Connecticut AG Clarifies AI Compliance Obligations Under CTDPA
Connecticut AG Clarifies AI Compliance Obligations Under CTDPA
Publish Date: 2026-03-30 12:35:00
Source Domain: www.hunton.com
On February 25, 2026, the Connecticut Attorney General (“CT AG”) issued a legal memorandum regarding the application of existing Connecticut laws, such as the Connecticut Data Privacy Act (“CTDPA”), to the use of artificial intelligence (“AI”).
Addressed to state officials, agencies and other concerned parties, the memorandum is organized into four main sections, each outlining Connecticut state laws the CT AG may use to enforce AI-related regulations: (1) civil rights laws; (2) the CTDPA; (3) safeguards and breach notification laws; and (4) the Connecticut Unfair Trade Practices Act.
With respect to the CTDPA, the memorandum emphasizes that businesses developing or using AI systems must comply with existing CTDPA requirements, including the following:
- clearly disclosing the use of Connecticut consumers’ personal data in AI models through their privacy notices;
- ensuring that any use or sharing of personal data obtained from third parties is properly disclosed by the original data collector – otherwise, such use is unlawful; and
- notifying consumers of any changes to privacy practices related to AI and providing a mechanism for consumers to withdraw consent for new uses of their data.
The memorandum also underscores that businesses have specific obligations under the CTDPA regarding the collection and use of sensitive data, such as consumer health information, biometric data, and precise geolocation data. In particular, data controllers are required to conduct data protection assessments for processing activities that present a heightened risk of harm to consumers, including any handling of sensitive data. Accordingly, AI models that process Connecticut consumers’ personal data in these high-risk contexts must undergo regular data protection assessments to ensure compliance with the CTDPA.
In addition, the memorandum highlights that businesses have heightened responsibilities under the CTDPA when collecting or processing minors’ data….
