SB 5 in Five: What to Know About Connecticut’s New AI Law

Connecticut’s SB 5 fits a lot of AI obligations into a small bill number. This week, Governor Lamont (D) signed the 39-section bill into law, creating new requirements across several fast-moving areas of AI policy, including companion chatbots, automated employment decision tools (AEDTs), social media, and provenance data. The law also includes provisions related to frontier AI whistleblower protections, AI-related layoff notices, and planning for a state AI regulatory sandbox, making it one of the broader state AI packages enacted this year. The law’s provisions phase in over time, with effective dates ranging from October 2026 to January 2028.

The law follows several years of debate in Connecticut over how to regulate AI, including last year’s SB 2, which cleared the Senate but ultimately fell apart after a veto threat from Governor Lamont over concerns that the bill could hamper innovation. SB 5 takes a different path. Rather than establishing a single comprehensive high-risk AI framework, it stitches together a set of more targeted obligations, alongside provisions focused on innovation, workforce development, and future study.

The result is a wide-ranging law that touches many of the AI issues currently moving through state legislatures. With so much packed into SB 5, here are five things to know about Connecticut’s new AI law.

Note: The Governor also signed SB 4, a broad privacy bill that establishes a data broker registry and accessible deletion mechanism, regulates data-driven pricing, updates the CTDPA, and regulates direct-to-consumer genetic testing, which is covered in FPF’s recent blog.

1. Companion chatbots get their Connecticut chapter

SB 5 gives companion chatbots their Connecticut chapter, adding the state to a growing list of jurisdictions (New York, California, Washington, Oregon, Nebraska, Idaho, Iowa, and Georgia) writing rules for chatbot systems that can sustain relationships with users. The law would impose baseline protections for all users, including safety protocols for suicidal ideation and clear non-human disclosures, while also introducing minor-specific safeguards such as parental tools to manage privacy and screen time, as well as limits on engagement-maximizing features. For those following this rapidly evolving area, FPF maintains a continuously updated chatbot legislation tracker that monitors activity in this space.

Scope: SB 5 uses a detailed set of carveouts to narrow the systems covered, similar to Nebraska’s and Idaho’s laws. But Connecticut’s definition of “AI companion” is more targeted: it focuses on systems that provide adaptive, human-like responses and can sustain a relationship over time. One carveout is especially notable: the law excludes “narrow, task-specific” tools that provide outputs related to a discrete topic or function, so long as the tool’s primary function is not to discuss mental health. Similar narrow-task carveouts appear in other state chatbot laws, but Connecticut’s version appears narrower because the exclusion may not apply where the tool’s primary function is mental health-related.

Requirements for all users: SB 5 follows several other companion chatbot laws enacted this year in setting a familiar baseline: safety protocols, non-human disclosures, and safeguards to keep AI companions from presenting themselves as human. Operators would need to publicly post safety protocols using “evidence-based methods” to detect and “clinical best practices and expertise” to respond to user expressions indicating suicide, self-harm, or physical violence. Because “evidence-based methods” and “clinical best practices” are not defined, operators may face questions about what detection tools or clinical inputs are sufficient to meet that standard.

The law would also require clear non-human disclosures when an AI companion could reasonably lead a user to believe they are interacting with a human. Like Washington and Georgia, Connecticut applies a one-hour disclosure interval for minors and a three-hour interval for adults. Although the law distinguishes between users, the shorter minor-focused interval could become the practical default if operators choose to comply uniformly.

Minor-Specific Requirements: For minors, SB 5 moves beyond “tell users it is AI” and into the harder question of how companion chatbots are designed to interact and build relationships over time. Similar to Oregon’s law, Connecticut’s protections apply when an operator “knows or has reason to believe” that a user is under 18, a standard that may require operators to account for contextual signals, not just direct knowledge of age.

Similar to Washington’s chatbot law, SB 5 would require operators to prevent their chatbots from engaging in certain harmful conduct before providing an AI companion to a minor, including encouraging disordered eating or physical violence; romantic interactions; and manipulative techniques intended to extend engagement, such as encouraging isolation from family or friends or fostering inappropriate emotional dependence. Terms like “inappropriate emotional dependence” and “disordered eating” are not further defined, raising questions about how operators should distinguish benign interactions from those prohibited under the law. The law also includes a broader provision prohibiting operators from “optimizing user engagement in any manner that disregards” the minor-specific safeguards, which may extend the reach of the minor protections beyond listed outputs.

Finally, SB 5 also requires tools for parents and minors to manage screen time and account settings, a feature that appears in other state chatbot laws, including Idaho, Nebraska, and Georgia. 

Enforcement: SB 5 would make violations an unfair or deceptive trade practice enforced by the Attorney General, keeping the law in the AG-enforcement lane rather than creating a private right of action. These requirements take effect January 1, 2027.

2. For employment AI, SB 5 asks for a heads-up, not an audit or assessment

Employment AI gets its turn in SB 5, with new transparency requirements for automated employment-related decision technologies (AEDTs) used to shape decisions about hiring, promotion, discipline, and discharge. The section draws from broader ADMT laws, including California’s CPPA ADMT regulations, the Colorado AI Act as originally enacted in 2024, as well as employment-specific laws such as New York City’s LL 144. But unlike other state frameworks, Connecticut does not require AEDTs to undergo bias audits or risk assessments. Instead, SB 5 focuses on disclosures and written notice to applicants and employees, similar to the revised Colorado ADM Act.

Scope: SB 5 is narrower than broader ADMT frameworks that apply across sectors such as housing and education. It covers AEDTs that are a “substantial factor” used to “make or materially influence” an employment-related decision. The law defines “substantial factor” as something that “meaningfully alters” the outcome, a narrower definition than the Colorado AI Act’s 2024 language covering systems that are “capable of altering” or “assist” in making a consequential decision.

Notice obligations: The notice obligations are allocated between actors in the AI value chain, similar to the current and previous version of the Colorado AI law. Beginning October 1, 2027, developers that market AEDTs for employment decisions would need to provide deployers with information about the tool. Deployers would then need to disclose to employees or applicants that an AEDT has been deployed, the purpose and nature of the decision, the tool’s trade name, the categories and sources of personal data used, how that data will be assessed, and contact information for the deployer. Developers and deployers do not need to disclose trade secrets, but must tell individuals when information is withheld on that basis.

Civil rights and enforcement: SB 5 may be notice-first, but it is not notice-only. The law also amends Connecticut’s human rights statute to clarify that using an AEDT is not a defense to discrimination claims, while allowing courts or the commission to consider evidence of anti-bias testing and related efforts when evaluating those claims. That consideration of anti-bias testing also builds on a related theme in last year’s amendments to the Connecticut Data Privacy Act, which included an exemption allowing controllers to process personal data for internal use to allow them to use data for bias testing. California and Illinois have similarly amended employment or human rights laws to address automated decision systems in the workplace. As a result, entities may not be required to conduct bias testing or assessments under Connecticut law, but are strongly encouraged to reduce their regulatory risk. 

Violations would be treated as unfair or deceptive trade practices and enforced by the Attorney General, with a potential 60-day cure period through the end of 2027 and no private right of action. These requirements take effect October 1, 2026.

3. Social media and AI regulations increasingly become the dynamic duo in online safety

As the online safety landscape continues to evolve and other jurisdictions weigh pairing social media and chatbot regulations—Connecticut strikes first by incorporating a section on online safety obligations for social platforms into SB 5. Similar to laws enacted in California and New York, SB 5 restricts operators from providing minors under 18 access to a platform that “recommends, selects, or prioritizes for display…media items” shared by other users—also known as personalized recommender systems–unless certain requirements are met. 

Age assurance and parental consent: As is commonly the case in social media frameworks, SB 5 requires that covered operators implement “commercially reasonable and technically feasible methods” to determine whether a user is an adult or a minor. In the case of a minor, a covered operator may not offer access to personalized recommender systems without first obtaining parental consent. Unlike California and New York, however, SB 5 does not authorize agency rulemaking to provide guidance on acceptable forms of age assurance under this law, potentially creating ambiguity for compliance teams. 

Default safety features: The law also requires certain minor-specific default safety features seen in other recent frameworks, such as South Carolina’s Age Appropriate Design Code (AADC), including preventing unconnected users from viewing or contacting minor accounts and restricting minors from viewing “sensitive content.” Notably, SB 5 broadly defines “sensitive content” to include any material violative of platform community standards, “or any similar guidelines or standards” established by the covered operator. Lastly, in a novel move, covered operators would be required to limit minors’ access to personalized recommender systems to one hour per day by default, comparable to a recently enjoined obligation in Virginia. Only a minors’ parent can adjust the default time limit on personalized recommender system access through parental control mechanisms.

Parental controls: Covered operators must establish and provide parents or guardians access to prescribed controls for supervising the accounts of their children. These controls include providing parents the ability to prevent minors from receiving notifications outside of preset timeframes and limiting minor access to personalized recommender systems to specific times indicated by the parent. SB 5 would also require covered platforms to provide parents with a mechanism for setting the minor’s account to a protected mode that does not allow unconnected users to view published content of or exchange messages with minors—although it is unclear how this particular parental tool is supposed to be implemented alongside the seemingly identical default safety feature noted above.

Disclosures: SB 5 requires covered operators to provide two kinds of disclosures. First, minors must be provided a health warning from the Surgeon General concerning the potential harms of social media use. Secondly, covered operators must annually disclose to the state Attorney General’s office, in a publicly accessible format, information related to platform use, such as the total number of covered users for whom the covered operator obtained parental consent, enabled default settings, and the average amount of time covered users spent on the platform per day. SB 5’s reliance on disclosure obligations follows a growing trend of requiring various kinds of disclosures in online safety legislation to both individuals, like in Colorado’s recently enjoined social media warnings law, and to state entities for public accessibility, like in South Carolina’s AADC.

Enforcement: A covered operator’s violation of these requirements constitutes an unfair or deceptive trade practice under Connecticut consumer protection law, which includes a private right of action in addition to state enforcement authority. These requirements become effective on January 1, 2028.

4. AI provenance rules make their way east in SB 5

SB 5 picks up the provenance trend seen in western states–adding Connecticut to the growing list of states setting requirements for AI-generated content. SB 5 would require covered providers to include provenance data in content that is created or materially altered by a generative AI system. California spearheaded AI provenance data disclosure with the California AI Transparency Act, enacted in 2024 and amended in 2025. Other states with provenance data laws include Utah and Washington.

The provision is relatively targeted. It applies to covered providers that produce publicly accessible generative AI systems for personal use with more than 1 million monthly users. It also focuses on content that is created or “materially altered” by a generative AI system, while excluding minor modifications such as changes in color or resizing. That distinction helps to focus the law’s requirement on more meaningful generative AI edits, rather than changes unlikely to affect the substance of the content.

The law requires provenance data to be difficult to tamper with or remove. At the same time, covered providers are not required to include information relating to an identified or reasonably identifiable individual, trade secrets, or confidential or proprietary information.

These provenance requirements are narrower than SB 5’s provisions on chatbots or AEDTs, but still notable because they place Connecticut within a growing state-level push to make AI-generated and altered content easier to trace. Other provenance data bills are still pending in states like Arizona and New Jersey. These requirements take effect October 1, 2026.

5. Whistleblowers, layoff notices, and sandboxes get targeted treatment in SB 5

SB 5 also borrows from a few other state AI playbooks, like frontier AI protections and regulatory sandboxes. But in both cases, Connecticut takes a narrower path. Rather than creating a full frontier model governance framework or immediately launching a sandbox program, SB 5 focuses on employee whistleblower protections and planning for a potential future sandbox, as well as a targeted AI-related layoff notice requirement.

Frontier AI whistleblower protections: SB 5 borrows the language of frontier AI laws, but not the full architecture. Like California’s SB 53 and New York’s RAISE Act, it defines key terms such as “frontier developer,” “large frontier developer,” and “catastrophic risk.” But unlike broader frontier AI frameworks, SB 5 does not require developers to publish governance frameworks, issue transparency reports, or establish critical safety incident reporting mechanisms. Instead, it focuses on solely protecting employees who report certain serious AI-related risks.

The law would prohibit frontier developers from penalizing covered employees for protected whistleblower activity and bar retaliation against employees who report, with reasonable cause, conduct they believe poses a specific and substantial danger to public health or safety due to a catastrophic risk. Large frontier developers would also need to create an internal reporting process by January 1, 2027, allowing employees to anonymously report such risks, provide updates to reporting employees, share reports with directors quarterly, and notify employees of their rights. These requirements take effect October 1, 2026.

AI-related layoff notices: SB 5 also includes a workforce disclosure provision. Employers issuing plant-closing or mass layoff notices would need to disclose to the Labor Department whether the layoffs are related to the employer’s use of AI. These requirements take effect October 1, 2026.

Regulatory sandbox planning:  SB 5 directs the Commissioner of Economic and Community Development to develop a plan for an AI regulatory sandbox program, joining a small but growing group of states (Utah, Texas, and Delaware) that have adopted AI sandbox frameworks. The program would allow approved applicants to test innovative AI systems under reduced regulatory requirements.

But here too, Connecticut starts with a blueprint. SB 5 requires planning for a potential sandbox, not the immediate launch of one, and asks the Commissioner to assess the feasibility of a reciprocal, multistate sandbox model. Recommendations are due by January 1, 2028.

Conclusion

SB 5 does not create one comprehensive AI framework. Instead, it reflects a broader trend in state AI policymaking of setting targeted obligations across several use cases, from companion chatbots and employment tools to provenance data and frontier AI employee protections. As states continue experimenting with issue-specific AI laws, Connecticut’s SB 5 offers another example of how significant AI regulation can emerge through issue-specific provisions. Additionally, as states continue to pursue substantive online safety frameworks for minors, whether other jurisdictions will pair social media regulation with chatbot safety requirements remains a trend to watch.