Connecticut Adopts Far-Reaching Amendments To Its Comprehensive Privacy Law

Connecticut is reshaping the national privacy landscape with its May 27, 2026 adoption of far-reaching amendments to its existing comprehensive privacy law.  When a state enacts or revises a privacy law, it influences the shape and direction of U.S. privacy law because other states consider, and sometimes follow, the policy decisions embodied by the newly enacted or revised law.  Connecticut’s Act Concerning Consumer Privacy And Protection, Public Act No. 26-64 accelerates that pressure.

Why this matters: Connecticut’s new amendments to its privacy law take effect on October 1, 2026, following prior amendments (enacted June 24, 2025) that take effect on July 1, 2026.  This demonstrates the hamster wheel-like nature of quickly evolving state privacy law. And these amendments alter existing exceptions from applicability that organizations rely upon:  for publicly available information and for preventing fraud, misconduct, and security incidents.  Those exceptions are still here but different.  Organizations need to be prepared for their elimination in the future -- or the potential elimination of other critical exemptions. 

Public Act No. 26-64 makes four significant changes to Connecticut’s privacy law that will affect organizations operating in Connecticut or otherwise subject to its privacy laws:

First, Connecticut creates new rules applicable to data brokers.  Connecticut is the sixth state to require organizations to register as “data brokers,” joining California, Nevada, Oregon, Texas, and Vermont.  Each state defines “data broker” differently:  An organization that is a “data broker” in one state may not be a “data broker” in another. 

Connecticut defines “data broker” the most broadly of the seven states.  Public Act No. 26-64 defines a “data broker” as an organization that “sells or licenses brokered personal data to another person.”1 The closest definition in one of the other six states is Oregon’s:  there, a “data broker” is an organization “that collects and sells or licenses brokered personal data to another person.”2 The available legislative history for Public Act No. 26-64 is silent as to why the Connecticut legislature chose to define “data broker” using the same approach as Oregon but without the “collects . . . brokered personal data” language contained in Oregon’s definition.3 A reasonable guess as to the impact of the Connecticut legislature’s choice is that more organizations will satisfy the definition of “data broker” than if that language were included.  Otherwise “collects” has no meaning.

Public Act No. 26-64 follows Oregon law with exceptions for consumer reporting agencies, financial institutions, and organizations using data about their customers, employees, contractual counterparties, investors, donors, and similarly situated individuals and businesses.4 That final exception, about use of data about customers and the like, appears to generally track the requirement in California, Nevada, Texas, and Vermont that, to be a “data broker,” an organization needs to be selling or licensing personal data about individuals with whom the organization does not have “a direct relationship.”5

Even though Public Act No. 26-64 largely follows Oregon law in setting out what organizations are data brokers, it follows California law in imposing additional obligations upon them:

Data brokers will need to use an accessible deletion mechanism established by Connecticut to accept data subject deletion requests.6 Public Act No. 26-64 mandates that the accessible deletion mechanism be established by July 1, 2028 and that data brokers begin using it on October 1, 2028.7

Beginning July 1, 2029, data brokers will need to publish data subject request metrics on their websites and update them annually, like California does now.8 The metrics required by Connecticut for disclosure are narrower than those required by California, with Connecticut’s focusing on only deletion requests and the number granted or denied.9 (Texas is the only other state to require data brokers make affirmative disclosures on their websites.10 Texas’s required disclosure does not include data subject request metrics.)

Beginning July 1, 2031, Connecticut-regulated data brokers will need to be subject to an independent audit of their compliance with the accessible deletion mechanism.11 This three-year audit requirement is consistent with California law.12

These obligations increase the compliance cost and burden for organizations. Moreover, because Connecticut did not align the start of its three-year audit requirement to California’s (California’s begins January 1, 2028; Connecticut’s, July 1, 2031), organizations that do not prepare early will have two separate compliance audit cycles, further increasing the cost and burden.  Proactive organizations can use early voluntary compliance to achieve a single compliance audit cycle, because Public Act No. 26-64 requires compliance “not later than July 1, 2031.”13

Second, Connecticut broadens the application of its comprehensive privacy law by narrowing or eliminating existing exclusions and exceptions.  Public Act No. 26-64 also chips away at data-level exclusions that organizations rely upon by altering the scope of the exclusions.

  • The definition of “publicly available information” is changed.14 Previously, “publicly available information” was information made available by the government, by the person at issue, or through widely accessible media and excluded biometric data collected without consent.15  The new definition adds six new explicit limits on the scope of publicly available information and changes the exclusion for biometric data.16  The exclusion for biometric data is changed to collection without knowledge, not consent.17 That narrows the exclusion because of the heightened requirements for obtaining consent under Connecticut’s comprehensive privacy law.18 One explicit limit requires organizations to revisit their prior determination of the application of privacy law as a result:  “information provided by a consumer on a publicly accessible Internet web site or online service (I) which Internet web site or online service is made available to the general public for compensation or free of charge, and (II) where the consumer has maintained a reasonable expectation of privacy in such information, including, but not limited to, by restricting such information to a specific audience.”19  At the same time, Connecticut residents gain the right to request deletion of publicly available information about them.20
  • The general exemption for data used to “prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action” is also narrowed by adding an exception to that exemption.21 Public Act No. 26-64 prohibits use of facial recognition technologies for those purposes unless the “facial recognition technology is used exclusively . . . to match still images or video to a database maintained exclusively by” the organization using it and unless “clearly legible signage is posted, at each entrance . . . , other than an entrance to an area where access is restricted to authorized employees, (I) alerting consumers entering such premises that facial recognition technology is in use, and (II) that includes a conspicuous hyperlink or quick response code that directs consumers to the privacy policy.”22

In addition to the direct impacts of these changes, the changes signal a regulatory shift toward elimination of exclusions and exemptions from comprehensive privacy laws.  Even without a clear sunset in place for exclusions and exemptions, organizations need to consider the impact if exclusions and exemptions were eliminated. 

Third, Connecticut completely prohibits the sale of precise geolocation data.  Precise geolocation data, which identifies an individual within 1,750 feet, is generally treated as a form of sensitive data under most states’ comprehensive privacy laws, including Connecticut’s.23 Public Act No. 26-64 adds to the burden:  While still sensitive data, and so requiring consent prior to collection,24 precise geolocation data is uniquely subject to an absolute prohibition on being “[sold].”25  This represents an evolution of Washington’s decision, reflected in the My Health My Data Act, to prohibit geofences “used to:  (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.”26

Fourth, Connecticut regulates using personal data and activities to set prices of consumer goods and services.  Even though Public Act No. 26-64 is not framed as a law regulating artificial intelligence, the Connecticut legislature expanded consumer disclosures and rights associated with the use of artificial intelligence to set prices for consumer goods and services.

  • It prohibits use of “surveillance pricing” -- essentially watching how people act to set prices -- with limited exceptions for retention and loyalty programs, and the like, as well as entity-level exemptions for financial services companies.27
  • And it requires disclosures for use of “price setting devices” -- essentially using someone’s personal data to change the price charged -- if it does not result in a discount for the individual, with entity-level exemptions for financial institutions.28 The disclosure must say, in a readably visible way, “THIS PRICE WAS INCREASED BY A PRICE SETTING DEVICE USING YOUR PERSONAL DATA”29

Other states, including California and Colorado, are experimenting with addressing the use of artificial intelligence to set prices and make decisions. Connecticut’s newly mandated restrictions and disclosure requirements represent a step in that direction.

*              *              *

Connecticut’s new Act Concerning Consumer Privacy And Protection, Public Act No. 26-64, illuminates that U.S. privacy law is heading toward greater legal coverage and greater restrictions on data use cases.  Organizations need to be nimble and prepared.  Change is said to happen slowly, then suddenly, all at once.  Connecticut’s law was amended in June 2025, with changes taking effect on July 1, 2026; and amended again in May 2026 by Public Act No. 26-64, with changes taking effect on October 1, 2026.  The multiple changes to Connecticut’s privacy law prove privacy regulation evolves in real time.


1.  Pub. Act No. 26-64, § 1(7) (emphasis added).
2. Or. Rev. Stat. § 646A.593(c)(A) (emphasis added).
3. The General Law Committee’s Joint Favorable Report indicates that multiple individuals testified that the definition of “data broker” in the bill was too broad.  See General Law Committee, Joint Favorable Report, dated Mar. 16, 2026.
4. Pub. Act No. 26-64, § 7; Or. Rev. Stat. § 646A.593(c)(B).
5. Cal. Civ. Code § 1798.99.80(c); Nev. Rev. Stat. § 603A.323; Tex. Bus. & Com. Code § 510.001(4); Vt. Stat. tit. 9, § 2430(4)(A).  On June 16, 2026, Vermont’s governor signed a bill amending Vermont’s data broker statutes that, among other things, specifies what constitutes a “direct relationship” for purposes of Vermont law.  See Vt. H.211 (2026), § 1.
6. Pub. Act No. 26-64, § 5; Cal. Civ. Code § 1798.99.86.
7. Pub. Act No. 26-64, § 5(a)-(b).  Vermont may follow:  The newly signed bill amending Vermont’s data broker statutes also requires a feasibility study of, among other things, “establishing an accessible deletion mechanism” to be used by data brokers, which will be provided to the Vermont legislature in interim form by December 1, 2027 and in final form by December 1, 2028. See Vt. H.211 (2026), § 2.
8. Cal. Civ. Code § 1798.99.85; Pub. Act No. 26-64, § 6.
9. Compare Pub. Act No. 26-64, § 6, with Cal. Civ. Code § 1798.99.85.  California’s required disclosures address multiple types of data subject requests and also require disclosing the median and mean number of days needed to respond to each request type.  Cal. Civ. Code § 1798.99.85(a)(1)-(2).
10. Tex. Bus. & Com. Code § 510.004.
11. Pub. Act No. 26-64, § 5(d)(1).
12. Cal. Civ. Code § 1798.99.86(e).
13. Pub. Act No. 26-64, § 5(d)(1) (emphasis added).
14. Conn. Gen. Stat. §§ 42-515(28), (35). Citations to the Connecticut General Statutes are to the version in effect after Public Act No. 26-64 was enacted, unless otherwise noted.
15. Conn. Gen. Stat. § 42-515(34) (as in effect before Pub. Act No. 26-64).  Most other state comprehensive privacy laws define “publicly available information” in a similar fashion.  However, Vermont’s newly approved comprehensive privacy law, signed by Vermont’s governor on June 16, 2026, defines “publicly available information” similarly to Connecticut’s new definition.  See Vt. S.71 (2026), § 1.  Vermont’s new law will take effect January 1, 2028.  Id. § 4.  Available at https://legislature.vermont.gov/Documents/2026/Docs/BILLS/S-0071/S-0071%20As%20Passed%20by%20Both%20House%20and%20Senate%20Official.pdf
16. Conn. Gen. Stat. § 42-515(34).
17. Compare Conn. Gen. Stat. § 42-515(34)(B) (as in effect before Pub. Act No. 26-64), with id. § 42-515(35)(B)(i) (as reenacted by Pub. Act No. 26-64).
18. Conn. Gen. Stat. § 42-515(7).
19. Pub. Act No. 26-64, § 12(35).
20. Conn. Gen. Stat. § 42-518(a)(3)(B)-(C).
21. Conn. Gen. Stat. § 42-524(a)(1)(I). 
22. Conn. Gen. Stat. § 42-524(a)(2).
23. Conn. Gen. Stat. § 42-515(29), (40).
24. Conn. Gen. Stat. § 42-520(a)(1)(D).  The form of consent required by Connecticut’s comprehensive privacy law is defined in Conn. Gen. Stat. § 42-515(7).
25. Conn. Gen. Stat. §§ 42-520(a)(3)(A), 42-521(a)(2)(A).
26. Wash. Rev. Code § 19.373.080.  Nevada imposes a similar restriction.  See Nev. Rev. Stat. § 603A.540.
27. Pub. Act No. 26-64, § 11(c), (d). “[S]urveillance pricing” is defined as “the practice of establishing a customized price for a consumer good or consumer service that is specific to a consumer based, in whole or in part, on the consumer's personal data collected (A) through any technology or technological method, system or tool, including, but not limited to, any biometric monitoring, camera, device tracking or sensor, that is capable of gathering personal data concerning a consumer's behavior, characteristics, location or other personal attributes in a physical or digital environment, and (B) by the person establishing the customized price either directly or indirectly by gathering, purchasing or otherwise acquiring such personal data from a third party.”  Id. § 11(a)(9).
28. Pub. Act No. 26-64, § 11(b)(1), (d).  A “price setting device” is defined as “any automated or programmed process that uses a consumer's personal data to establish a price for a consumer good or consumer service to be sold, leased, exchanged or provided to the consumer.” Id. § 11(a)(7).
29. Pub. Act No. 26-64, § 11(b).

Authors

Matthew M.K. Stein

Special Counsel

Matthew MK Stein is a Special Counsel at Mintz who advises organizations and individuals on data privacy, data governance, and cybersecurity issues. He leverages experience in private practice and as in-house counsel at a global financial institution to litigate, lead investigations, and provide strategic guidance. He represents clients in various industries, including technology, artificial intelligence, financial services, blockchain, and the adtech and martech sectors.
Morgan M. Ungrady-Johnson is an Associate at Mintz who maintains a general litigation practice in state and federal courts, with a particular interest in cybersecurity and privacy matters, securities litigation, and appellate matters.