On May 27, 2026, Connecticut Governor Ned Lamont signed Senate Bill 4, now Public Act No. 26-64 (the “Act”),[1] significantly expanding the Connecticut Data Privacy Act (CTDPA).
The Act creates a California Delete Act-style, but Connecticut-specific, data broker registration and deletion-mechanism regime. It also restricts the sale, sharing, transfer, and provision of access to precise geolocation data;[2] imposes facial recognition transparency requirements; adds surveillance-pricing prohibitions and disclosure obligations; narrows the CTDPA’s “publicly available information” exclusion; adds rules for certain employment-related processing and profiling decisions; expands consumer deletion rights; and regulates direct-to-consumer (DTC) genetic testing companies.
At a high level, the Act adds compliance obligations for data brokers, CTDPA controllers and processors, retailers, third-party delivery services, and DTC genetic testing companies.[3]
These amendments follow shortly after the July 1, 2026 effective date for separate CTDPA amendments enacted in 2025 through SB 1295, which expanded coverage thresholds, added profiling impact assessment obligations, and imposed minors-related requirements. Companies should thus treat SB 4 as part of a broader 2026 Connecticut compliance cycle, rather than a standalone update.
I. SB 4: Key Takeaways
Key provisions[4] include:
- A California Delete Act-style data broker registry and centralized consumer deletion mechanism;
- Restrictions on the sale and transfer of precise geolocation data;
- New surveillance pricing obligations, meaning pricing programs historically treated as marketing or revenue optimization tools may require legal review;
- Expanded regulation of facial recognition technologies;
- New rules for profiling used to make legal or similarly significant decisions, including employment-related profiling, and related consumer rights;
- New consumer rights over genetic data held by direct-to-consumer genetic testing companies; and
- A narrowed CTDPA “publicly available information” exclusion, which may bring certain compiled or combined datasets within the scope of regulated personal data.
II. Companies and Data Practices Most Likely to Be Affected
Companies should pay particular attention if they:
- Sell or license brokered personal data,
- Sell, share, transfer, or provide access to precise geolocation data,
- Use personal data to set individualized prices,
- Use on-premises facial recognition for security, fraud prevention, or loss-prevention purposes,
- Compile public-source information into profiles for sale or licensing, or
- Offer consumer genetic testing products or services.
III. Compliance Timeline
The Act’s requirements phase in over several years. The first restrictions become effective in 2026, data broker and surveillance-pricing obligations follow in 2027, and other data broker obligations in 2028 and beyond.
| Compliance Date | Key Amendments and Compliance Requirements |
| --- | --- |
| October 1, 2026 | Core amendments take effect, including: (1) Establishment of a data broker registration framework and website, with registration obligations phasing in January 2027; (2) Restrictions on the sale, sharing, transfer, or provision of access to precise geolocation data; (3) Requirements for facial recognition technology; (4) Profiling-related requirements and changes to the definition of “publicly available information”; and (5) New rights and obligations concerning genetic data held by DTC genetic testing companies. |
| January 1, 2027 | Data broker registration takes effect. Data brokers may not sell or license brokered personal data in Connecticut unless registered with the Department of Consumer Protection, subject to statutory exceptions. Registration requires specified disclosures about the broker’s data practices, including a publicly accessible webpage explaining how consumers may exercise their CTDPA rights. |
| July 1, 2027 | Surveillance pricing obligations take effect. |
| July 1, 2028 | Department of Consumer Protection must establish the state-run accessible deletion mechanism. |
| October 1, 2028 | Registered data brokers must begin accessing the accessible deletion mechanism at least every 45 days and process covered deletion requests. |
| July 1, 2031 and beyond | Beginning in 2031, registered data brokers must undergo independent third-party audits at least once every three years. |
IV. Business Impact and Action Items
The following table summarizes the principal business impacts and practical steps for companies assessing whether the Act applies to their data practices.
| Who Is Affected | Issue | What Changed | Action Items |
| --- | --- | --- | --- |
| Businesses, or business units, that sell or license brokered personal data, including providers of analytics, location intelligence, people search, lead generation, marketing data, and identity resolution | Data Broker Regulations | Data brokers must register with the Department of Consumer Protection, disclose data practices, pay required fees, and participate in a state-run deletion mechanism. Note: Ordinary first-party CRM or loyalty program use, standing alone, is not considered data brokerage. | (1) Determine whether the company or any business unit qualifies as a data broker; (2) Inventory data sets that are sold or licensed; (3) Review public-facing consumer rights disclosures; (4) Prepare for registration and renewal obligations; (5) Begin designing deletion workflows; and (6) Review processor and service provider terms, including data use restrictions, audit rights and deletion assistance. |
| Entities that sell or otherwise provide third-party access to precise geolocation data | Precise Geolocation Data | The Act restricts the sale, sharing, transfer, or provision of access to precise geolocation data, with limited exceptions. The exceptions include certain processor disclosures, consumer-requested services, affiliate disclosures, and M&A-related transfers. | (1) Inventory precise geolocation data collection and sharing; (2) Identify all external access and disclosure points; (3) Determine application of statutory exceptions; and (4) Implement contractual and technical controls to prevent prohibited access, sale, or downstream use. |
| Retail sellers, third-party delivery services, and other businesses using personal data to set or display individualized online prices | Surveillance Pricing | Retail sellers and third-party delivery services face targeted restrictions on surveillance pricing. Other Connecticut businesses using online price labels may need to display a statutory disclosure when a price has been increased using personal data, unless an exception applies. | (1) Review pricing personalization practices; (2) Map the input of personal data in pricing models; (3) Distinguish individualized price increases from discounts, loyalty programs and publicly disclosed promotions; (4) Document applicable exceptions; (5) Coordinate legal review before launching or modifying personalized pricing programs; and (6) Ensure legal, product, pricing, and ad-tech teams follow a common ruleset for algorithmic and dynamic pricing in online transactions. |
| Users of on-premises Facial Recognition Technology (FRT) | Facial Recognition Technology | The Act requires notice, signage, policies, and use limits for on-premises FRT used for security, fraud and abuse prevention, or system security, but excludes FRT used with consumer consent in commercial transactions. | (1) Review facial-recognition deployments; (2) Create or update a facial-recognition policy; (3) Confirm the purpose, scope and database limitations for covered deployments; (4) Review signage, notices and notice placement; and (5) Align security operations with privacy governance. |
| Entities using profiling for employment, lending, housing, insurance, health care, or similarly consequential decisions | Employment[5] and Profiling | The Act narrows the CTDPA’s employment-related exemption and gives consumers new rights over certain profiling decisions. Controllers using profiling to produce legal or similarly significant effects must conduct impact assessments addressing use cases, risks, data inputs and outputs, performance metrics, limitations, transparency, monitoring and safeguards. | (1) Identify profiling used for employment, lending, housing, insurance, health care and similarly consequential decisions; (2) Conduct or update profiling impact assessments; and (3) Update privacy notices and internal governance. |
| Direct-to-Consumer Genetic Testing Companies | Genetic Testing | Consumers receive a property right and exclusive control over their biological samples and genetic test results, a notable departure from typical state privacy control rights. The Act imposes consent, disclosure, access, deletion, destruction, transfer, research, and security requirements. | (1) Review consent flows and required disclosures; (2) Assess vendor arrangements, research uses and data-transfer processes; (3) Review retention periods and deletion/destruction procedures; (4) Update consumer access workflows; and (5) Confirm restrictions on transfers to employers, certain insurers, and advertising or marketing recipients. |
| Controllers using public-source data to create, sell, or make available consumer profiles | Public-Source Data, Profiling, and Deletion Rights | The Act narrows the CTDPA’s “publicly available information” exception by excluding certain categories, including nonconsensual intimate depictions, certain genetic data, information from public websites where the consumer maintained a reasonable expectation of privacy, and data created by combining publicly available information with personal data. It also expands deletion rights for certain public-source profile information and related inferences. | (1) Review inventories of public-source data and profile products; (2) Determine where publicly available information is combined with personal data or used to create consumer profiles; (3) Reassess whether CTDPA exemptions or “publicly available information” assumptions remain valid; (4) Update deletion workflows; and (5) Revise applicable privacy notices and consumer-rights procedures. |
V. Key Provisions in Detail
As discussed above, the Act addresses several major privacy and consumer protection topics. The new provisions are generally enforced by the Connecticut Attorney General or relevant state agencies and do not create an Illinois BIPA-style private right of action. Below, we highlight in more detail some of the major provisions affecting entities that collect, use, sell, or license personal data of Connecticut residents.
- Data Brokers: Registration and Deletion Mechanism Obligations
The Act creates a state-supervised data broker registration program coupled with a state-run accessible deletion mechanism. Beginning January 1, 2027, data brokers may not sell or license brokered personal data in Connecticut unless registered with the Department of Consumer Protection, subject to statutory exceptions. Registration requires an annual $2,500 fee and specified disclosures about the broker’s data practices, including contact information, a publicly accessible consumer rights webpage, information about collection of certain sensitive categories of data, compliance measures, and regulatory status information. Connecticut thereby becomes the second state after California to require both data broker registration and a centralized deletion mechanism. The state must establish the deletion mechanism by July 1, 2028. Beginning October 1, 2028, registered data brokers must access the mechanism at least every 45 days and process covered deletion requests.
Data brokers should design verification and deletion workflows that do not collect more personal data than necessary and should account for later obligations, including annual public website disclosures and independent third-party audits.
- Restrictions on Sale of Precise Geolocation Data
Effective October 1, 2026, the Act prohibits controllers and third parties from selling a consumer’s precise geolocation data (excluding utility metering data). The CTDPA’s definition of “sale” includes exchanges for monetary or other valuable consideration but contains statutory exceptions for processor disclosures, consumer-requested services, affiliates, and M&A transfers.
Because “sale” is defined broadly, controllers should review transfers, licenses, Software Development Kit (SDK) access, ad-tech disclosures, analytics arrangements and other third-party access points to determine whether precise location data is being exchanged for monetary or other valuable consideration. App operators, in particular, should assess whether arrangements involving precise location data, geofencing events or point-of-interest signals tied to ad monetization, analytics credits, SDK functionality or revenue sharing could constitute a prohibited sale. Companies should not assume that OS-level location permission or general privacy policy disclosures alone resolve the issue.
Third-party SDKs are likely to be another point of risk under the Act. If an SDK vendor receives precise location data for its own purposes, uses the data to improve its own products or receives the data as part of the consideration for providing SDK functionality, the arrangement may require closer review. Companies should inventory SDKs and APIs, test actual data flows, review vendor terms and technical settings, and implement contractual and technical controls restricting onward use, retention and disclosure of precise geolocation data in ways that may violate the Act.
Location analytics providers that acquire device-level location data and sell foot traffic reports, audience segments, attribution products or competitive intelligence tools should also assess their exposure. In addition to the prohibition on precise geolocation sales, these companies should evaluate whether they qualify as data brokers and whether any outputs are sufficiently aggregated or de-identified to fall outside the restricted data flows.
Oregon, Maryland, and Virginia have adopted similar location data restrictions, and other states are considering comparable legislation.[6] Companies should thus treat the Act as part of a broader multi-state compliance program.
- Surveillance Pricing
Effective July 1, 2027, Connecticut restricts “surveillance pricing,” or the use of personal data to set or offer customized prices to consumers. Retail sellers and third-party delivery services doing business in Connecticut are prohibited from engaging in surveillance pricing, unless an exception applies. Retail sellers include businesses that sell, lease, or rent consumer goods or services, including digital goods, directly to end users. Third-party delivery services include businesses that facilitate delivery or online ordering for retail food establishments.
The Act also imposes a disclosure requirement on other businesses that engage in surveillance pricing in Connecticut. A business that uses surveillance pricing in connection with an online price advertisement, label, offer, or solicitation must display the disclosure: “THIS PRICE WAS INCREASED USING YOUR PERSONAL DATA,” or substantially similar language, unless an exception applies. Such exceptions include certain discounts, loyalty programs, publicly disclosed promotions, bona fide market-price offers, and certain regulated insurance activity.
Companies should review pricing personalization programs to determine whether they use personal data to set, increase, or display individualized prices. This review should include pricing models, experimentation platforms, loyalty and retention programs, ad-tech and analytics inputs, and vendor tools that influence pricing or offers. Companies should also distinguish individualized price increases from discounts or broadly available promotions, document applicable exceptions and coordinate legal review before launching or materially changing personalized pricing programs.
While differing in scope, Connecticut’s provision has similarities to New York’s existing algorithmic pricing law[7] and Maryland’s HB 895, which affects the food sector. Companies operating across state lines should thus consider implementing a governance framework that allows legal, product, pricing, marketing, and ad-tech teams to identify when a pricing practice triggers a prohibition, a disclosure obligation, or a state-specific exception.
- Facial Recognition: Premises Notices and Database Limits
Unlike Illinois’s BIPA, which broadly regulates biometric identifiers and includes written consent requirements and a private right of action, the Act imposes targeted operational limits and premises-level transparency obligations for facial recognition technology.
The Act applies to controllers[8] that use facial recognition technology (FRT)[9] on their premises for security, fraud prevention, anti-harassment, anti-abuse, legal compliance, or system-protection purposes. Online-only identity verification via facial recognition is thus not covered by this provision, but the broader CTDPA may still apply to it. The Act also includes a limited exception where the controller obtains the consumer’s consent to use FRT in the course of a commercial transaction.
For covered on-premises FRT uses, controllers must operate under a facial recognition policy and limit image matching to a database maintained exclusively by the controller. This creates compliance risk for systems that rely on cross-retailer, shared, or vendor-controlled watchlists or suspect databases. Beginning October 1, 2026, covered entities must post required on-site signage before using covered FRT. The notice must include a conspicuous hyperlink or QR code to the controller’s facial recognition policy and should be coordinated with the controller’s broader CTDPA privacy notice.
In practice, these obligations may affect any business that is open to consumers and uses FRT on its premises for loss prevention, physical security, fraud prevention, or similar purposes. Companies should thus map where FRT is deployed, confirm the purpose and database limitations for each use, review vendor contracts and watchlist practices, update or create facial recognition policies, and ensure that security, facilities, fraud, and privacy teams follow a common governance process.
- Profiling
Effective October 1, 2026, the Act expands the CTDPA’s treatment of profiling used to make decisions that produce legal or similarly significant effects. Companies should understand this concept broadly; profiling may include automated processing that evaluates, analyzes, predicts or scores aspects of an individual, including employment performance, economic situation, health, preferences, reliability, behavior, location, or movements. Companies should identify where profiling tools are used in any context involving significant decision-making. These tools may be embedded in vendor products, HR systems, eligibility screens, scoring models, recommendation engines or ranking tools. Companies should understand what data these tools use, what outputs they generate and how decision-makers use those outputs.
The Act also makes profiling impact assessments more important. Because the Act requires impact assessments for covered profiling, controllers should be prepared to maintain written records explaining the purpose of the profiling activity, the data inputs and outputs, the reasonably foreseeable risks, how the tool’s performance is measured, any known limitations, and the transparency, monitoring, and safeguard measures used to reduce risk. Where profiling tools are provided by vendors, companies should review contracts, documentation, testing information and oversight rights.
For employment-related tools, companies should also revisit prior assumptions that certain processing was outside the scope of the CTDPA. As a practical matter, businesses may need to update privacy notices, consumer-rights procedures, vendor diligence, internal approval workflows, profiling inventories and ongoing monitoring practices.
- Direct-to-Consumer Genetic Testing Company Regulation
Effective October 1, 2026, the Act grants consumers a property right[10] in biological samples provided to DTC genetic testing companies and in the resulting genetic test results. This formulation is notable because most state privacy laws provide control rights, rather than express property rights in samples or results. DTC genetic testing companies must disclose their policies before accepting a biological sample, genetic data, or payment. Separate express consent is required for: (i) disclosure to anyone other than a vendor or service provider; (ii) secondary uses; and (iii) retention after testing. Research transfers require informed consent meeting federal standards for human-subjects research.
The Act also restricts certain downstream disclosures. DTC genetic testing companies may not disclose genetic testing results to employers, certain insurers for underwriting purposes, or third parties that the company knows intend to use the data for advertising, marketing or other promotional purposes. Covered companies must also implement reasonable security measures, provide consumer access and honor deletion or destruction requests.
- Public-Source Data, Profiling, and Deletion Rights
Effective October 1, 2026, the Act narrows the CTDPA’s “publicly available information” exclusion and limits the ability to treat public-source data as categorically outside the law. Companies should no longer assume that information is exempt solely because it was obtained from a public website, public record or other publicly accessible source. These amendments are particularly relevant where public-source data is combined with other personal data, used to build profiles, or incorporated into products made available to customers or other third parties.
As a practical matter, the amendments require closer attention to data lineage. Companies that scrape, enrich, append, score or package public-source information should assess whether they can identify the source of each data element and distinguish public-source data from non-public personal data. Companies should also consider whether derived data or related inferences may be subject to deletion rights, particularly where information is used to create consumer profiles that are made publicly available or offered for sale.
These changes may affect people-search, lead-generation, identity-resolution, analytics, marketing-data, and similar profile products. Companies should revisit prior assumptions about CTDPA exemptions, update product documentation and deletion workflows, and review customer and vendor contracts for downstream-use restrictions, deletion assistance and recordkeeping obligations.
VI. Conclusion
The Act reflects a shift in state privacy law from general notice-and-choice and opt-out frameworks toward targeted regulation of specific data practices. Connecticut combines several practice-specific regimes in one law, including data broker registration and deletion, location-data restrictions, surveillance pricing disclosures, facial recognition premises notices, profiling regulations, narrowed public-source exclusions, and DTC genetic testing. These amendments reflect priorities Connecticut regulators have emphasized in recent enforcement reports. Compliance will require more than updates to privacy notices or consumer rights workflows; companies will need to assess the underlying data practices, systems, vendors and business processes that may trigger the Act’s requirements. Companies should consider whether the same data flows may implicate multiple regimes and use the Act’s phased effective dates to inventory covered practices before the first major compliance deadline on October 1, 2026.
[1] SB 4 was signed by the Governor on May 27, 2026, and became Public Act 26-64. Certain provisions were subsequently amended by HB 5222 and HB 5563.
[2] The Act’s restrictions on precise geolocation data follow Virginia’s recent enactment of a similar prohibition on the sale of consumers’ precise geolocation data.
[3] This has been an active legislative season for Connecticut on technology and digital privacy, as the state has joined others with robust AI and data privacy regulation. Governor Lamont also recently signed SB 5, which imposes consumer-facing disclosure rules for subscription AI services and regulates higher-risk AI uses such as AI “companions” (including user notices and limits tied to minors). Discussion of that law is beyond the scope of this post.
[4] This post focuses on the Act’s privacy, data governance, and consumer data provisions and does not address every amendment included in SB 4.
[5] The Act narrows the CTDPA’s employment-related exemption, meaning that certain employment-related processing decisions that may previously have been treated as outside the CTDPA may now be subject to the Act’s profiling and related consumer-rights requirements.
[6] SB 4 continues a trend in state privacy enactments. Oregon amended its privacy law in 2025 to ban the sale of precise location data; Maryland’s Online Data Privacy Act (2024) bans the sale of “sensitive data,” which includes precise location data (effective October 2025); and Virginia enacted a location data sales prohibition in April 2026. California (AB 1542), New York (S3044), and Massachusetts (S.2608) are considering similar bills.
[7] On June 5, 2026, the New York state legislature passed “The One Fair Price Act” (S.8623B/A.9349B), which, similar to Connecticut’s SB 4, prohibits the use of surveillance pricing, with exceptions for typical discount programs. The bill has been sent to the governor for consideration.
[8] Including controllers of consumer health data, which may otherwise fall outside the CTDPA’s general scope but may now be subject to the Act’s facial-recognition obligations.
[9] Under the Act, “facial recognition technology” means “any technology that analyzes facial features in still images or video to uniquely and personally identify a specific individual.”
[10] The Act states: “A consumer shall have a property right in, and shall retain the right to exercise exclusive control over, any biological sample that is derived from the consumer’s body and provided to, or used by, a direct-to-consumer genetic testing company, as well as the results of any genetic testing conducted on the consumer’s DNA by a direct-to-consumer genetic testing company. Such right to exercise exclusive control includes, but is not limited to, the right to exercise exclusive control over the collection, use, retention, maintenance, disclosure or destruction of such biological sample and results.” This language is similar to Tex. Bus. & Com. Code § 503A.003.