Connecticut Privacy Law Updates: Data Broker Rules, Geolocation Sale Ban, Surveillance Pricing Restrictions, and Genetic Data Regulations
Publish Date: 2026-06-05 09:15:00
Source Domain: www.hunton.com
Connecticut Privacy Law Updates: Data Broker Rules, Geolocation Sale Ban, Surveillance Pricing Restrictions, and Genetic Data Regulations
On May 27, 2026, Connecticut Governor Ned Lamont signed Senate Bill 4 into law, amending the Connecticut Data Privacy Act (“CTDPA”). Two additional bills making minor adjustments and technical fixes to the CTDPA—HB 5222 and HB 5563—are expected to be signed, and together these changes are referred to herein as the “CTDPA Amendments.”
The CTDPA Amendments create data broker registration and compliance requirements, ban the sale of geolocation data, and set limits on surveillance pricing and the processing of genetic data.
- Data Brokers
- Effective Date: January 1, 2027 (registration requirements).
- Scope: “Data broker” is defined as any business, or portion of a business, that sells or licenses brokered personal data to another person. “Brokered personal data” means personal data that is categorized or organized for sale or license to a third party.
- Registration: Beginning January 1, 2027, data brokers must annually register with the Connecticut Department of Consumer Protection (“DCP”) and pay an annual fee. The DCP will publish the information included in each data broker’s registration application.
- Deletion Mechanism: By July 1, 2028, the DCP must create an accessible universal deletion mechanism that allows consumers to submit a single data deletion request to all registered data brokers. By October 2028, data brokers will be required to regularly check the mechanism and process deletion requests, including by flowing such requests downstream to service providers.
- Audits: Beginning 2031, data brokers will be subject to independent third-party audit requirements every three years.
- Exemptions: Entities regulated under HIPAA, GLB, FCRA, and DPPA, among other laws, are exempt from the data broker requirements.
- Enforcement: The DCP may impose civil penalties of up to $200 per day, per consumer,…
