close
close
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Regulations

Connecticut Expands Data Broker Privacy Law, What You Need To Know.

Kendall Lovett - June 3, 2026

Connecticut’s New Privacy Laws Put Data Brokers on Notice

Connecticut has had a busy few months. While most states are still working through their first-generation privacy laws, Connecticut has followed the lead of California’s Delete Act and DROP platform, passing a layered set of updates that significantly expand who is covered, what data is protected, and what data brokers are required to do.

If you operate in Connecticut, or collect data from Connecticut residents, the window to get ahead of these changes is narrowing.

Here’s what’s new, what it means, and what the key dates are that you need to know.

Two waves of new obligations

Connecticut’s 2026 privacy updates come in two distinct packages, and both matter.

The first is a set of amendments to the existing Connecticut Data Privacy Act (CTDPA), effective July 1, 2026. The second is Senate Bill 4 (now Public Act 26-64), signed by Governor Ned Lamont on May 27, 2026 and effective October 1, 2026. They layer on top of each other, and together they represent the most significant expansion of Connecticut’s privacy framework since the CTDPA was first enacted in 2023.

Expanded data broker requirements mean more companies are now in scope

The July amendments do something that too often gets buried in regulatory coverage: they expand the definition of who has to comply in the first place.

The amendment makes two notable changes to who must comply:

  1. It lowers the CTDPA’s applicability threshold from 100,000 Connecticut consumers to 35,000, bringing a significantly broader set of companies into scope. That’s not a minor adjustment.
  2. It extends requirements to any business that processes sensitive data or offers personal data for sale, regardless of size. There is no headcount or revenue floor for those categories.

☝️ If your team sized out of Connecticut compliance obligations under the original 100,000 consumer threshold, plan to revisit that analysis before July 1.

SB 4: what it means for privacy teams

Senate Bill 4 goes further. It is Connecticut’s most ambitious standalone privacy legislation to date, and its data broker provisions deserve particular attention.

These laws aren’t emerging in a vacuum. According to DataGrail’s 2026 Privacy and AI Trends Report, deletion requests have surged 567% since 2021, with data brokers absorbing a 398% jump in 2025 alone.

California’s Delete Act and Connecticut’s SB 4 are, in part, a direct legislative response to that consumer demand: people want easier, centralized ways to find out who holds their data and get rid of it. State-run deletion platforms are the infrastructure that makes that possible at scale.

Who qualifies as a data broker under Connecticut’s new law?

More companies qualify as data brokers than realize it. SB 4 defines data brokers as businesses that collect and sell or license personal data about consumers with whom they do not have a direct relationship. Under this definition, companies across advertising technology, analytics, financial services, and data aggregation may find themselves subject to registration requirements whether or not “data broker” is how they would describe themselves.

☝️ If your business monetizes consumer data collected from third-party sources, SB 4’s requirements likely apply to you.

New data broker registration and deletion obligations

Under SB 4, data brokers must register with Connecticut’s Department of Consumer Protection, disclose how they have responded to consumer deletion requests, and check the state-run deletion platform every 45 days for new requests. Connecticut becomes only the second state in the country, after California, to require a centralized deletion platform of this kind. DataGrail has covered California’s framework in depth, including how the Delete Act and DROP work and why more companies qualify as data brokers under California law than they expect. Connecticut’s registry raises the same questions for any business operating in the state.

Precise geolocation data is now off limits for sale

The law defines precise location data as information that can identify someone’s whereabouts within a 1,750-foot radius, and prohibits companies from selling it. Connecticut becomes only the fourth state to institute this prohibition, joining Maryland, Oregon, and Virginia. Any company whose data practices involve this level of location specificity, whether through apps, advertising technology, or third-party data sharing, needs to audit those workflows before October 1.

AI profiling assessments and LLM training disclosure required

The amendments also introduce AI-specific obligations that privacy teams should flag immediately. Companies will be required to conduct assessments of certain automated profiling activities, and must disclose when personal data is used to train large language models. For any company building or deploying AI products that touch Connecticut residents’ data, these aren’t future considerations.

Additional SB 4 provisions

SB 4 also restricts “surveillance pricing,” the practice of using personal data to set individualized prices for consumers. The law bolsters protections for genetic data. On facial recognition, businesses must now post notice whenever they deploy the technology, including for security or fraud-prevention purposes, and there are new restrictions on how facial recognition databases may be maintained. SB 4 also places new limits on how Connecticut state agencies may use automatic license plate reader data, including prohibitions on using that data for immigration enforcement or investigations involving reproductive or gender-affirming care.

Key dates at a glance

July 1, 2026: CTDPA amendments take effect. New applicability thresholds, AI profiling assessment requirements, and LLM training disclosure obligations all go live.

October 1, 2026: SB 4 takes effect. Geolocation sales ban, data broker registration framework, surveillance pricing restrictions, genetic data protections, and facial recognition and ALPR safeguards become enforceable.

January 1, 2027: Data broker registration deadline. Brokers must be registered with the Department of Consumer Protection or they may not sell or license brokered personal data in Connecticut.

July 1, 2028: State deletion platform goes live. Connecticut’s centralized consumer data deletion tool, modeled on California’s Delete Act, must be operational.

What this means for your privacy program

Connecticut’s 2026 updates are a useful window into where US state privacy law compliance is heading more broadly. Thresholds are dropping. Data broker registration requirements are spreading. AI obligations are arriving. And the states that were early movers are now iterating, building more teeth into laws that companies may have assumed were static.

Static compliance checklists and annual reviews aren’t built for this pace of change. Multi-state privacy compliance requires unified visibility into your data map, automated consumer rights workflows, and real-time regulatory intelligence. For everyone else, every new amendment is another manual scramble.

DataGrail is a complete, enterprise-grade data privacy platform that gives brands visibility into unknown risks so they can be proactively mitigated, with purpose-built DSR automation and 2,500+ integrations to help you meet deletion obligations at scale. If you’re working through what Connecticut’s 2026 updates mean for your program, talk to a DataGrail expert.

Related Content
The Delete Act and DROP: What You Need to Know
GrailCast Live Ep. 2 Rewind: The Responsible AI Governance Blueprint ft. Lauren Nardoni
What You Need To Know About Indiana’s New Privacy Law
What You Need To Know About Tennessee’s New Privacy Law
Contact Us image

Let’s get started

Ready to level up your privacy program?

We're here to help.

Talk to an expert