Connecticut’s New Data Broker Law (SB 4): What Businesses Need to Know
External Source means this preview stays on Qubicweb while the full article lives on the publisher site.
Brief points
Key points will appear here after this read is condensed for Qubicweb. Use the source link below if you need the full article immediately.
Connecticut has enacted a sweeping new data broker law (SB 4, as amended by HB 5222), making it one of a growing number of states to regulate the collection, sale, and licensing of third‑party personal data. Effective October 1, 2026, the law requires data brokers to register with the state, imposes detailed compliance obligations, and, like California’s DELETE Act, creates a centralized mechanism for consumers to request deletion of their data. At the same time, Connecticut takes a more tailored approach, with broader carve‑outs and structural features that may reduce friction for covered businesses.
What do you need to know?
Does it apply to you? Individuals are in!
The new law applies to companies that regularly engage in commercial activities for the purpose of generating income and sell or license brokered personal data (or control, are controlled by, or are under common control with such a person). This can be an individual, and you do not need to meet any minimum number of records. It can apply even to banks, Connecticut credit unions, federal credit unions, out-of-state banks, out-of-state trust companies, or out-of-state credit unions to the extent they engage in non‑GLBA‑regulated data broker activity.
There are carve outs, and they are more forgiving than California’s.
The act does not apply to entities to the extent they engage in activities regulated under GLBA. It also exempts a business that collects information about a consumer who is or was (A) in a contractual relationship with the business, (B) an investor in the business, (C) a donor to the business, or (D) in a similar relationship. There are also carve outs for publicly available information that (A) concerns a consumer’s business or profession, or (B) is sold or licensed as part of a service that provides health or safety alerts, unless that information is collated into a consumer profile made available online or used to generate inferences. Importantly, this relationship-based carve-out is broader than the GLBA exemption: it can exclude certain non‑GLBA data so long as it relates to a direct relationship with the consumer, reinforcing that the law primarily targets third‑party data aggregation rather than first‑party customer data.
Some definitions:
“Brokered personal data” is not all personal data; it is an enumerated list of identifying elements (name, address, date of birth, place of birth, mother’s maiden name, certain unique biometric data, the name or address of an immediate family or household member, Social Security or other government ID number, or other information that would let a reasonable person identify the consumer with reasonable certainty), if categorized or organized for sale or license to a third party. This is narrower than the approach taken in some of the states.
“License,” a term used in other data broker laws too, is defined here to mean (A) to grant access to, or distribute, brokered personal data in exchange for consideration, and (B) does not include using personal data for the sole benefit of the person who provided it if that person maintains control over its use. This definition captures not only discrete transfers but also ongoing access models (e.g., APIs, data platforms), expanding the scope beyond traditional ‘sales.’
The definition of publicly available information was amended and now no longer includes biometric data collected without the consumer’s knowledge, an obscene visual depiction, personal data created by combining personal information with publicly available information, genetic data unless made publicly available by the consumer, information provided by a consumer on a publicly accessible Internet web site or online service (I) which Internet web site or online service is made available to the general public for compensation or free of charge, and (II) where the consumer has maintained a reasonable expectation of privacy in such information, including, but not limited to, by restricting such information to a specific audience, intimate image known to be nonconsensual, or an intimate image known to be nonconsensual, or an intimate synthetically created image known to be nonconsensual.
A central registry for deletion, a la California’s DROP.
The act orders the Commissioner of Consumer Protection to establish a central “accessible deletion mechanism” by July 1, 2028, through which consumers can ask all registered data brokers to delete their personal data. Different from California’s DROP, the Connecticut mechanism anticipates a key unintended consequence, the fear of companies registering as data brokers: it lets individuals specifically exclude one or more registered data brokers from a deletion request and lets data brokers check the mechanism to see whether they have been excluded. Connecticut data brokers are also not left guessing on identity: the Commissioner (or an authorized agent) verifies, beginning August 15, 2028, that the consumer who purportedly submitted the request actually did, using sufficient information to establish that the consumer is a Connecticut resident. One amendment from HB 5222 to fold in: the “data service provider” concept was deleted, so the mechanism and exclusions now operate at the registered data broker level.
You do not need to delete information necessary to (1) provide a product or service specifically requested by the participating consumer, (2) perform pursuant to any contract to which the consumer is a party, including by fulfilling the terms of a written warranty, or (3) take any step at the consumer’s request prior to entering into a contract, along with a few additional exceptions including public-interest scientific research.
If you are a data broker under this new law, you will need to:
- Register, with no selling or licensing of brokered personal data in Connecticut on or after January 1, 2027 unless actively registered (the initial and renewal fees are $2,500).
- Have a compliant privacy policy and not sell or license data in violation of the law.
- Beginning October 1, 2028, participate in the central deletion platform and check it at least every 45 days.
- As of July 1, 2031, and triennially, engage an independent auditor to ensure compliance.
- As of July 1, 2029, and annually, post metrics regarding requests received and how they were honored.
Violation is punishable by a daily fine of up to $200 per day per consumer (note this is per-consumer after the HB 5222 amendment, not the flat $500 figure in some early summaries).
What to do now?
Connecticut signals a rising trend in State enforcement of data brokers and joins the laws of California, Texas, Oregon, Vermont and Nevada in regulating the activities of companies that source data from third parties and make it available to third parties. The California DELETE Act, was recently amended to increase penalties, as was the Vermont Data Broker law, which also added a new “KYC like” obligation for vetting data recipients. Enforcement is ramping up, with recent public enforcements, accompanied by fines, in California and daily fines for violations. Companies collecting data not directly from individuals would do well to vet their practices and ensure that they are compliant with the latest requirements.