Connecticut expands privacy law with geolocation ban and data broker registry
Connecticut has significantly expanded its privacy framework with new laws (SB 4, HB 5222, HB 5563) that amend the CTDPA and introduce new requirements for data brokers, personalized pricing, and facial recognition technology. The new regulations prohibit the sale of precise geolocation data, mandate transparency for facial recognition, and require annual registration for data brokers. These changes take effect from October 2026, so organizations need to review their data collection and usage practices to ensure compliance.
Key Takeaways
- Bans the sale of precise geolocation data, defined as GPS or technology identifying a consumer within a 1,750-foot radius.
- Mandates annual registration for data brokers starting January 1, 2027, including a $2,500 annual fee.
- Implements a 'Delete Act' style centralized mechanism by July 2028, allowing residents to request global data deletion from all registered brokers.
- Introduces 'surveillance pricing' restrictions effective July 1, 2027, targeting dynamic pricing based on browsing history or location.
- Requires retail facial recognition to use only internal databases and display physical signage for security or fraud prevention.
Why It Matters
The ban on selling precise geolocation data directly impacts ad-tech firms and streaming services using location-based targeting for high-value localized inventory. By adopting a California-style centralized deletion mechanism, Connecticut signals that 'opt-out of sale' is evolving into 'bulk deletion,' creating a higher operational burden for data aggregators. This shift forces a move away from third-party facial recognition datasets toward first-party, on-premises solutions for security. Organizations should watch for the state's rollout of the online deletion portal by 2028, which will likely serve as a blueprint for other East Coast regulators.
Additional Context
Connecticut’s legislative surge follows a broader trend of states sharpening existing privacy frameworks to match or exceed California’s standards. Per the International Association of Privacy Professionals (IAPP) in October 2025, eight states—including Colorado, Texas, and Virginia—have already amended their initial comprehensive privacy laws to add stricter secondary-use requirements and minor-specific protections. This 'versioning' of state laws reflects growing regulatory impatience with the lack of a cohesive federal standard, such as the stalled American Privacy Rights Act (APRA) proposed in April 2024. The specific focus on 'surveillance pricing' in HB 5563 aligns with recent scrutiny from the Federal Trade Commission (FTC), which launched an inquiry into 'surveillance pricing' practices among massive retailers and software providers in mid-2024. Per a March 2025 report from the California Privacy Protection Agency (CPPA), California has already collected $3.3 million in registration fees from nearly 500 data brokers, demonstrating the revenue-generating potential of these registries. Connecticut’s $2,500 annual fee and 45-day deletion audit cycle mirror California's DROP platform, suggesting a move toward standardized multi-state compliance interfaces for data brokers by late 2026.
Read full article at jdsupra.com
