Connecticut Overhauls Its Privacy Law: What Businesses Need to Know
Connecticut has significantly expanded its privacy law.
Connecticut Governor Ned Lamont has signed Senate Bill 4 into law, making major changes to the Connecticut Data Privacy Act (CTDPA). Taken together, these amendments represent some of the most significant changes to the CTDPA since it took effect.
The amendments introduce new rules for data brokers, prohibit the sale of precise geolocation data, restrict certain forms of personalized pricing, and create new protections for genetic information.
New Rules for Data Brokers
Key dates: Registration begins January 1, 2027.
Businesses that sell or license personal data to third parties may soon face a new compliance regime in Connecticut.
Under the amendments, a "data broker" is generally a business that sells or licenses personal data that has been organized or categorized for third-party use.
Key requirements include:
- Annual registration. Beginning January 1, 2027, data brokers must register with the Connecticut Department of Consumer Protection (DCP) and pay an annual fee.
- Public listing. Registration information will be published by the DCP.
- Universal deletion requests. By July 2028, Connecticut must launch a single deletion portal that allows consumers to submit one request to all registered data brokers at once.
- Deletion obligations. Starting in October 2028, data brokers will be required to regularly check the portal, honor deletion requests, and pass those requests on to service providers and downstream recipients where applicable.
- Independent audits. Beginning in 2031, registered data brokers must undergo third-party compliance audits every three years.
Certain organizations already regulated under laws such as HIPAA, GLBA, FCRA, and DPPA are exempt from these requirements.
The penalties can be substantial: violations may result in fines of up to $200 per day, per consumer.
Privacy Law Changes Take Effect October 1, 2026
Several updates will affect businesses already subject to the CTDPA. Among the most notable changes:
- A ban on the sale of precise geolocation data.
- A narrower definition of "publicly available information."
- Expanded deletion rights that may apply to certain publicly available information and inferences derived from personal data.
- New requirements for privacy policies, including how and where privacy notices must be displayed, required languages, and when to inform consumers of changes to the notice or a business’ practices.
- New transparency requirements for organizations using facial recognition technology for security or fraud prevention purposes.
Lowering CTDPA Thresholds
Currently, the CTDPA applies to businesses processing the personal data of (i) 100,000+ residents, or (ii) 25,000+ residents with over 25% of their revenue from selling such data.
Effective July 1, the applicability threshold will be lowered to businesses processing the personal data of at least 35,000 Connecticut residents. The amendments also establish a significant new threshold: a business that controls or processes the sensitive data, as defined in the amended Act, of even a single Connecticut resident is now subject to the CTDPA.
The definition of "sensitive data" now also includes personal data revealing a mental or physical disability or treatment, nonbinary status, transgender status, information derived from biometric or genetic data, neural data, financial account information, and government-issued identification numbers (e.g., driver's license, Social Security, and passport numbers). Businesses must still obtain consent before processing sensitive data; in addition, the processing must be reasonably necessary in relation to the purpose for which the sensitive data is processed, and the CTDPA now expressly prohibits the sale of sensitive data (for monetary or other valuable consideration) without consumer consent.
Additionally, the former blanket entity-level exemption for GLBA-regulated entities is replaced by a data-level exemption for information subject to the GLBA, with entity-level exemptions retained only for certain traditional financial institutions.
These changes will extend CTDPA applicability to a broader group of businesses and may require updates to privacy notices, data inventories, and consumer rights processes.
Connecticut Takes Aim at "Surveillance Pricing"
One of the most attention-grabbing provisions addresses the use of personal data in pricing decisions.
Beginning October 1, 2026, businesses that use automated tools to set prices based on a consumer's personal information may be required to provide a clear disclosure:
"THIS PRICE WAS INCREASED BY A PRICE SETTING DEVICE USING YOUR PERSONAL DATA."
A "price setting device" generally refers to software or automated systems that use personal data to determine the price of a product or service.
The law also prohibits certain forms of surveillance pricing by retailers and third-party food delivery platforms. In simple terms, surveillance pricing occurs when a business uses personal information collected about a consumer to charge that consumer a customized price.
Important Exceptions
The law does not prohibit every form of personalized pricing.
Permitted practices include:
- Discounts designed to retain existing customers.
- Price differences based on legitimate business factors, such as shipping costs, delivery timing, inventory levels, or market demand.
- Loyalty programs, rewards programs, senior discounts, student discounts, veteran discounts, and other broadly available promotional programs, provided their terms are clearly disclosed.
- Pricing by certain financial institutions and insurance-related entities that are already subject to other regulatory frameworks.
New Protections for Genetic Data
The amendments also impose new requirements on direct-to-consumer genetic testing companies, effective October 1, 2026.
Among other things, these companies must:
- Clearly explain how genetic data is collected, used, and disclosed.
- Obtain express consent before collecting, using, or sharing genetic information.
- Obtain separate consent before disclosing genetic data to third parties other than service providers.
- Restrict disclosures of genetic testing results.
- Implement reasonable safeguards to protect genetic information and biological samples.
- Give consumers the ability to access, delete, destroy, and withdraw consent relating to certain genetic data processing activities.
The law goes even further by recognizing that consumers have a property interest in their biological samples and genetic testing results, giving them greater control over how that information is used.
What Businesses Should Do Now
Organizations that operate in Connecticut should begin assessing whether these changes affect their business models, particularly if they:
- Buy, sell, license, or aggregate personal data;
- Use location data;
- Employ AI or automated tools to personalize pricing;
- Use facial recognition technologies; or
- Process genetic information.
While some requirements do not take effect until 2027 or later, many of the privacy-related changes become effective on October 1, 2026, leaving businesses a relatively short window to prepare. Your Mintz Privacy and Security team is ready to assist you with compliance with these new amendments.
