On May 27, 2026, the Connecticut governor signed SB 4, an omnibus privacy law, which, among other things, amends the Connecticut Data Privacy Act (“CTDPA”), establishes a data broker registry and accessible deletion mechanism, imposes restrictions on the use of price setting devices and surveillance pricing, and creates requirements for direct-to-consumer genetic testing companies.
The CTDPA amendments, data-driven pricing provisions, and genetic testing provisions take effect on October 1, 2026, while the data broker registration requirements take effect on January 1, 2027. Certain other data broker requirements would phase in between 2027 and 2031.
CTDPA Amendments. SB 4 makes several amendments to the CTDPA, including the following:
- Publicly Available Information: SB 4 updated the definition of “publicly available information” to exclude obscene visual depictions, data created by combining personal data with publicly available information, genetic data unless that data is made publicly available by the consumer, information provided by a consumer on a publicly accessible website or online service where the consumer has a reasonable expectation of privacy, intimate images known to be nonconsensual, and intimate synthetically created images known to be nonconsensual.
- Consumer Deletion Rights: SB 4 broadens the consumer deletion right to apply to publicly available information that is (i) collated and combined to create a consumer profile that is freely available to a user of a public website or (ii) made available for sale, and any inferences generated from that information.
- Purpose Limitation: SB 4 also amends the purpose limitation provision so that it applies to processing for any new purpose, removing the “material” new purpose qualifier.
- Precise Geolocation Data: SB 4 prohibits controllers or third parties from selling a consumer’s precise geolocation data.
- Facial Recognition Technology: SB 4 establishes new requirements for a controller or consumer health data controller that uses facial recognition technology (“FRT”) on its premises to prevent fraud pursuant to the CTDPA’s existing exceptions. SB 4 defines FRT as “any technology that analyzes facial features in still images or video to uniquely and personally identify a specific individual.” A controller who uses FRT for fraud prevention purposes must: (i) exclusively use FRT to match still images or video to a database maintained exclusively by the controller; and (ii) post clearly legible signage at entrances to the premises where FRT is used, other than entrances to an area where access is restricted to authorized employees. The signage must alert consumers that FRT is in use and provide a conspicuous hyperlink or QR code directing consumers to the controller’s FRT policy. The FRT policy must include contact information for the Attorney General’s office and “may” disclose the controller’s policies concerning interactions between loss prevention officers and consumers.
Data Brokers. SB 4 establishes a data broker registration program, following California, Oregon, Texas, and Vermont in creating such a registry.
- Covered Entities: A “data broker” is defined as any business, or any portion of a business, that sells or licenses brokered personal data to another person. “Brokered personal data” generally refers to personal data elements concerning a consumer that are categorized or organized for sale or license to a third party.
- Registration: Data brokers are required to register annually with the Department of Consumer Protection and include a set of mandated disclosures in their registration applications, including information about how consumers can exercise their rights under the CTDPA, whether the data broker collects certain listed categories of personal information, and the extent to which the data broker is subject to regulation under FCRA, GLBA, and HIPAA. The state will establish and maintain a public website that discloses the information included in each data broker’s registration application.
- Accessible Deletion Mechanism: Similar to the California Delete Act, SB 4 requires the Commissioner of Consumer Protection to establish an accessible deletion mechanism by July 1, 2028, allowing consumers to submit a single deletion request to all registered data brokers. Data brokers will be required to comply with deletion requests submitted through this mechanism once every 45 days, beginning October 1, 2028.
- Audits: Data brokers will also be subject to independent third-party audit requirements once every three years, beginning in 2031.
- Exemptions: The law includes exemptions for certain data and entities regulated under laws such as the DPPA, FCRA, GLBA, and HIPAA, as well as exclusions for selling or licensing of brokered personal data if such sale or licensing exclusively involves publicly available information that (A) concerns a consumer’s business or profession, (B) is sold or licensed as part of a health or safety alert service, or (C) is lawfully made available from government records, unless those records are combined to create consumer profiles that are available to consumers for free or are used to generate inferences about the consumer.
- Enforcement: The Commissioner of Consumer Protection may impose civil penalties of not more than $200 per day per consumer for each violation.
Data-Driven Pricing. The law also would impose disclosure requirements when a covered entity uses a “price setting device” and it would prohibit “retail sellers” and “third-party delivery services” from engaging in “surveillance pricing.”
- Price Setting Device Disclosures: Persons who use a “price setting device,” defined as an automated or programmed process that uses a consumer’s personal data to establish a price for a good or service, and who directly or indirectly advertise or promote online a price established by using a price setting device, must provide a readily visible disclosure stating, “THIS PRICE WAS INCREASED BY A PRICE SETTING DEVICE USING YOUR PERSONAL DATA.” This disclosure requirement does not apply when a person uses a price setting device to establish a discounted price for a good or service.
- Surveillance Pricing Prohibition: The law would prohibit retail sellers and third-party delivery services from engaging in “surveillance pricing,” defined as establishing a customized price for a consumer, or group of consumers, for a consumer good or service based on personal data collected through any technology and by the person establishing the customized price, directly or indirectly. The law would exclude certain activities from the definition of surveillance pricing, such as discounted pricing and establishing different prices due to justifiable differences in costs (e.g., delivery distances or delivery times).
- Entity-level Exemptions: The law would not apply to persons licensed pursuant to insurance laws of the state, financial institutions regulated by the GLBA, and banks that are subject to the supervision of the Banking Commissioner.
- Enforcement: Violations will be enforced solely by the Attorney General as unfair or deceptive trade practices, and the requirements take effect on February 1, 2027.
DTC Genetic Testing Companies. SB 4 establishes requirements for direct-to-consumer genetic testing companies. You can read more about these requirements in our blog post here.