Third Time’s the Charm: Connecticut Enacts Annual Privacy Update
The Connecticut Data Privacy Act (CTDPA) has been revised multiple times since being enacted in 2022: SB 3 added heightened protections for consumer health data and for minors in 2023; and SB 1295 in 2025 expanded the law’s scope, updated and added consumer rights, modified the data minimization and purpose limitation requirements, prescribed impact assessment requirements for profiling, and further heightened protections for minors. Like clockwork, Connecticut has once again passed new privacy legislation.
This year’s efforts include more CTDPA amendments, a new California Delete Act–style data broker registry and accessible deletion mechanism, restrictions on data-driven pricing, and regulation of direct-to-consumer genetic testing. These changes came in a trio of bills: SB 4, HB 5222, and HB 5563. The bulk of the new requirements are located in SB 4, but, due to legislative procedure and timing, there were additional ‘clean-up’ amendments to SB 4 in the other two bills. Governor Lamont signed SB 4 on May 27. Although at the time of publication we are still waiting for HB 5222 and HB 5563 to be signed, this blog post assumes that these bills will be enacted and provides an overview of all three bills’ main requirements.
Key elements of these bills:
- Privacy Updates: The CTDPA amendments are less significant than prior revisions in SB 3 or SB 1295. The biggest change is that the law will now ban the sale of precise geolocation data, whether by a controller or a third party. The amendments also narrow the definition of publicly available information, expand the deletion rights, and add transparency requirements for the use of facial recognition technology for security/fraud prevention.
- Data Brokers: Connecticut becomes the second state to enact a Delete Act that both requires data brokers to annually register with the state and creates an accessible deletion mechanism allowing consumers to submit deletion requests to many data brokers at once.
- Data-Driven Pricing: Amidst growing public scrutiny over data-driven pricing, this law bans “surveillance pricing” by a retail seller or third-party delivery service, subject to exceptions, and subjects any other person engaged in “surveillance pricing” to mandatory disclosures.
- Genetics: Connecticut becomes the latest state to regulate direct-to-consumer genetic testing companies. This law includes a slightly unusual “property” right for consumers over their biological samples and DNA testing results.
Note: The legislature also passed SB 5, a broad AI bill that addresses companion chatbots, automated decision-making technology, social media, and other AI-related provisions. If that bill is signed by the Governor, FPF will cover it in a separate blog post.
CTDPA Updates (SB 4, Sections 12-16; HB 5222, Section 45)
The updates to the CTDPA primarily affect publicly available information, the consumer deletion right, the sale of precise geolocation data, and the use of facial recognition technology for security purposes in retail. Many of these changes are responsive to legislative recommendations in enforcement reports from the Connecticut AG.
- Publicly Available Information: This bill narrows the definition of “publicly available information,” including by adding exceptions for obscene visual depictions, information created by combining personal data with publicly available information, genetic data (unless made publicly available by the consumer), information provided by a consumer on a publicly accessible website or online service (subject to additional criteria), nonconsensual intimate images, and nonconsensual intimate synthetically created images.
- Deletion: Prior to SB 4 being enacted, the deletion right extended to personal data provided by, or obtained about, the consumer. This bill expands that right to also apply to some publicly available information. Specifically, a consumer shall have the right to delete (i) publicly available information that is collated and combined to create a consumer profile made available to a user of a publicly accessible website for compensation or free of charge, (ii) publicly available information made available for sale, or (iii) any inference generated from information described in (i) or (ii).
- Precise Geolocation Data: This bill prohibits controllers or third parties from selling a consumer’s precise geolocation data. This is consistent with an emerging trend in state privacy law. Maryland banned the sale of sensitive data in 2024. Both Oregon and Virginia banned the sale of precise geolocation data in 2025 and 2026, respectively.
- Facial Recognition Technology: Like most state comprehensive privacy laws, the CTDPA includes a broad exception for preventing, detecting, protecting against, or responding to security incidents, identity theft, fraud, and similar activities. This bill adds new requirements for a controller (or consumer health data controller) that uses facial recognition technology (“FRT”) pursuant to that exception. FRT is defined as “any technology that analyzes facial features in still images or video to uniquely and personally identify a specific individual.” Notably, this definition does not reference the CTDPA’s existing definition of “biometric data.” To rely on the security/fraud exception when using FRT, a controller must: (i) use FRT exclusively to match still images or video against a database maintained exclusively by the controller (i.e., not a shared or third-party watchlist); and (ii) post clearly legible signage at entrances (other than an entrance to an area restricted to authorized employees) that alerts consumers that FRT is in use and provides a conspicuous hyperlink or quick response code directing consumers to the controller’s FRT policy. The FRT policy must include contact information for the AG’s office and “may” disclose the controller’s policies concerning “interactions between the controller’s . . . loss prevention officers and consumers.” A controller is not required to comply with these requirements if it has obtained the consumer’s consent to use FRT “in the course of a commercial transaction.”
These requirements will be effective October 1, 2026.
Data Brokers (SB 4, Sections 1-10; HB 5222, Sections 39-43)
Connecticut joins California, Oregon, Texas, and Vermont by creating a data broker registry. Starting January 1, 2027, this bill would prohibit a “data broker” from selling or licensing “brokered personal data” in Connecticut unless the data broker is actively registered with the Department of Consumer Protection.
- Data Broker: Any business or portion of a business that sells or licenses brokered personal data to another person;
- Brokered Personal Data: One or more of the listed personal data elements concerning a consumer, if categorized or organized for sale or license to a third party. These data elements include name, address, date or place of birth, mother’s maiden name, unique biometric data (used to identify or authenticate the consumer), name or address of a member of the consumer’s immediate family or household, SSN or other government-issued ID number, or other information that (alone or combined) would allow a reasonable person to identify the consumer with reasonable certainty.
Notable exemptions include: personal data collected or sold in compliance with the Driver’s Privacy Protection Act; consumer reporting agencies and furnishers to the extent they are engaged in activities regulated by FCRA; financial institutions, affiliates and nonaffiliated third parties to the extent they are engaged in activities regulated under Title V of GLBA; covered entities, business associates, and protected health information under HIPAA; and narrow exceptions for activities such as selling or licensing publicly available information (defined narrowly), providing digital access to materials such as newspapers, or providing directory assistance.
Registration will be annual, cost $2,500, and require applications to include extensive, mandated disclosures (e.g., a public website with information on how consumers can exercise consumer rights under the CTDPA, whether the data broker collects certain listed categories of personal information, whether and to what extent the data broker is subject to regulation under FCRA, GLBA, and HIPAA).
The Commissioner of Consumer Protection will establish and update a public website disclosing the information each data broker includes in its registration application. Similar to the California Delete Act, this bill will also require the state to establish, by July 1, 2028, an accessible deletion mechanism that allows consumers to submit a single deletion request to (up to) all registered data brokers. The Commissioner has authority to adopt regulations to implement sections 2-8 of the bill. Starting October 1, 2028, data brokers will be required to process deletion requests submitted via the accessible deletion mechanism at least once every 45 days. Also consistent with the Delete Act, data brokers will be required to undergo independent third-party audits once every three years (starting in 2031). The penalty under the new data broker provisions is $200 per day per consumer for each violation.
There are two unique aspects of Connecticut’s data broker requirements worth flagging. First, the law is scoped broadly and, unlike other state data broker laws, does not clearly carve out data collected in the context of a first-party relationship. For example, most laws define a data broker as a business that (1) collects and sells personal information concerning a consumer with whom the business does not have a direct relationship, or (2) sells personal data that the business did not collect directly from the consumer. The closest thing to a first-party relationship exception in this bill is a carve out for a business that collects information concerning a consumer if the consumer is or was “in a contractual relationship with the business” or any “similar” relationship. This provision is similar to, but less defined than, language in Oregon’s and Vermont’s laws carving out a business that collects information about a consumer who is a past or present customer, subscriber, or user of the business’s goods or services.
The second ambiguity to note is inconsistent scoping regarding “brokered personal data” versus “personal data.” For example, the obligation for data brokers to comply with a verified deletion request provides that a data broker must “delete any personal data such registered data broker maintains concerning the participating consumer.” This bill adopts the definition of “personal data” from the CTDPA: “any information that is linked or reasonably linkable to an identified or identifiable individual.” However, that term is broader than “brokered personal data,” as utilized within the definition of “data broker,” which is limited to an enumerated list of identifiers. As a result, data brokers may be required to delete more information than what is required to label them as a data broker.
Data-Driven Pricing (HB 5563, Section 501)
This bill (1) bans surveillance pricing by a retail seller or third-party delivery service, subject to exceptions, and (2) subjects any other person engaged in surveillance pricing to mandatory disclosures.
- Surveillance Pricing: Establishing a customized price for a consumer good or service that is specific to a consumer (or group of consumers) based in whole or in part on the consumer’s personal data collected (A) through any technology or technological method, system, or tool [examples given include biometric monitoring, camera, device tracking, or sensor] and (B) by the person establishing the customized price, directly or indirectly.
- The following activities do not constitute “surveillance pricing,” provided that the retail seller or third-party delivery service prominently posts the discount, discounted price, and terms and conditions in language readily understandable by the average consumer:
  - Establishing a discounted price for purposes such as retaining a customer, reestablishing a customer, attracting a new customer, cross-selling an item, or reengaging a lapsed customer;
  - Establishing different prices due to justifiable differences in costs incurred in providing the good or service (e.g., due to physical location or delivery distance) or justifiable temporal differences;
  - Establishing a discounted price
    - based on publicly disclosed uniform terms and conditions available to any consumer,
    - available to all consumers in a broadly defined group (e.g., veterans) based on publicly disclosed discounts and uniform terms and conditions, or
    - through a loyalty, membership, or rewards program that a consumer affirmatively enrolls in; and
  - Correcting an erroneous price.
- Retail Seller: A retailer (including retail food establishments) engaged in making sales, at retail, of “tangible personal property” (which includes “digital goods”).
- Third-Party Delivery Service: An entity—outside of the operation of a retail food establishment’s business—that facilitates delivery or online ordering services to customers of a retail food establishment.
The prohibition on surveillance pricing is narrowly targeted to retail sellers and third-party delivery services. Earlier this year, Maryland enacted a similar but narrower law, the Protection From Predatory Pricing Act (HB 895), which regulates food retailers’ and third-party delivery service providers’ use of dynamic pricing, personal data, and protected class data in setting prices for food.
The disclosure requirements broadly apply to “any person” doing business in Connecticut who engages in surveillance pricing for any reason other than to establish a discounted price for a consumer good or service as part of an online transaction, and who (online) advertises or promotes the price, labels a consumer good with the price, or publishes a statement, image, or announcement disclosing the price. These requirements include providing a mandated disclosure stating “THIS PRICE WAS INCREASED USING YOUR PERSONAL DATA” and informing consumers of their rights under the CTDPA. The disclosure must be “readily visible to the average consumer.” No disclosure is required if the price is the bona fide market price, as defined in the bill. The disclosure requirement is similar to that under New York’s Algorithmic Pricing Disclosure Act.
These provisions are subject to entity-level exemptions, including for persons licensed to operate under the state’s insurance laws and persons whose activities are based on data provided in a consumer report covered by FCRA or data reflecting factors a creditor may consider under the Equal Credit Opportunity Act.
Violations of these provisions will be enforced exclusively by the AG as unfair or deceptive trade practices. These requirements will be effective February 1, 2027.
Procedural Note: HB 5563 substitutes its own data-driven pricing requirements for those in HB 5222, which in turn repealed and replaced the data-driven pricing section in SB 4.
Genetic Testing (SB 4, Sections 17-19)
In its most recent enforcement report, the Connecticut AG’s office “urge[d] the legislature to adopt a standalone genetic data privacy law.” This bill responds to that call, making Connecticut the second state this year, after South Dakota (SB 49), to enact a direct-to-consumer genetic testing privacy law. The requirements for direct-to-consumer genetic testing companies include—
- Transparency and mandatory disclosures to consumers;
- Obtaining express consent for collecting, using or disclosing a consumer’s genetic data;
- Obtaining separate consent for disclosures or transfers of genetic data to any person other than a vendor or service provider, secondary uses of genetic data, and retention of a biological sample after completion of the testing;
- Obtaining informed consent pursuant to 45 C.F.R. Part 46 for disclosure or transfer of genetic data to a third party for research purposes;
- Limits on disclosing consumers’ genetic testing results to any person other than the consumer (without express consent or pursuant to a court order, warrant, or subpoena);
- Limits on disclosing a consumer’s genetic data to the consumer’s employer, certain insurers, or third parties whom the company knows or reasonably should know intend to use the data for marketing or targeted advertising;
- Implementing reasonable security measures to protect biological samples and genetic data; and
- Implementing a process for consumers to access their genetic data, have their genetic data deleted, have their biological samples destroyed, and revoke previously given consent for research.
Similar to Texas’s law, this law also provides consumers with a “property right in, and . . . the right to exercise exclusive control over,” their biological samples used by a direct-to-consumer genetic testing company as well as results of DNA testing by the company. These requirements will be effective October 1, 2026.
* * *
Looking to get up to speed on the existing state comprehensive consumer privacy laws? Check out FPF’s 2025 report, Anatomy of a State Comprehensive Privacy Law: Charting the Legislative Landscape.