Senate Advances Far-Reaching Data Privacy Bill

After much debate, the state Senate approved a far-reaching measure expanding consumer privacy laws and data-driven regulatory requirements for Connecticut employers April 23.
The amended version ofย SB 4ย passed by a decisive 31-4 vote and moves to the House for consideration.
Although lawmakers clarified several provisions of the bill since the General Law Committee advanced it, SB 4 represents a significant expansion of compliance obligations for businesses, particularly companies that collect, analyze, sell, or otherwise rely on consumer data as part of their operations.
The bill imposes new regulatory obligations on data brokers, restricts certain surveillanceโbased pricing practices, and establishes additional statutory requirements governing biometric, genetic, and location data.
“We appreciate the opportunity to have open discussions with lawmakers about the unintended consequences this bill will have on businesses throughout Connecticut,” CBIA vice president of public policy Chris Davis said.
“While many of the concerns raised by the business community were addressed to clarify scope, exemptions, and enforcement, companies remain concerned that several provisions still represent a significant compliance burden for businesses that rely on data-driven tools to operate effectively.”
Data Broker Registration
The bill builds off the 2023 Connecticut Data Privacy Act that outlines consumer rights and the responsibilities of groups that collect online data.
The amended bill establishes a new statewide regulatory framework for data brokers, modeled on programs previously adopted in California, Oregon, and Vermont.
Under the bill, entities that meet the definition of a data broker must register with the Department of Consumer Protection by Jan. 1, 2027.
The bill also creates a state-run, centralized deletion mechanism allowing consumers to submit a single request to eliminate their personal data across all registered data brokers.
Beginning in 2031, registered data brokers must submit third-party compliance audits every three years and may face civil penalties of up to $200 per day, per violation, for failure to comply.
Participating data brokers will be required to routinely access the deletion system, verify consumer requests, delete covered personal data, and permanently cease use of that data, subject to enumerated exceptions, including fraud prevention and legal compliance.
For businesses that sell or license personal data, the bill introduces new registration, reporting, auditing, and deletion obligations that will generate ongoing compliance costs.
Companies that rely on data brokers for marketing, analytics, or lead generation may also experience reduced data availability and higher costs as a result of these restrictions.
‘Surveillance Pricing’ Practices
SB 4 also restricts the use of “surveillance pricing,” defined as the practice of setting individualized prices for consumers based on personal data collected through tracking technologies or obtained from third parties.
Under the bill, retail sellers and third-party delivery services are prohibited from engaging in surveillance pricing unless they disclose when an automated pricing system increases a price using a consumer’s personal data.
Dynamic pricing models remain permissible when based on neutral factors (such as time, distance, or supply and demand) rather than individualized consumer profiling.
The legislation preserves common and well-established business practices through explicit exemptions, including loyalty programs, uniform discounts, demand-based pricing, and cost-based price differentiation.
Financial institutions and insurers regulated under federal or state law are also exempt from these provisions.
Data Privacy Act Obligations
The bill further amends the Connecticut Data Privacy Act by expanding consumer deletion rights to include certain publicly available data when that data is aggregated or sold.
It also clarifies limits on the repurposing of personal data without consumer consent.
In addition, it bans the sale of precise geolocation data by controllers and third parties, subject to narrow utility-related exceptions, including the operation of smart meters.
Businesses that use facial recognition technology for security or loss prevention must follow new regulations under the bill.
Companies may only deploy facial recognition systems that compare images or video against databases that they maintain exclusively themselves.
Businesses must also clearly post signage at each public entrance notifying consumers facial recognition technology is in use.
Covered entities are also required to maintain a publicly accessible facial recognition policy, including contact information for the Office of the Attorney General.
These requirements introduce additional transparency, documentation, and compliance obligations for retailers and other businesses using these systems.
Direct-to-Consumer Genetic Testing Restrictions
The amended bill incorporates language previously advanced in HB 5128, establishing new consumer property rights over biological samples and genetic data.
SB 4 requires express, informed consumer consent before the collection, use, disclosure, or retention of genetic testing materials, with separate consent required for research activities, third-party sharing, and long-term storage.
The legislation also places limits on disclosures to insurers, employers, and marketers.
The amendment also incorporates provisions from SB 232, applying federal commercial loudness standards to streaming video services.
Beginning July 1, 2027, streaming platforms will be prohibited from delivering advertisements that are louder than accompanying content.
Enforcement authority is limited to the Office of the Attorney General, and the bill does not create a private right of action.
CBIA will continue to track SB 4 and provide updates on additional amendments as it moves through the legislative process.
For more information, contact CBIA’s Chris Davis (860.244.1931).



