Privacy & Cybersecurity Law Blog

On May 27, 2026, Connecticut Governor Ned Lamont signed Senate Bill 4 into law, amending the Connecticut Data Privacy Act (“CTDPA”). Two additional bills making minor adjustments and technical fixes to the CTDPA—HB 5222 and HB 5563—are expected to be signed, and together these changes are referred to herein as the “CTDPA Amendments.”

The CTDPA Amendments create data broker registration and compliance requirements, ban the sale of geolocation data, and set limits on surveillance pricing and the processing of genetic data.

• Data Brokers
  • Effective Date: January 1, 2027 (registration requirements).
  • Scope: “Data broker” is defined as any business, or portion of a business, that sells or licenses brokered personal data to another person. “Brokered personal data” means personal data that is categorized or organized for sale or license to a third party.
  • Registration: Beginning January 1, 2027, data brokers must annually register with the Connecticut Department of Consumer Protection (“DCP”) and pay an annual fee. The DCP will publish the information included in each data broker’s registration application.
  • Deletion Mechanism: By July 1, 2028, the DCP must create an accessible universal deletion mechanism that allows consumers to submit a single data deletion request to all registered data brokers. By October 2028, data brokers will be required to regularly check the mechanism and process deletion requests, including by flowing such requests downstream to service providers.
  • Audits: Beginning 2031, data brokers will be subject to independent third-party audit requirements every three years.
  • Exemptions: Entities regulated under HIPAA, GLB, FCRA, and DPPA, among other laws, are exempt from the data broker requirements.
  • Enforcement: The DCP may impose civil penalties of up to $200 per day, per consumer, for each violation.
• Privacy Updates.
  • Effective Date: October 1, 2026.
  • Relevant CTDPA Amendments:
    • ban on the sale of precise geolocation;
    • narrowed definition of “publicly available information”;
    • expansion of deletion right to include certain publicly available data and inferences; and
    • new transparency requirements around the use of facial recognition technology for security or fraud prevention purposes.
  • Surveillance Pricing.
    • Effective Date: October 1, 2026.
    • Price Setting Device Mandatory Disclosure: The CTDPA Amendments require any person doing business in Connecticut using a “price setting device” to provide the following disclosure: “THIS PRICE WAS INCREASED BY A PRICE SETTING DEVICE USING YOUR PERSONAL DATA,” unless the price setting device is used solely to offer a discounted price in an online transaction.
      • “Price setting device” means any automated or programmed process that uses a consumer’s personal data to establish a price for a consumer good or service to be sold, leased, exchanged, or provided to the consumer.
    • Surveillance Pricing Ban: The CTDPA Amendments ban “surveillance pricing” by “retail sellers” and “third-party delivery services,” subject to certain carve-outs.
      • “Surveillance pricing” means establishing a customized price for a consumer for a consumer good or service based on personal data collected through any technology and by the person establishing the customized price, directly or indirectly.
      • The prohibition on surveillance pricing applies to “retailer sellers” (e., an entity or business (including a retail food establishment) that sells, leases, or rents consumer goods or services (including digital goods) directly to end-users) and “third-party delivery service providers” (i.e., an entity—outside of the operation of a retail food establishment’s business—that facilitates delivery or online ordering services to customers of a retail food establishment).
      • Exceptions:
        • The following pricing activities are exempted from the ban on surveillance pricing:
          • Customer retention discounts: Businesses may offer discounted prices to retain existing customers.
          • Price differences for legitimate business reasons: Different prices may be offered based on factors such as delivery costs, consumer choices, delivery timing, or supply-and-demand-driven price fluctuations.
          • Broadly available discount programs: Businesses may offer discounts through publicly disclosed promotions, group-based discounts (e.g., for veterans, students, or seniors), or loyalty and rewards programs, provided the terms are clearly posted and available to all eligible consumers.
        • Exempt entities: Entities subject to Connecticut’s insurance laws, the GLBA, and certain banks or holding companies are exempt from the surveillance pricing provisions.
      • Genetic Testing
        • Effective Date: October 1, 2026.
        • Requirements and Restrictions: The CTDPA Amendments require direct-to-consumer genetic testing companies to:
          • disclose certain information to consumers;
          • obtain express consent prior to collecting, using, or disclosing a consumer’s genetic data, including obtaining separate express consent for the disclosure or transfer of genetic data to any person other than a vendor or service provider;
          • limit the disclosure of genetic testing results to the consumer or a person acting pursuant to a court order, warrant, or subpoena;
          • not disclose a consumer’s genetic data to the consumer’s employer, insurers, or third parties whom the company knows, or reasonably should know, intend to use the data for marketing or targeted advertising purposes;
          • implement reasonable security measures to protect consumers’ biological samples and genetic data; and
          • provide consumers with the ability to exercise their rights to access, delete, destroy, and revoke consent for certain genetic data processing activities.

The CTDPA Amendments also provide consumers with a “property right in, and . . . the right to exercise exclusive control over,” their biological samples used by direct-to-consumer genetic testing companies, as well as results of DNA testing by such companies.