Connecticut Just Passed SB4 By 141-6 in the House and 31-4 in the Senate—Forcing Every Data Broker to Register With the State, Letting You Wipe Your Records From the Whole Industry Through One Free Deletion Request, Banning Surveillance Pricing, and Sending the Bill to Governor Ned Lamont's Desk On May 4

Sen. James Maroney's Senate Bill 4 cleared the Connecticut House 141-6 on May 4, 2026, after the Senate had already approved it 31-4 the week before. Governor Ned Lamont is expected to sign. The legislation does four things at once: it forces every business that sells or licenses Connecticut residents' personal data to register with the state Department of Consumer Protection, it builds a single deletion mechanism that wipes you from every registered broker at once, it bans surveillance pricing in Connecticut commerce, and it rewrites the rules on facial recognition, geolocation, and genetic data for any company doing business inside the state. Most provisions take effect October 1, 2026.

Key Takeaways

• The Connecticut House passed SB4 on May 4, 2026, by a 141-6 vote, following 31-4 Senate passage the prior week.
• Sen. James Maroney (D-Milford) is the lead author; Rep. Roland Lemar (D-New Haven) and Rep. Hubert Delany (D-Stamford) co-chaired the bill.
• The bill creates a Department of Consumer Protection registry that every data broker selling or licensing brokered personal data must join, plus a free statewide deletion request that wipes a consumer's records from every registered broker at once.
• SB4 bans surveillance pricing in Connecticut, making it the second state to do so after Maryland signed its Protection from Predatory Pricing Act on April 28, 2026.
• Most provisions take effect October 1, 2026, with phased implementation; Governor Ned Lamont is expected to sign the bill, having already committed to signing the companion AI bill SB5.

What Does the Data Broker Registry Do?

SB4 requires every business that "sells or licenses brokered personal data" to third parties to register with the Connecticut Department of Consumer Protection. The registry comes with mandatory fees, public listing requirements, and—critically—a duty to disclose every trade name and website the broker operates under. That last requirement directly addresses a problem the California Privacy Protection Agency flagged in December 2025: brokers were hiding behind subsidiaries to avoid the published list.

Once a broker is on the registry, Connecticut residents get a tool the state will build and run: a single deletion request that propagates to every registered broker at once. The mechanism is patterned on California's Delete Request and Opt-Out Platform (DROP), which went live on January 1, 2026. The Connecticut version is free to use and does not require the consumer to identify which brokers hold their data—the registry handles the routing.

What Is Surveillance Pricing and Why Did Connecticut Ban It?

Surveillance pricing is the practice of charging individual consumers different prices for identical goods or services based on personal data—location, browsing history, device, employer, income proxies. The Federal Trade Commission opened an investigation into the practice in 2024 under Chair Lina Khan, sending compulsory process orders to eight companies including Mastercard, Revionics, and McKinsey. The investigation found that retailers were quietly varying prices in ways that consumers could not see or compare.

Maryland was the first state to act, with Governor Wes Moore signing the Protection from Predatory Pricing Act on April 28, 2026. Connecticut is the second. SB4's ban applies to any business charging Connecticut residents algorithmically derived personalized prices based on personal data. Disclosure rules apply where personalized pricing is allowed—for example, time of day surge pricing or volume discounts—but data driven individual pricing is prohibited outright. As with Maryland, loyalty programs and uniform discounts get a carveout, which advocates have already flagged as the most likely loophole.

How Does SB4 Change Facial Recognition Rules?

The bill introduces new definitions, disclosure requirements, and a consumer right to request the removal of images—particularly for facial recognition used in public spaces. Businesses deploying the technology must disclose where and how it operates, log retention periods for face templates, and respond to deletion requests within statutory deadlines. The law does not ban facial recognition outright, but it puts Connecticut closer to the Illinois Biometric Information Privacy Act model than to the Texas or Washington frameworks.

SB4 also strengthens protections for genetic and biometric data, expanding the consent requirements that the 2023 Connecticut Data Privacy Act already imposed on sensitive data. Geolocation data gets restrictions: companies that derive precise location from device sensors or app SDKs face new limits on resale and require affirmative consent before sharing with third parties.

How Does Connecticut Compare to Other States?

Connecticut became the fifth state in the country to pass a comprehensive privacy law when the 2023 Connecticut Data Privacy Act took effect. SB4 amends and strengthens that statute, putting Connecticut among the most aggressive enforcers in the U.S. as federal privacy legislation remains stalled. The state's first CTDPA enforcement report in 2026 already showed an aggressive posture from Attorney General William Tong's office.

California's Delete Act and the DROP mechanism that went live January 1, 2026, were the obvious precedent. Maryland's Protection from Predatory Pricing Act, signed April 28, 2026, set the surveillance pricing template. SB4 combines both approaches in a single statute. The companion AI bill, SB5, is moving on a parallel track and Governor Lamont has already committed to signing it. Together, the two laws give Connecticut the strongest combined privacy and AI framework on the East Coast.

When Do These Rules Take Effect and What Should You Do?

The bulk of SB4's provisions become operative on October 1, 2026, with phased rollout for the deletion mechanism (the state needs time to stand up the technical infrastructure) and for the data broker registry (existing brokers get a window to register). Penalties for non compliance escalate after October 1, with civil enforcement vested in the Attorney General's office.

If you live in Connecticut, the practical impact arrives in two waves. October 1, 2026: data broker registry is searchable, surveillance pricing is illegal, and facial recognition disclosure rules apply. Sometime in 2027: the unified deletion request goes live, and a single submission to the state portal will remove your records from every registered broker at once. For businesses operating in Connecticut, the implementation timeline is shorter than it looks—the registry requires advance work to inventory data flows, and the surveillance pricing ban means auditing every algorithm that touches Connecticut customers before October.

The Wider Pattern

SB4 is the third state level data broker statute in 2026, alongside California's DROP rollout and Maryland's surveillance pricing law. The federal SECURE Data Act introduced in the U.S. House on May 12, 2026, attempts to do at the federal level what Connecticut has done at the state level—but with federal preemption baked in, which would override the very state laws now leading enforcement. Until Congress acts, states like Connecticut, California, Maryland, Texas, and Colorado are the operational privacy regulators for the U.S. market. The next 18 months will determine whether SB4's deletion mechanism becomes the national template or another state level patchwork that businesses route around.