Connecticut expands privacy law with facial recognition, age assurance rules

Connecticut has enacted a sweeping package of privacy, online safety, and AI measures that places the state among the most active in the country in regulating the commercial data economy and emerging algorithmic harms.

Gov. Ned Lamont signed Senate Bill 4 into law last Friday, creating a new state deletion system modeled on California’s Delete Act and expanding Connecticut’s existing consumer privacy framework.

The action follows Lamont’s signing of Senate Bill 5, a separate online safety and AI law that imposes new rules on AI companion chatbots, automated employment decision tools, synthetic media, and social media platforms used by minors.

Taken together, the two laws move Connecticut beyond a conventional consumer privacy model and toward a broader technology accountability framework.

SB 4 targets the underlying data economy by regulating data brokers, precise geolocation data, facial recognition, automated profiling, and automated license plate reader records.

SB 5 addresses the systems that use data and algorithms to influence behavior, simulate human interaction, make employment-related decisions, or expose minors to addictive online design features.

SB 4 directs the state to create an online deletion mechanism allowing residents to request removal of personal information from registered data brokers through a single portal, similar to California’s Delete Act framework. The law also requires broker registration, prohibits the sale of geolocation data and expands consumer rights over profiling and AI-related data uses.

The privacy package also expands the Connecticut Data Privacy Act, enacted in 2023. Beginning in July, the law will apply to businesses handling data from at least 35,000 consumers, down from 100,000. The law will also cover organizations that process sensitive data or sell personal information regardless of size, extending its reach to smaller but data-intensive firms.

The law also brings facial recognition more directly into Connecticut’s privacy framework. Businesses using facial recognition technology must provide notice and comply with restrictions on how biometric databases are maintained and used.

SB 4 also expands oversight of automated profiling and AI-related data practices, including new transparency requirements and consumer rights related to automated decision-making.

SB 5, meanwhile, creates a separate but related law governing online safety and AI.

SB 5 combines targeted rules for AI companion chatbots, automated employment decision tools, synthetic media, youth online safety, workforce development initiatives and planning for a state AI regulatory sandbox.

The AI companion chatbot provisions are among the most consequential parts of SB 5.

The law requires chatbot operators to adopt protocols to detect self-harm, provide clear notices that users are communicating with an AI companion, and restrict access by minors when a system can encourage self-harm or provide mental health-related interactions.

The law also requires initial and hourly disclosures that the bot is not human.

For users under 18, the law prohibits access to AI companions where it is reasonably foreseeable that the system can encourage self-harm, violence, disordered eating, unlawful alcohol or drug use, romantic or sexually explicit interaction, or engagement-maximizing techniques that supersede safety protections.

The social media provisions prohibit covered platforms from exposing minors to addictive algorithms and notifications without parental consent. They also establish default protections involving account privacy, time of use, and notifications, including a ban on notifications to minors between 9 p.m. and 8 a.m. unless a parent consents to changing the default settings.

The law also requires social media companies to report annually to the state on the number of minors using their platforms, the number of minors with parental consent to use addictive algorithms, and the average amount of time minors spend on the platform per day, broken down by age and time of day.

Platforms must also display a warning label pop-up when a minor opens a social media app, informing the user of mental health risks associated with social media use.

Attorney General William Tong framed the provisions as child safety measures rather than a ban on social media use by minors. Connecticut has pursued investigations involving major platforms including Meta and TikTok over concerns about harms to young users.

SB 5 also contains synthetic media transparency provisions. Developers of AI systems or models capable of generating synthetic digital content must ensure that such content is marked and detectable as synthetic, as far as technically feasible, beginning October 1, 2027.

The law includes exceptions, including for some artistic, satirical, public interest and assistive editing uses.

Together, SB 4 and SB 5 move Connecticut beyond a traditional consumer privacy model toward a broader framework governing data brokers, AI systems, digital platforms and biometric technologies. The package reflects a growing trend of states stepping into regulatory areas where Congress has yet to establish comprehensive federal privacy or AI rules.

Article Topics

biometrics  |  chatbots  |  Connecticut  |  data protection  |  facial recognition  |  social media  |  United States