Connecticut SB 4: Proposed CTDPA Amendments Add Data Broker Rules, Facial Recognition, and Algorithmic Pricing Protections

Connecticut Is Expanding Its Privacy Law — Again

Connecticut was one of the first states to pass a comprehensive data privacy law when it enacted the Connecticut Data Privacy Act (CTDPA) in 2022. Now the state is preparing its most ambitious update yet. Senate Bill 4 (SB 4), which was amended and voted out of the Joint Committee on General Law in March 2026, would add three major new regulatory frameworks to the existing CTDPA: data broker registration requirements, facial recognition technology restrictions, and algorithmic pricing transparency rules.

If enacted, SB 4 would make Connecticut one of the most comprehensive state privacy regimes in the country — moving well beyond the Virginia-model template that most states have followed.

What SB 4 Would Change

1. Data Broker Registration Requirements

SB 4 would require data brokers operating in Connecticut to register with the state. This follows a growing national trend: California, Vermont, Oregon, and Texas already require data broker registration. The proposed requirements include:

• Annual registration with the Connecticut Attorney General's office
• Public disclosure of data categories collected and sold
• Consumer access rights — individuals can find out which brokers hold their data
• Opt-out obligations — brokers must provide a clear mechanism for consumers to request deletion

For businesses, this means that if you buy, sell, or aggregate consumer data without a direct relationship with those consumers, you may need to register as a data broker in Connecticut — in addition to any registration requirements in California, Vermont, Oregon, and Texas.

2. Facial Recognition Technology Restrictions

The facial recognition provisions in SB 4 would impose new rules on how businesses and government entities use biometric facial recognition technology. Key proposals include:

• Notice requirements — entities must clearly disclose when facial recognition is in use
• Consent obligations — certain uses of facial recognition may require affirmative consent
• Accuracy and bias auditing — operators may need to test systems for demographic accuracy disparities
• Use limitations — restrictions on using facial recognition for mass surveillance or profiling without specific justification

This would put Connecticut alongside Illinois (whose Biometric Information Privacy Act, or BIPA, remains the strictest biometric law), Washington, and Texas in having specific facial recognition regulations.

3. Algorithmic Pricing Transparency

Perhaps the most novel provision in SB 4 is its approach to algorithmic pricing — the practice of using personal data, browsing history, location, or other consumer information to set individualized prices. The proposed requirements include:

• Disclosure — businesses must inform consumers when they use personal data to determine pricing
• Opt-out right — consumers may be able to opt out of personalized pricing and receive a "standard" price
• Non-discrimination — prices cannot be set in ways that discriminate based on protected characteristics

Algorithmic pricing has become a flashpoint for consumer advocates after reports of surge pricing, dynamic pricing, and personalized pricing across industries from e-commerce to insurance. If SB 4 passes, Connecticut would be one of the first states to directly regulate this practice through its privacy law.

Current Status and Timeline

SB 4 was voted out of the Joint Committee on General Law with amendments in March 2026. It still needs to pass the full Connecticut Senate and House, and be signed by the Governor. Key dates:

• March 2026 — Voted out of Joint Committee on General Law (current status)
• Spring 2026 — Full Senate and House votes expected
• If enacted — Effective date would likely be late 2026 or January 1, 2027

The bill still faces the legislative process, so changes are possible. Businesses should monitor its progress but begin assessing the potential impact now.

How This Compares to Other States

Feature	Connecticut (SB 4 proposed)	California (CCPA/CPRA)	Maryland (MODPA)
Data broker registration	Proposed	Required (Delete Act)	Not required
Facial recognition rules	Proposed (notice + consent)	Limited (ADMT regulations pending)	Not specifically addressed
Algorithmic pricing transparency	Proposed	Not specifically addressed	Not specifically addressed
Data minimization	Existing (reasonable)	Existing (reasonable)	Strictest (necessary + proportionate)
Universal opt-out (GPC)	Required	Required	Not required

What Businesses Should Do Now

1. Assess Data Broker Status

Determine whether your business qualifies as a data broker. If you collect and sell consumer data without a direct relationship, you may need to register. Check our data broker registration guide to see where you already have obligations.

2. Audit Biometric Data Practices

If your business uses facial recognition, fingerprint scanning, or other biometric technologies, document your current practices. Even if SB 4 doesn't pass, the trend toward biometric regulation is clear — Illinois, Texas, and Washington already have laws, and more states are following.

3. Review Pricing Algorithms

If you use personal data to set individualized prices, document how the algorithm works and what data inputs it uses. Consider whether you can offer a "standard price" option for consumers who opt out.

4. Ensure CTDPA Baseline Compliance

Before worrying about SB 4 additions, make sure you're compliant with the existing Connecticut Data Privacy Act. This includes honoring universal opt-out signals, processing consumer data requests, and conducting data protection assessments.

5. Use the Privacy Law Calculator

Check whether Connecticut's privacy laws apply to your business by using our Privacy Law Calculator. If they do, Connecticut SB 4's new requirements will likely apply as well.

Frequently Asked Questions

Is Connecticut SB 4 law yet?

No. As of March 2026, SB 4 has been voted out of the Joint Committee on General Law with amendments. It still needs to pass the full Connecticut Senate and House, and be signed by the Governor. The bill could be amended further during the legislative process.

What is a data broker under Connecticut law?

While the final definition in SB 4 may be refined, data brokers are generally defined as entities that collect and sell personal data about consumers with whom they do not have a direct relationship. This is similar to the definition used in California, Vermont, and other states with broker registration laws. Check our Data Broker Classification Quiz to assess your status.

Does SB 4 affect small businesses?

SB 4 would amend the existing CTDPA, which applies to entities that conduct business in Connecticut and either control or process personal data of at least 100,000 consumers, or 25,000 consumers with revenue derived from data sales. Small businesses below these thresholds would generally not be affected. Use our calculator to check.

What about the CTDPA's existing requirements — do those change?

SB 4 adds new provisions on top of the existing CTDPA framework. The existing requirements — consumer rights, data protection assessments, opt-out preference signals, sensitive data protections — remain in effect. The new data broker, facial recognition, and pricing provisions would be additional obligations.

When would SB 4 take effect if enacted?

The effective date would be specified in the final version of the bill. Based on prior Connecticut privacy legislation, it would likely take effect either immediately upon signing, at the start of the next calendar year (January 1, 2027), or after a specified compliance period.

Last updated: March 29, 2026.