of action in addition to state enforcement authority. These requirements become effective on January 1, 2028.

  1. AI provenance rules make their way east in SB 5

SB 5 picks up the provenance trend seen in western states–adding Connecticut to the growing list of states setting requirements for AI-generated content. SB 5 would require covered providers to include provenance data in content that is created or materially altered by a generative AI system. California spearheaded AI provenance data disclosure with the California AI Transparency Act, enacted in 2024 and amended in 2025. Other states with provenance data laws include Utah and Washington.

The provision is relatively targeted. It applies to covered providers that produce publicly accessible generative AI systems for personal use with more than 1 million monthly users. It also focuses on content that is created or “materially altered” by a generative AI system, while excluding minor modifications such as changes in color or resizing. That distinction helps to focus the law’s requirement on more meaningful generative AI edits, rather than changes unlikely to affect the substance of the content.

The law requires provenance data to be difficult to tamper with or remove. At the same time, covered providers are not required to include information relating to an identified or reasonably identifiable individual, trade secrets, or confidential or proprietary information.

These provenance requirements are narrower than SB 5’s provisions on chatbots or AEDTs, but still notable because they place Connecticut within a growing state-level push to make AI-generated and altered content easier to trace. Other provenance data bills are still pending in states like Arizona and New Jersey. These requirements take effect October 1, 2026.

  1. Whistleblowers, layoff notices, and sandboxes get targeted treatment in SB 5

SB 5 also borrows from a few other state AI playbooks, like frontier AI protections and regulatory sandboxes. But in both cases, Connecticut takes a narrower path. Rather than creating a full frontier model governance framework or immediately launching a sandbox program, SB 5 focuses on employee whistleblower protections and planning for a potential future sandbox, as well as a targeted AI-related layoff notice requirement.

Frontier AI whistleblower protections: SB 5 borrows the language of frontier AI laws, but not the full architecture. Like California’s SB 53 and New York’s RAISE Act, it defines key terms such as “frontier developer,” “large frontier developer,” and “catastrophic risk.” But unlike broader frontier AI frameworks, SB 5 does not require developers to publish governance frameworks, issue transparency reports, or establish critical safety incident reporting mechanisms. Instead, it focuses on solely protecting employees who report certain serious AI-related risks.

The law would prohibit frontier developers from penalizing covered employees for protected whistleblower activity and bar retaliation against employees who report, with reasonable cause, conduct they believe poses a specific and substantial danger to public health or safety due to a catastrophic risk. Large frontier developers would also need to create an internal reporting process by January 1, 2027, allowing employees to anonymously report such risks, provide updates to reporting employees, share reports with directors quarterly, and notify employees of their rights. These requirements take effect October 1, 2026.

AI-related layoff notices: SB 5 also includes a workforce disclosure provision. Employers issuing plant-closing or mass layoff notices would need to disclose to the Labor Department whether the layoffs are related to the employer’s use of AI. These requirements take effect October 1, 2026.

Regulatory sandbox planning:  SB 5 directs the Commissioner of Economic and Community Development to develop a plan for an AI regulatory sandbox program, joining a small but growing group of states (Utah, Texas, and Delaware) that have adopted AI sandbox frameworks. The program would allow approved applicants to test innovative AI systems under reduced regulatory requirements.

But here too, Connecticut starts with a blueprint. SB 5 requires planning for a potential sandbox, not the immediate launch of one, and asks the Commissioner to assess the feasibility of a reciprocal, multistate sandbox model. Recommendations are due by January 1, 2028.

Conclusion

SB 5 does not create one comprehensive AI framework. Instead, it reflects a broader trend in state AI policymaking of setting targeted obligations across several use cases, from companion chatbots and employment tools to provenance data and frontier AI employee protections. As states continue experimenting with issue-specific AI laws, Connecticut’s SB 5 offers another example of how significant AI regulation can emerge through issue-specific provisions. Additionally, as states continue to pursue substantive online safety frameworks for minors, whether other jurisdictions will pair social media regulation with chatbot safety requirements remains a trend to watch.