Connecticut has just become the second state in the country to require data brokers to participate in a centralized, state-run consumer deletion platform — a major escalation in data broker regulation that compliance and privacy professionals cannot afford to ignore. Signed by Governor Ned Lamont, the new law doesn’t stop at registration. It bans the sale of precise location data, restricts personalized pricing practices, and tightens controls over genetic and biometric information. But the data broker provisions are the centerpiece, and they set a new national benchmark.
If your organization collects, aggregates, or sells personal information about individuals with whom you have no direct relationship, this law almost certainly applies to you. Here’s what you need to know.
Connecticut Joins California in Building a Centralized Deletion Infrastructure for Data Brokers
Connecticut’s new law requires data brokers to register with the state and — critically — to check a state-built deletion platform every 45 days for new consumer requests to delete their personal information. This mirrors the framework California implemented through its Delete Request and Opt-Out Platform (DROP Act), which was the first centralized deletion system of its kind in the United States.
We’ve written extensively about how California’s DROP system works and what it demands from data brokers. Connecticut’s law closely mirrors those obligations — but applies them to a second major state’s consumer population. With two states now running centralized deletion platforms, businesses that operate as data brokers or rely heavily on third-party data pipelines face compounding compliance obligations across state lines.
The 45-day check cycle is not aspirational — it is a legal requirement. Data brokers must build this into their operational cadence, document their responses, and be prepared to demonstrate compliance. For organizations that have not yet built structured processes around deletion requests, Connecticut’s October 1 deadline creates real urgency.
Who Counts as a Data Broker Under Connecticut’s Law?
The law targets companies that collect and sell or license personal data about consumers with whom the business has no direct relationship. This is the classic definition that has been applied in California, Vermont, and other state broker registration regimes — and it captures a wide range of businesses, including data aggregators, people-search platforms, marketing data suppliers, analytics resellers, and enrichment services.
Businesses that are not traditional “data brokers” but that monetize personal data as a side activity — sharing or selling customer lists, behavioral signals, or derived data to third parties — should assess whether they fall within scope. The lines are not always obvious, and regulators have made clear they will scrutinize businesses that obscure or minimize their data broker activities.
The Location Data Sales Ban: A Direct Hit on Data Broker Revenue Models
One of the most consequential provisions in Connecticut’s new law is the outright prohibition on selling precise location data. This is not a disclosure requirement or an opt-out mechanism — it is a flat ban. For many data brokers, the sale of location signals derived from mobile devices and connected apps has been a significant revenue stream. That practice is now prohibited for Connecticut residents’ data.
“Precise location data” refers to information that can identify an individual’s whereabouts within a sufficiently small geographic radius — enough to reveal where they live, work, worship, receive medical care, or travel. The sensitivity of this data has attracted increasing regulatory attention at both the state and federal level, and Connecticut’s ban reflects a growing consensus that location data is too closely linked to personal safety and privacy to be treated as a routine commercial commodity.
For compliance teams, this requires a granular audit of data products and third-party data-sharing arrangements. If your data pipelines involve location signals — whether collected directly, purchased from SDKs, or embedded in advertising technology stacks — you need to determine whether Connecticut residents are included and whether that data is being sold or licensed to third parties.
Connecticut’s Enforcement Track Record Makes These Requirements Serious
This isn’t a law being passed in a state with a passive enforcement posture. Connecticut has one of the most active state-level privacy enforcement programs in the country. Attorney General William Tong has used the existing Connecticut Data Privacy Act (CTDPA) aggressively — investigating companies, issuing enforcement reports, and levying fines. Connecticut fined TicketNetwork $85,000 for data privacy violations, and AG Tong’s enforcement reports have made clear that Connecticut expects meaningful compliance — not just nominal acknowledgment of requirements.
The CTDPA Enforcement Report laid out the AG’s priorities in detail, and data brokers, personalized targeting, and consumer deletion rights have all featured prominently. Connecticut’s new law expands the AG’s toolkit and creates new categories of violation. Businesses that already struggled to meet the foundational requirements of the Connecticut Data Privacy Act (CTDPA) will now need to layer these additional obligations on top.
AG Tong has also been vocal about the need to regulate AI and algorithmic systems — his sweeping AI enforcement blueprint for Connecticut signals that data practices feeding algorithmic decision-making are firmly in the AG’s crosshairs.
What the Law Also Covers: Personalized Pricing, Facial Recognition, and Genetic Data
Beyond the data broker framework, the new law introduces restrictions in three additional areas:
Personalized pricing: Retail sellers and third-party delivery services are prohibited from using personal data, browsing history, or location information to set prices for individual consumers. Other businesses must disclose when a price-setting mechanism has used personal data to determine the price a consumer sees. This reflects a broader trend — multiple states are moving to limit or regulate the use of behavioral and location data to charge different consumers different prices for the same goods or services.
Facial recognition technology: New restrictions on how businesses may use facial recognition will limit certain deployment scenarios. Compliance teams working with identity verification, access control, or retail analytics should review these provisions carefully.
Genetic and biometric data: Consumers gain additional control over how their genetic information is collected, used, and shared. Combined with the existing Connecticut Data Privacy Act’s treatment of sensitive data categories, this represents a significant expansion of the protections around information that is, by nature, permanent and highly personal.
Phased Implementation: Two Key Deadlines
Connecticut’s new requirements roll out in two waves. A set of amendments to the existing CTDPA framework takes effect in July 2025, expanding the range of businesses that must comply with state privacy requirements, creating new restrictions on the use of sensitive data, and prohibiting targeted advertising directed at minors. The data broker registration mandates, location data sales ban, personalized pricing rules, and the new deletion platform requirements then take effect on October 1, 2025.
The Connecticut Senate Bill 4 package that contains these amendments is also notable for its breadth — it represents not just new privacy rules but a signal that the Connecticut legislature is prepared to continue expanding the state’s privacy framework in step with national enforcement trends.
What Data Brokers and Data-Intensive Businesses Need to Do Now
The combination of the July and October deadlines means there is no time for a wait-and-see approach. Here are the core steps organizations should be taking now:
- Determine whether you qualify as a data broker. Review your data collection, aggregation, and sharing practices against Connecticut’s definition. If you sell or license personal data about consumers you have no direct relationship with, you are almost certainly in scope.
- Register with the state. Data broker registration requirements are active as of October 1. Build registration compliance into your legal and operations calendar.
- Integrate the 45-day platform check into your workflow. This is not a one-time task — it must be a recurring operational process. Consider automation tools designed specifically for DROP Act and deletion platform compliance to handle this at scale.
- Audit location data flows immediately. Map where precise location data enters your pipelines and trace it downstream. Terminate any sale or licensing of Connecticut residents’ location data.
- Assess your pricing mechanisms. If your pricing engine uses personal data, behavioral signals, or location information, determine whether you fall under the ban or the disclosure requirement, depending on your business category.
- Review your CTDPA compliance baseline. The July 2025 amendments to the CTDPA expand its reach. If you haven’t conducted a thorough assessment of your obligations under the CTDPA, now is the time. A fine like the one outlined in the Connecticut Data Act fine guidance is a real risk for non-compliant businesses.
The National Picture: Connecticut and California Are Setting the Template
The significance of Connecticut’s law extends beyond its geographic reach. By building a centralized deletion platform modeled on California’s, Connecticut has validated the DROP framework as a replicable model for other states. If a third and fourth state adopt similar platforms, the operational demands on data brokers will compound significantly — each requiring periodic platform checks, documented deletion responses, and state registrations on separate timelines.
Organizations that treat these state requirements as isolated compliance events rather than part of a coherent national shift will find themselves perpetually scrambling. The pattern is clear: location data, data broker accountability, consumer deletion rights, and personalized pricing are all areas where state legislation is accelerating, not slowing down.
If your organization needs help mapping your data broker obligations, building deletion workflows, or preparing for Connecticut’s new requirements, Captain Compliance is here to help.
