The Bottom Line
- Connecticut’s Governor has signed into law Public Act No. 26-64, “An Act Concerning Consumer Privacy and Protection,” which introduces substantial new compliance obligations for businesses that operate as data brokers, engage in targeted advertising, or use algorithmic pricing.
- The law takes effect October 1, 2026, with key data broker registration requirements beginning January 1, 2027, and the state’s accessible deletion mechanism program launching by July 1, 2028.
- Connecticut’s approach shares significant structural similarities with California’s Delete Act but goes further in several respects—including banning surveillance pricing by retail sellers, and expanding consumer rights related to profiling and automated decision-making.
Overview of the Connecticut Law
On May 27, 2026, Connecticut’s Governor signed into law Public Act No. 26-64, “An Act Concerning Consumer Privacy and Protection,” (the Act) a sweeping consumer privacy bill that requires data broker registration, creates new consumer rights regarding personal data and restricts surveillance pricing, among other issues. The Act is a multi-faceted privacy and consumer protection statute organized around several distinct regulatory pillars.
Data Broker Registration and Regulation
The Act requires data brokers selling or licensing “brokered personal data” in Connecticut to register with the Department of Consumer Protection, pay a $2,500 annual registration fee, and comply with detailed disclosure requirements. Data brokers must establish privacy policies ensuring compliance and are subject to independent audits beginning July 1, 2031.
Accessible Deletion Mechanism
By July 1, 2028, Connecticut will establish a centralized deletion mechanism enabling consumers to submit a single request directing all registered data brokers to delete their personal data. Registered data brokers must access this mechanism at least once every 45 days and comply with verified deletion requests.
Amendments to Connecticut’s Existing Data Privacy Act
The Act significantly amends Connecticut’s existing consumer privacy law by expanding the definition of “sensitive data” to include financial account information and government-issued identification numbers, strengthening consumer rights around profiling and automated decision-making, prohibiting the sale of consumers’ precise geolocation data by controllers and third parties, and imposing additional obligations on controllers regarding anti-discrimination testing and consent revocation (within 15 days).
Surveillance Pricing Restrictions
Follows a number of other states by regulating retail sellers and third-party delivery services from engaging in “surveillance pricing”—establishing customized prices based on a consumer’s personal data collected through tracking technologies. Businesses using “price setting devices” online must disclose: “THIS PRICE WAS INCREASED BY A PRICE SETTING DEVICE USING YOUR PERSONAL DATA.”
Streaming Video Advertisement Volume
Requires streaming video services, beginning July 1, 2027, to ensure commercial advertisements are not louder than accompanying video content—extending FCC loudness rules to streaming platforms.
Connecticut vs. California: What the Differences Mean for You
The Connecticut Act has many similarities to California’s “Delete Act” frameworks requiring data broker registration and establishing centralized deletion mechanisms; however, there are notable differences.
Scope and Definitions
Connecticut’s definition is different because it applies to any business or individual that sells or licenses “brokered personal data,” while California’s definition focuses on the absence of direct relationships with a consumer.
- Connecticut: Defines “data broker” as any business that sells or licenses “brokered personal data” to another person, with “brokered personal data” (including name, address, date of birth, biometric data and SSN) plus any information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.
- California: Defines “data broker” as a business that knowingly collects and sells personal information of consumers with whom it does not have a direct relationship; using broad definitions of those terms from the California Consumer Privacy Act (CCPA).
Registration Requirements
- Connecticut: Registration with the CT Department of Consumer Protection; annual fee of $2,500; disclosure of collection practices, coverage under federal laws (Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), and how consumers can exercise rights.
- California: Registration with the California Privacy Protection Agency (CPPA) by January 31 each year; annual fee of $6,000; extensive disclosure requirements including whether data has been shared with foreign actors, law enforcement, GenAI developers, or the federal government.
Accessible Deletion Mechanism
- Connecticut: Commissioner must establish the mechanism by July 1, 2028; verified through consumer’s motor vehicle operator’s license number; registered data brokers must check every 45 days.
- California: Called the “Delete Request and Opt-out Platform” or “DROP”; operational since January 1, 2026; detailed regulations governing hashing, matching, status reporting, and processing timelines.
Enforcement
- Connecticut: Civil penalties of up to $200/day per violation of data broker provisions; enforced by the Commissioner of Consumer Protection after notice and hearing. Surveillance pricing and genetic testing violations are enforced by the Attorney General as unfair trade practices. No private right of action for any provision.
- California: Administrative fines of $200/day for failure to register; $200 per deletion request per day for failure to delete; enforced by the CPPA; no private right of action; 5-year statute of limitations.
Audit Requirements
- Connecticut: Independent audits beginning July 1, 2031, and triennially; reports submitted to Department of Consumer Protection within 5 business days of request; maintained for 6 years.
- California: Independent third-party audits beginning January 1, 2028, and every three years; reports must be submitted to CPPA within 5 business days of request; maintained for 6 years.
How Connecticut Exceeds California in Critical Areas
Connecticut’s law is broader than California’s Delete Act in several significant respects.
Surveillance Pricing Ban
Connecticut is one of a number of states that have recently proposed or enacted laws to explicitly prohibit “surveillance pricing” – the use of personal data by retail sellers and third-party delivery services to dynamically change pricing for a consumer based upon such data. California’s data broker law does not address pricing practices.
Expanded Consumer Rights for Profiling
Connecticut’s amendments to its existing privacy law significantly strengthen consumer rights regarding automated decision-making, including the right to question profiling results, be informed of reasoning, review data used, and (for housing decisions) correct data and have decisions reevaluated. These provisions go beyond California’s CCPA/CPRA framework.
Right to List of Third Parties
Connecticut grants consumers the right to obtain from controllers a list of specific third parties to which their personal data has been sold—a more specific right than California’s analogous provisions.
Precise Geolocation Sale Ban
Connecticut prohibits controllers and third parties from selling consumers’ precise geolocation data outright—a categorical ban that goes beyond California’s opt-out framework.
Impact and Action Items for Businesses
- Assess Whether Your Business Is a “Data Broker” Under Connecticut Law: The Connecticut law’s definition of “data broker” is specific: any business (or portion thereof) that sells or licenses enumerated categories of “brokered personal data” to another person. Businesses should carefully evaluate whether their data practices—including data licensing arrangements, lead generation, people-search services, or marketing data operations—bring them within scope. Registration is required by January 1, 2027, for those that do.
- Review Pricing Practices for Surveillance Pricing Compliance: Retail sellers and third-party delivery services doing business in Connecticut must ensure they are not engaging in “surveillance pricing”—using personal data collected through tracking technologies to set individualized prices. Businesses using dynamic or personalized pricing algorithms should evaluate whether their practices fall within the statutory definition and whether any exemptions (loyalty programs, volume discounts, publicly disclosed uniform terms) apply.
- Prepare for the Accessible Deletion Mechanism: Data brokers should begin preparing operational processes to interface with Connecticut’s centralized deletion mechanism when it becomes available in mid-2028, similar to preparations required for California’s DROP system. This includes developing matching, deletion, and status-reporting capabilities.
- Coordinate Multi-State Compliance: Businesses already complying with California’s Delete Act will find significant overlap with Connecticut’s framework—including 45-day access cycles, audit requirements, and deletion processing. However, differences in definitions, registration timelines, fee structures, and the scope of exemptions mean that California compliance alone will not satisfy Connecticut’s requirements. A coordinated multi-state approach is advisable.
- Monitor Rulemaking: The Commissioner of Consumer Protection has broad authority to adopt implementing regulations. Businesses should monitor the rulemaking process closely, as regulations will fill in operational details—particularly regarding the accessible deletion mechanism—that may significantly affect compliance obligations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]