Last month, the Connecticut legislature passed two bills that amend and expand the Connecticut Data Privacy Act (CTDPA): Senate Bill 4 (SB 4) and House Bill 5222 (HB 5222). SB 4 (which was signed into law on May 27, 2026) and HB 5222 (which amends parts of SB 4 and was signed into law on June 2, 2026) contain new requirements for businesses and data brokers operating in the Constitution State.

SB 4, as amended by HB 5222 (collectively, the CTDPA Updates), amends the CTDPA by:

  1. creating a new, broad framework for defining what a data broker is and imposing registration and deletion requirements;
  2. adding to the list of states imposing restrictions and disclosure requirements on surveillance pricing;
  3. banning the sale of any Connecticut resident’s precise geolocation data;
  4. placing unique restrictions and disclosure requirements on the use of facial recognition technology for physical security purposes; and
  5. placing new compliance requirements on consumer genetic testing companies.

Except as otherwise noted below, the requirements of the CTDPA Updates are set to take effect on October 1, 2026. Here is a summary of the provisions and key takeaways:

Data broker requirements. Existing laws in California, Oregon, Texas, and Vermont offer varying definitions of what it means to be a data broker, and the CTDPA Updates introduce yet another definition of which all businesses should be aware—as well as new substantive obligations with which data brokers must comply. The definition of a data broker under the CTDPA Updates has the potential to capture new entities that do not currently consider themselves to be data brokers.

Scope. The CTDPA Updates largely mirror Oregon’s House Bill 2052 by defining a “data broker” as any business or any portion of a business that sells or licenses “brokered personal data” to another person. “Brokered personal data” includes direct identifiers (such as a consumer’s name, address, date of birth, and biometric data) and information that, alone or in combination with other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty. Unlike Oregon’s law, however, the CTDPA Updates omit defined exceptions for entities that are not data brokers and instead include a set of general carveouts from the law that is similar to, but slightly different from, Oregon’s law. For example, Oregon’s law states that a business is not a data broker when it collects information about “a customer, subscriber or user of the business entity’s goods or services.” Connecticut’s data broker law, meanwhile, states that it does not apply to information collected about a consumer “in a contractual relationship with the business,” which constitutes a narrower exception.

Registration requirement. The CTDPA Updates establish a data broker registration program administered by Connecticut’s Department of Consumer Protection. The CTDPA Updates require data brokers that sell or license brokered personal data in the state to be actively registered with the Department, submit specified information (including, but not limited to, the applicant’s name, contact information, and primary internet website address), and maintain a privacy policy addressing compliance with the bill and the CTDPA. Each application for an initial registration as a data broker will be accompanied by an initial registration fee of $2,500, and registration with the Department will be required by January 1, 2027. Data brokers will be required to renew their registration and pay an additional $2,500 renewal fee annually.

Accessible deletion mechanism requirement. Through the passage of the CTDPA Updates, Connecticut has become the second state in the country (after California) to establish a mandatory accessible data deletion mechanism for consumers. This will allow Connecticut residents to submit a single deletion request to registered data brokers to have their personal data deleted. Registered data brokers must access the deletion mechanism at least once every 45 days and comply with verified deletion requests. Implementation of the accessible deletion mechanism must be complete by July 1, 2028, and deletion requirements will begin October 1, 2028.

Independent audit requirements. Beginning in 2031, the CTDPA Updates also require registered data brokers to retain, at their own expense, an independent auditor to audit the data broker’s books to assess compliance with the accessible deletion mechanism requirements of the law and prepare an audit report. Data brokers must have these audits conducted every three years and maintain each audit report and any associated materials for a period of at least six years. Data brokers will be required to produce audit reports to the Connecticut Department of Consumer Protection within five business days of a request.

Enforcement. The CTDPA Updates empower Connecticut’s Commissioner of Consumer Protection to impose civil penalties of up to $200 per day per consumer for each violation, following a notice and hearing. If even one percent of Connecticut’s total population submits deletion requests via the new mechanism, that equates to possible civil penalties of over $7 million per day for data brokers that fail to comply with their deletion obligations under the law.

Surveillance pricing restrictions. The CTDPA Updates also create new rules to address surveillance pricing, which is generally defined as the practice of using a consumer’s or group of consumers’ personal data (such as internet browsing history, income, or precise geolocation) to set individualized prices for those consumers. Connecticut has become the third state in the nation (after New York and Maryland) to regulate the use of surveillance pricing (sometimes referred to as personalized algorithmic pricing or dynamic pricing). The CTDPA Updates direct “any person” doing business in Connecticut who uses a consumer’s personal data to increase the price of a consumer good or service for that consumer through an automated process to include the following (or a substantially similar) disclosure along with the price: “THIS PRICE WAS INCREASED USING YOUR PERSONAL DATA.” In addition, surveillance pricing is expressly prohibited for retail sellers (i.e., retailers that make in-person sales of tangible personal property and retail food establishments) and third-party delivery services doing business in Connecticut, subject to some limited exceptions such as for retention offers, winning back customers, attracting new customers, item cross-selling, differences in costs, loyalty programs, correcting pricing errors, and discounts available to all consumers in broadly defined groups, such as veterans, seniors, students, and teachers.

Geolocation data sale ban. SB 4 generally prohibits the sale of a consumer’s “precise geolocation data,” which is defined as information derived from technology, including, but not limited to, GPS coordinates or other mechanisms that directly identify the specific location of an individual with precision and accuracy within a radius of 1,750 feet. SB 4 joins the growing landscape of state laws that have already restricted the use and sale of geolocation data. (See, e.g., Oregon’s HB 2008 and Maryland’s Online Data Privacy Act—both of which ban the sale of consumers’ geolocation data.)

Unique facial recognition requirements. The CTDPA Updates also restrict permissible uses of facial recognition technology by controllers, processors, and consumer health data controllers. If these entities use facial recognition technology on their premises to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment or other illegal activities, they must exclusively use the technology to match still images or video to a database that is under their exclusive maintenance and control. In other words, the CTDPA Updates prohibit the use of facial recognition technology on private property in Connecticut for security purposes if that technology matches faces to third-party or public databases. The CTDPA Updates also require clearly legible signage to be posted at each entrance to the premises where the facial recognition technology is in use (except for entrances to areas where access is restricted to authorized employees). The signage must include a conspicuous hyperlink or QR code that directs consumers to the facial recognition technology policy maintained by the controller, processor, or consumer health data controller. Such policies must include contact information for the office of the Connecticut Attorney General and may disclose the organization’s policies concerning interactions between their loss prevention officers and consumers. These requirements do not apply in situations where a consumer has consented to the use of facial recognition technology in the course of a commercial transaction.

Requirements for consumer genetic testing companies. SB 4 creates a property right in consumers’ biological samples provided to a direct-to-consumer genetic testing company and in the results of any genetic testing conducted on the consumer’s DNA by such companies. Further, the law requires direct-to-consumer genetic testing companies to disclose their policies and procedures concerning the collection, use, and disclosure of genetic data prior to accepting any biological sample, genetic data, or payment from a consumer. These companies must also, among other things: (1) prominently display a privacy notice on their websites; (2) obtain consumers’ express consent to collect, disclose, transfer, use, and retain their genetic data; (3) implement reasonable security measures to protect consumers’ biological samples or genetic data from any unauthorized access, destruction, use, modification, or disclosure; and (4) implement a process for consumers to access, delete, and destroy their biological samples and genetic data.

Next steps. In light of the passage of the CTDPA Updates, many companies doing business in Connecticut will need to evaluate whether they are prepared to comply with the new requirements for data brokers and restrictions on surveillance pricing, location data sales, and the use of facial recognition technology.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your compliance efforts, please contact Tracy Shapiro, Maneesha Mithal, Eddie Holman, Michelle Ullman, or any member of the firm’s Data, Privacy, and Cybersecurity practice.