
Connecticut’s Governor Ned Lamont announced on May 29, 2026, that he had ratified sweeping artificial intelligence legislation in Senate Bill 5, titled “An Act Concerning Online Safety.” The law is unique in its breadth among the growing list of state AI laws, in that it regulates several distinct applications or categories of AI.
Specifically, the law addresses: 1) subscription-based AI services; 2) frontier AI models; 3) automated employment-related decision technology; 4) AI companions; and 5) AI in social media. Below, we summarize certain requirements pertaining to each regulated topic.
Requirements
1) AI Subscription Services: “Subscription-based providers” of AI must provide consumers with a written notice disclosing the key terms of the subscription and must obtain from each subscriber written notice disclosing that the consumer has accepted such terms.
For initial subscriptions, notices must describe any quantitative or qualitative limitations the provider may impose and whether the provider has discretion to limit or eliminate access or to reduce the quantity or quality of any functionality. For subscription renewals, the notice must describe any quantitative or qualitative limitations that will be imposed for the first time upon renewal and any discretion as described above that the provider will be able to exercise for the first time upon renewal.
These provisions will become effective on October 1, 2026. Violations will be deemed unfair or deceptive trade practices.
2) Frontier Models: “Frontier developers” of AI “foundation models” are prohibited from retaliating against whistleblowers who report certain “catastrophic risks.” “Frontier developers” are defined as any person doing business in Connecticut that trains or intends to train a foundation model using computing power greater than ten to the twenty-sixth power integer or floating-point operations. “Catastrophic risks” are foreseeable, material risks that the foundation model will contribute to the death or serious injury of more than fifty individuals, or more than one billion dollars in loss of or damage to certain property, arising from certain types of incidents.
“Large frontier developers” (frontier developers with annual gross revenue over $500 million) must establish anonymous internal processes for employee reporting of potential catastrophic risks.
Whistleblower protections will become effective on October 1, 2026, and large developer internal reporting requirements will become effective on January 1, 2027. Violations will result in civil penalties of up to $1,000 per violation.
3) AEDT: Businesses deploying “automated employment-related decision technology” (AEDT) in hiring or other human resources contexts must disclose to relevant employees or candidates that they are interacting with an AEDT and must provide written pre-use notices containing certain content to applicants and employees. Such notices must disclose:
- That the deployer has deployed an AEDT;
- The purpose of the AEDT and the nature of its related decisions;
- The trade name of the AEDT;
- The categories of personal data the AEDT will process and how such data will be assessed in related decisions;
- The sources of the personal data; and
- The deployer’s contact information.
In addition, developers of AEDT must provide to deployers all information the deployer requires to comply with the above requirements.
These provisions will become effective on October 1, 2027. Violations will be deemed unfair or deceptive trade practices.
4) AI Companions: AI companion technologies that could cause a person to believe they are interacting with a human must provide notice to users that the user is interacting with AI. Operators must include protocols to detect language relating to self-harm, to refer users to mental health resources upon detection of such language, and to prohibit the AI from claiming that it is a human. Such protocols must be posted in a prominent and publicly accessible location on the operator’s website.
Operators are prohibited from providing AI companions to minors unless the operator has instituted certain measures to prevent the AI from encouraging self-harm or violence, to prevent explicit interactions, to encourage extended interactions, and to prevent the AI from offering mental health services (subject to certain exceptions). Operators must also provide minors and parents with tools to manage minor user screen time and account settings.
These provisions become effective on January 1, 2027. Violations will be deemed unfair or deceptive trade practices.
5) AI in Social Media: Operators of certain online technologies that utilize or offer social media-type content or interactions between users are required to utilize age verification technology to verify that users are not minors and, if a user is a minor, to obtain verifiable parental consent before providing algorithmic feeds to that minor. Operators of such platforms must display certain Surgeon General warnings regarding social media.
In addition, covered operators must make annual, public disclosures of certain information, including the total number of users, the portion of covered users for whom the operator obtained parental consent, and the average amount of time per day that covered users interacted with the platform.
Age verification and parental consent requirements will become effective on January 1, 2028. Reporting requirements will become effective on March 1, 2028. Violations will be deemed unfair or deceptive trade practices.
Conclusion
Taft has identified at least twenty-two states that have enacted legislation specifically regulating private business use of AI, not counting laws regarding “deep-fakes” or explicit content. Connecticut’s Act Concerning Online Safety is but the latest, significant addition to the U.S. state patchwork of AI laws. As businesses continue to develop and deploy AI solutions both internally for HR, hiring, and business operations, and externally in customer-facing products and services, businesses should engage legal counsel with the expertise needed to assess applicability and to help develop and execute compliance strategies. Taft’s Privacy, Security, and Artificial Intelligence attorneys are experienced in these matters and are ready and willing to help.