Connecticut has taken a proactive yet measured approach to regulating artificial intelligence through amendments to its comprehensive consumer privacy framework and new targeted AI legislation. The state’s flagship law, the Connecticut Data Privacy Act (CTDPA), was significantly amended in 2025, with key provisions taking effect on July 1, 2026. These changes expand applicability thresholds, broaden sensitive data definitions, and introduce specific AI-related disclosures.
In May 2026, the legislature passed Senate Bill 5 (the Connecticut Artificial Intelligence Responsibility and Transparency Act), a comprehensive measure addressing AI in employment, synthetic content, chatbots, and frontier models. Governor Ned Lamont is expected to sign it, with most provisions effective October 1, 2026.
Key Features of Connecticut’s Framework
• Privacy Law Enhancements (CTDPA): Controllers must disclose in privacy notices whether they collect, use, or sell personal data to train large language models (LLMs). The law also strengthens consumer rights regarding profiling and automated decisions with legal or significant effects, including expanded opt-out rights and impact assessments for certain processing.
• AI-Specific Obligations (SB 5): Focuses on Automated Employment Decision Technology (AEDT) with notice, disclosure, and adverse action explanation requirements. It includes protections against discriminatory use, requirements for synthetic digital content labeling, safeguards for AI chatbots (especially for minors), and whistleblower protections for frontier model developers.
• Enforcement and Balance: Primarily enforced by the Attorney General, with cure periods available. The approach leverages existing privacy and consumer protection laws while adding targeted transparency measures, reflecting challenges like algorithmic bias, data privacy in training, and risks to vulnerable users.
Connecticut’s strategy aims to protect consumers—particularly in employment and for minors—while fostering responsible AI innovation. Businesses should review their data practices, update privacy notices by mid-2026, and prepare for AEDT compliance obligations.
Businesses operating in Connecticut or targeting Connecticut residents are encouraged to monitor Attorney General guidance and begin compliance planning.