Privacy Law Expansion Has Major Business Implications

State lawmakers passed an expansive consumer privacy and consumer protection measure that reshapes how businesses handle personal data, pricing practices, and emerging technologies.
While the final version of SB 4 reflects meaningful improvements made in response to business community concerns—including clarity, exemptions, and enforcement limitations—the legislation still imposes new compliance obligations that companies will need to carefully assess.
The bill significantly expands state oversight of data brokers and provides for a data deletion mechanism for consumers, places new restrictions on surveillance pricing and automated price‑setting, creates rules for facial recognition surveillance technologies, and updates several portions of Connecticut’s existing consumer data privacy law.
“CBIA worked closely with legislators throughout the process to ensure the final bill avoids many unintended consequences, limits duplicative regulation, and provides guardrails for businesses operating in a competitive digital economy,” said CBIA’s vice president of public policy Chris Davis.
“Although all of our members’ concerns were not addressed in full, the final bill allows for more effective compliance and less punitive penalties for companies that inadvertently lapse in compliance.”
New Regulatory Framework
A central feature of SB 4 is the creation of a comprehensive regulatory regime governing data brokers—businesses that sell or license personal data about consumers.
Beginning Jan. 1, 2027, data brokers must register annually with the Department of Consumer Protection before selling or licensing brokered personal data in Connecticut.
Registration requires disclosure of business practices, privacy controls, and whether sensitive categories of data—such as minors’ data or precise geolocation information—are collected.
Each registration comes with a $2,500 annual fee and ongoing reporting obligations.
Registered data brokers must also adopt formal privacy policies, comply with Connecticut’s broader consumer privacy statutes, and certify that personal data is not sold or licensed in violation of state law.
Over time, businesses may also be subject to independent compliance audits, further increasing operational costs.
While SB 4 ultimately limited applicability to entities primarily engaged in data brokerage activities—and preserved key exemptions for financial institutions, HIPAA‑regulated entities, and businesses maintaining direct consumer relationships—the registration, reporting, and audit provisions add a new layer of regulatory oversight that could discourage data‑driven investment and expansion in Connecticut.
Centralized Consumer Deletion Mechanism
The bill also directs DCP to develop a statewide accessible deletion mechanism, allowing consumers to submit a single request requiring registered data brokers to delete the consumer’s personal data.
Once fully implemented, data brokers will be required to regularly access the system, verify deletion requests, and ensure that downstream service providers also delete covered data.
DCP is authorized to charge participating businesses additional fees to cover system costs.
CBIA raised concerns about security, liability, and feasibility early in the process.
The final bill includes important safeguards—such as confidentiality protections, clear verification standards, and extensive exceptions allowing data retention when legally necessary or operationally justified.
“Even with added protections, the deletion mechanism introduces ongoing compliance and monitoring obligations for registered data brokers, particularly for companies that maintain large or complex datasets or rely on third‑party vendors,” said Davis.
Pricing Restrictions
SB 4 also restricts the use of surveillance pricing, defined as setting personalized prices for consumer goods or services based on personal data collected about an individual.
Retailers and third‑party delivery platforms are largely prohibited from using surveillance pricing that increases a price, with carefully negotiated exceptions for loyalty programs, broadly available discounts, supply‑and‑demand pricing shifts, and cost‑based price differences.
When automated tools are used to increase prices based on consumer data, businesses must clearly disclose that fact to consumers.
Importantly, insurers, banks, and certain regulated financial entities are excluded from these provisions, reflecting CBIA’s concerns about overlapping and conflicting regulatory standards.
In an unusual process, the surveillance pricing sections of the bill were modified in another bill, HB 5222, the day after passage of SB 4.
“While the final bill avoids banning dynamic pricing models used to attract and retain customers, businesses using advanced analytics or AI‑driven pricing tools will need to review their systems carefully to ensure compliance and avoid triggering disclosure or enforcement risks,” warned Davis.
Expanded Consumer Data Rights
Beyond data brokers, SB 4 updates Connecticut’s broader consumer data privacy law by expanding definitions, clarifying consent standards, and strengthening consumer rights related to data access, correction, deletion, and opt‑out.
Key updates include:
- Expanded definitions of sensitive data, including biometric, genetic, neural, and precise geolocation data
- New limits on selling precise geolocation information
- Additional obligations related to profiling and automated decision‑making
- Updated processor responsibilities and contractual requirements
The bill also establishes new rules governing facial recognition technology used in physical retail spaces, requiring signage and publicly available policies when such systems are deployed for loss prevention or security purposes.
SB 4 includes targeted provisions affecting direct‑to‑consumer genetic testing companies, granting consumers property rights over biological samples and imposing strict consent, disclosure, and security requirements.
Violations are enforceable solely by the attorney general, avoiding private litigation exposure.
The bill also adds consumer protections for streaming video services, prohibiting commercials from being broadcast at higher volumes than accompanying content—mirroring existing federal standards for traditional broadcasters.
‘Far-Reaching’
Most violations under SB 4 are enforceable by the attorney general or DCP, with civil penalties capped and no private right of action created.
CBIA strongly advocated for this structure to avoid open‑ended litigation risk and preserve regulatory certainty for employers.
“While many CBIA concerns were addressed through amendments and clarifications, SB 4 remains a far‑reaching expansion of state regulation affecting data use, pricing practices, and digital innovation,” Davis said.
“Businesses operating in Connecticut should begin reviewing their data practices, consumer disclosures, and compliance strategies well in advance of the bill’s effective dates.”
The bill now awaits action by the governor, with his signature expected in the coming weeks.
CBIA will continue to engage with regulators during implementation and provide members with guidance as agencies develop regulations and technical standards under the new law.
For more information, contact CBIA’s Chris Davis (860.244.1931).



