

On May 27, 2026, the Governor of Connecticut signed SB 4, an omnibus privacy law that amends the Connecticut Data Privacy Act (CTDPA), creates a data broker registry and accessible deletion mechanism, restricts surveillance pricing, and regulates direct-to-consumer genetic testing.
A data broker is any business, or portion of a business, that sells or licenses brokered personal data to a third party. From January 1, 2027, data brokers covered by this Connecticut law must register annually with the Department of Consumer Protection and pay a fee.
Registrations must disclose a set of mandated details, including how consumers can exercise their CTDPA rights, whether the broker collects categories such as minors' data or precise geolocation data, and the extent to which the broker is regulated under the FCRA, GLBA, or HIPAA.
The Commissioner may impose civil penalties of up to $200 per day per consumer for each violation.
SB 4 requires the Commissioner to establish an accessible deletion mechanism by July 1, 2028. This lets a consumer submit a single request to have all registered data brokers delete their personal data, with the option to exclude specific brokers from the request if they choose.
From October 1, 2028, registered data brokers must check the mechanism at least once every 45 days and act on verified deletion requests, subject to a defined list of exceptions. Independent third-party audits of compliance begin in 2031.
This is the second such mechanism in the US after California's Delete Act, and it directly targets the data broker resale market that underpins much downstream data sharing.
SB 4 restricts pricing practices built on personal data. Anyone who uses a "price setting device" to raise an advertised online price using a consumer's personal data must display a prescribed disclosure stating that the price was increased by a price setting device using the consumer's personal data.
The law also prohibits retail sellers and third-party delivery services from engaging in "surveillance pricing," meaning customized pricing based on personal data gathered through device tracking or sensors. Discounts, loyalty programs, and pricing based on justifiable cost differences are excluded.
These provisions take effect on February 1, 2027, and are enforced by the Attorney General.
Separately, SB 4 sets requirements for facial recognition technology used for fraud prevention, including signage and a published FRT policy.
Privado AI's Dynamic Data Maps build real-time inventories of where personal data is collected, sold, and shared, giving teams the inventory they need to assess data broker registration obligations and respond to deletion requests at scale.