

















The Connecticut Data Privacy Act (CTDPA) has been revised multiple times since being enacted in 2022: SB 3 added heightened protections for consumer health data and for minors in 2023; and SB 1295 in 2025 expanded the law’s scope, updated and added consumer rights, modified the data minimization and purpose limitation requirements, prescribed impact assessment requirements for profiling, and further heightened protections for minors. Like clockwork, Connecticut has once again passed new privacy legislation.
This year’s efforts include more CTDPA amendments, a new California Delete Act–style data broker registry and accessible deletion mechanism, restrictions on data-driven pricing, and regulation of direct-to-consumer genetic testing. These changes came in a trio of bills: SB 4, HB 5222, and HB 5563. The bulk of the new requirements are located in SB 4, but, due to legislative procedure and timing, there were additional ‘clean-up’ amendments to SB 4 in the other two bills. Governor Lamont signed SB 4 on May 27. Although at the time of publication we are still waiting for HB 5222 and HB 5563 to be signed, this blog post assumes that these bills will be enacted and provides an overview of all three bills’ main requirements.
Key elements of these bills:
Note: The legislature also passed SB 5, a broad AI bill that addresses companion chatbots, automated decisionmaking technology, social media, and other AI-related provisions. If that bill is signed by the Governor, then FPF will cover it in a separate blog post.
The updates to the CTDPA primarily affect publicly available information, the consumer deletion right, the sale of precise geolocation data, and the use of facial recognition technology for security purposes in retail. Many of these changes are responsive to legislative recommendations in enforcement reports from the Connecticut AG.

These requirements will be effective October 1, 2026.
Connecticut joins California, Oregon, Texas, and Vermont by creating a data broker registry. Starting January 1, 2027, this bill would prohibit a “data broker” from selling or licensing “brokered personal data” in Connecticut unless the data broker is actively registered with the Department of Consumer Protection.
Notable exemptions include: personal data collected or sold in compliance with the Driver’s Privacy Protection Act; consumer reporting agencies and furnishers to the extent they are engaged in activities regulated by FCRA; financial institutions, affiliates and nonaffiliated third parties to the extent they are engaged in activities regulated under Title V of GLBA; covered entities, business associates, and protected health information under HIPAA; and narrow exceptions for activities such as selling or licensing publicly available information (defined narrowly), providing digital access to materials such as newspapers, or providing directory assistance.
Registration will be annual, cost $2,500, and require applications to include extensive, mandated disclosures (e.g., a public website with information on how consumers can exercise consumer rights under the CTDPA, whether the data broker collects certain listed categories of personal information, whether and to what extent the data broker is subject to regulation under FCRA, GLBA, and HIPAA).
The Commissioner of Consumer Protection will establish and update a public website disclosing the information each data broker includes in its registration application. Similar to the California Delete Act, this bill will also require the state to—by July 1, 2028—establish an accessible deletion mechanism that will allow consumers to submit a single deletion request to (up to) all registered data brokers. The Commissioner has authority to adopt regulations to implement sections 2-8 of the bill. Data brokers will be required to comply with deletion requests submitted via the accessible deletion mechanism once every 45 days starting on October 1, 2028. Also consistent with the Delete Act, data brokers will be required to undergo independent third-party audits once every three years (starting in 2031). The penalties under the new data broker provisions are $200 per day per consumer for each violation.
There are two unique aspects of Connecticut’s data broker requirements worth flagging. First, the law is scoped broadly and, unlike other state data broker laws, does not clearly carve out data collected in the context of a first-party relationship. For example, most laws define a data broker as a business that (1) collects and sells personal information concerning a consumer with whom the business does not have a direct relationship, or (2) sells personal data that the business did not collect directly from the consumer. The closest thing to a first-party relationship exception in this bill is a carve out for a business that collects information concerning a consumer if the consumer is or was “in a contractual relationship with the business” or any “similar” relationship. This provision is similar to, but less defined than, language in Oregon’s and Vermont’s laws carving out a business that collects information about a consumer who is a past or present customer, subscriber, or user of the business’s goods or services.
The second ambiguity to note is inconsistent scoping regarding “brokered personal data” versus “personal data.” For example, the obligation for data brokers to comply with a verified deletion request provides that a data broker must “delete any personal data such registered data broker maintains concerning the participating consumer.” This bill adopts the definition of “personal data” from the CTDPA: “any information that is linked or reasonably linkable to an identified or identifiable individual.” However, that term is broader than “brokered personal data,” as utilized within the definition of “data broker,” which is limited to an enumerated list of identifiers. As a result, data brokers may be required to delete more information than what is required to label them as a data broker.
This bill (1) bans surveillance pricing by a retail seller or third-party delivery service, subject to exceptions, and (2) subjects any other person engaged in surveillance pricing to mandatory disclosures.
The prohibition on surveillance pricing is narrowly targeted to retail sellers and third-party delivery services. Earlier this year, Maryland enacted a similar but narrower law, the Protection From Predatory Pricing Act (HB 895), which regulates food retailers’ and third-party delivery service providers’ use of dynamic pricing, personal data, and protected class data in setting prices for food.
The disclosure requirements broadly apply to “any person” doing business in Connecticut who engages in surveillance pricing for any reason other than to establish a discounted price for a consumer good or service as part of an online transaction, and who (online) advertises or promotes the price, labels a consumer good with the price, or publishes a statement, image, or announcement disclosing the price. These requirements include providing a mandated disclosure stating “THIS PRICE WAS INCREASED USING YOUR PERSONAL DATA” and informing consumers of their rights under the CTDPA. The disclosure must be “readily visible to the average consumer.” No disclosure is required if the price is the bona fide market price, as defined in the bill. The disclosure requirement is similar to that under New York’s Algorithmic Pricing Disclosure Act.
These provisions are subject to entity-level exemptions, including for persons licensed to operate under the state’s insurance laws and persons whose activities are based on data provided in a consumer report covered by FCRA or data reflecting factors a credit can consider under the Equal Credit Opportunity Act.
Violations of these provisions will be enforced exclusively by the AG as unfair or deceptive trade practices. These requirements will be effective February 1, 2027.
Procedural Note: HB 5563 is substituting its own data-driven pricing requirements in place of those in HB 5222, which was in turn repealing and substituting the data-driven pricing section in SB 4.
In their most recent enforcement report, the Connecticut OAG “urge[d] the legislature to adopt a standalone genetic data privacy law.” This bill responds to that call, making Connecticut the second state this year after South Dakota (SB 49) to enact a direct-to-consumer genetic testing privacy law. The requirements for direct-to-consumer genetic testing companies include—
Similar to Texas’s law, this law also provides consumers with a “property right in, and . . . the right to exercise exclusive control over,” their biological samples used by a direct-to-consumer genetic testing company as well as results of DNA testing by the company. These requirements will be effective October 1, 2026.
* * *
Looking to get up to speed on the existing state comprehensive consumer privacy laws? Check out FPF’s 2025 report, Anatomy of a State Comprehensive Privacy Law: Charting the Legislative Landscape.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。