Key point: For the third time since the law was enacted in 2022, Connecticut lawmakers have modified the state’s consumer data privacy law.

In late May, Connecticut Governor Ned Lamont signed Senator James Maroney’s SB 4 into law. The forty-one-page bill creates a new data broker registration law, requires companies to disclose if they increase a price through a price-setting algorithm based on an individual’s personal data, amends the state’s consumer data privacy law, and creates a new genetic privacy law.

This post analyzes the changes to the consumer data privacy law – the Connecticut Data Privacy Act or CTDPA. The bill narrows the publicly available information exception, expands the right to deletion, prohibits the sale of precise geolocation data, and tightens restrictions on facial recognition technology.

The enactment of SB 4 marks the third time Connecticut’s law has been revised since its passage in 2022. The 2023 amendments added consumer health and children’s privacy provisions. The 2025 amendments revised the applicability standard, exemptions, definitions, consumer rights, data minimization provisions, children’s privacy sections, and approach to profiling.

Narrowing of Publicly Available Information Exception

SB 4 excludes the following from the definition of publicly available information:

  • Intermingled data, which is personal data created by combining personal data with any information that is otherwise exempt as publicly available information (e.g., information made available through government records)
  • Restricted audience data on publicly available websites, i.e., information provided by a consumer on a publicly accessible web site or online service, which web site or online service is made available to the general public for compensation or free of charge, and where the consumer has maintained a reasonable expectation of privacy in such information, including, but not limited to, by restricting such information to a specific audience
  • Genetic data, unless it is made publicly available by the consumer
  • Obscene visual depictions as defined in 18 USC 1460
  • Intimate images or intimate synthetically created images as defined under Connecticut law if they are known to be nonconsensual

SB 4 also changes the treatment of biometric data. Specifically, it prohibits treating biometric data as publicly available information when a business collects it without the consumer’s knowledge. The prior standard excluded such data when it was associated with a specific consumer and collected without consent.

The amendment comes in the wake of the Connecticut attorney general’s 2025 enforcement report, which called on the legislature to amend the exception, arguing that it was too broad. Specifically, the report stated that nearly one third of the complaints the office received in 2025 “involved entities or data potentially exempt under the CTDPA. For example, many of these complaints involved people search websites that purportedly combine ‘publicly available’ records and post individual profiles online. These profiles, which are often extensive, unwanted and inaccurate, are a far cry from public information and should not be carved out from the reach of the CTDPA. We continue to recommend that the legislature narrow the too-broad definition of ‘publicly available information’ to ensure that people search sites and data brokers are fully covered under the CTDPA.”

Expanded Deletion Right

SB 4 also expands the law’s right to deletion to cover “publicly available information that is (i) collated and combined to create a consumer profile that is made available to a user of a publicly accessible Internet web site for compensation or free of charge, or (ii) made available for sale” – and any inferences drawn from such information.

Prohibition on Selling Precise Geolocation Data

SB 4 prohibits controllers and third parties from selling precise geolocation data — making Connecticut the fourth state to enact such a ban, alongside Maryland, Oregon, and Virginia (which added this prohibition earlier this year via SB338). The prohibition does not cover the content of communications or data generated by or connected to advanced utility metering infrastructure systems.

Restrictions on Use of Facial Recognition Technology

In its 2024 enforcement report, the attorney general’s office described sending a cure notice to a local grocery store following media reports and consumer complaints about the store’s use of biometric software to prevent or detect shoplifting. The store defended the practice by invoking Connecticut’s law, which expressly permits controllers to detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activity, or any other illegal activity.

SB 4 responds directly to that enforcement action by imposing new requirements on controllers that deploy facial recognition technology on their premises for fraud prevention or security purposes. Those entities must now:

  1. Only use facial recognition technology to match still images or video to a database maintained exclusively by the controller; and
  2. Post clearly legible signage at each entrance to the premises where the facial recognition technology is in use (other than an entrance to an area where access is restricted to authorized employees)

The signage must alert consumers to the controller’s use of facial recognition technology and include a conspicuous hyperlink or QR code linking to the controller’s facial recognition technology policy. That policy must include contact information for the attorney general and may disclose the controller’s policies on interactions between loss prevention officers and consumers.

The amendments also add a statutory definition of “facial recognition technology”: “any technology that analyzes facial features in still images or video to uniquely and personally identify a specific individual.”

Effective Date

The amendments are effective October 1, 2026.
