CIPA Litigation Prevention Guide

Understand why CIPA lawsuits are rising and how to minimize privacy risk on your website.

Thank you!
Please check your email to view the guide.

Connecticut passes law to establish data broker registry and one-stop deletion mechanism

July 6, 2026
5
 mins read
Robert Bateman
Robert Bateman
Senior Partner at Privacy Partnership law firm
Connecticut data broker registry law

On May 27, 2026, the Governor of Connecticut signed SB 4, an omnibus privacy law that amends the Connecticut Data Privacy Act (CTDPA), creates a data broker registry and accessible deletion mechanism, restricts surveillance pricing, and regulates direct-to-consumer genetic testing.

  • The CTDPA amendments, data-driven pricing provisions, and genetic testing provisions take effect on October 1, 2026, while data broker registration begins on January 1, 2027
  • SB 4 prohibits controllers and third parties from selling a consumer's precise geolocation data, and broadens deletion rights over publicly available information used to build consumer profiles
  • Enforcement is split between the Commissioner of Consumer Protection (data broker rules) and the Attorney General (surveillance pricing), with no private right of action

What does the data broker registry require?

A data broker is any business, or portion of a business, that sells or licenses brokered personal data to a third party. From January 1, 2027, data brokers covered by this Connecticut law must register annually with the Department of Consumer Protection and pay a fee.

Registrations must disclose a set of mandated details, including how consumers can exercise their CTDPA rights, whether the broker collects categories such as minors' data or precise geolocation data, and the extent to which the broker is regulated under the FCRA, GLBA, or HIPAA. 

The Commissioner may impose civil penalties of up to $200 per day per consumer for each violation.

How does the accessible deletion mechanism work?

SB 4 requires the Commissioner to establish an accessible deletion mechanism by July 1, 2028. This lets a consumer submit a single request to have all registered data brokers delete their personal data and exclude specific brokers if they choose.

From October 1, 2028, registered data brokers must check the mechanism at least once every 45 days and act on verified deletion requests, subject to a defined list of exceptions. Independent third-party audits of compliance begin in 2031.

This is the second such mechanism in the US after California's Delete Act, and it directly targets the data broker resale market that underpins much downstream data sharing.

What are the new limits on data-driven pricing and tracking?

SB 4 restricts pricing practices built on personal data. Anyone who uses a "price setting device" to raise an advertised online price using a consumer's personal data must display a prescribed disclosure stating that the price was increased by a price setting device using the consumer's personal data.

The law also prohibits retail sellers and third-party delivery services from engaging in "surveillance pricing," meaning customized pricing based on personal data gathered through device tracking or sensors. Discounts, loyalty programs, and pricing based on justifiable cost differences are excluded. 

These provisions take effect on February 1, 2027, and are enforced by the Attorney General.

Separately, SB 4 sets requirements for facial recognition technology used for fraud prevention, including signage and a published FRT policy.

Key takeaways

  • Determine whether any part of your business sells or licenses brokered personal data and therefore must register as a Connecticut data broker by January 1, 2027
  • Build the operational capability to receive and action deletion requests through the accessible deletion mechanism every 45 days once it goes live
  • Review online pricing, precise geolocation data flows, and facial recognition use against the new SB 4 restrictions and disclosure duties

Privado AI's Dynamic Data Maps build real-time inventories where personal data is collected, sold, and shared, giving teams the inventory they need to assess data broker registration obligations and respond to deletion requests at scale.

Industry insights you won’t delete. Delivered to your inbox.

Get regular updates from Privado AI

Request free website audit

Request Privado AI demo

Robert Bateman
Robert Bateman
Senior Partner at Privacy Partnership law firm

Get regular updates from Privado AI

Request free website audit

Request Privado AI demo

Continue Reading