Connecticut Adopts AI Transparency, Safety, and Consumer Protection Law

On May 1, 2026, the Connecticut legislature passed SB 5 (the Act), a wide-ranging law that imposes obligations on developers, deployers, and providers of artificial intelligence (AI) technologies and establishes several distinct regulatory frameworks. Governor Ned Lamont intends to sign the Act. When he does, Connecticut will join California, Colorado, and other U.S. states that have enacted AI-specific laws notwithstanding President Trump's executive order that was intended to encourage AI development and ensure the U.S. "wins the AI race" by preempting or penalizing burdensome state regulation.

Unless otherwise specified, the provisions of Connecticut's new AI law become effective on October 1, 2026. While most of the provisions are enforceable exclusively by the Connecticut Attorney General under the Connecticut Unfair Trade Practices Act (CUTPA), the Act allows a private right of action for violations of the provisions regarding minors' use of AI companions.

Disclosure Obligations for Subscription-Based Providers

Entities that offer AI technologies to consumers on a subscription basis—broadly defined to include any computer system, application, or other product using or incorporating AI, provided in exchange for any fee or remuneration—may not collect fees or enter into or renew a subscription with a consumer before providing the consumer written pre-contract disclosures and receiving written notice from the consumer accepting the key terms and conditions of the subscription. Required disclosures for an initial subscription must include material information sufficient to enable a reasonable consumer to decide whether to purchase the subscription, including the quantitative and qualitative limitations that the provider may impose based on consumer conduct and whether the provider has discretion to limit or eliminate the consumer's access to, or reduce the quantity or quality of, any functionality of the AI technology. For subscription renewals, the provider must disclose any quantitative or qualitative limitations that will be imposed for the first time during the subscription renewal term and any discretion described above that the provider will be able to exercise for the first time during the renewal term or that has been modified for the subscription renewal term. Violations are enforceable exclusively by the Connecticut attorney general as unfair or deceptive trade practices under CUTPA.

Frontier Model Developers: Whistleblower Protections and Catastrophic Risk

Frontier developers and large frontier developers are prohibited from making, adopting, or enforcing any rule, policy, or contract that allows the discharge, discipline, or penalization of (1) a whistleblower, as defined in Connecticut law, or (2) an employee responsible for assessing, managing, or addressing "catastrophic risks" and who has reasonable cause to believe that the frontier developer has engaged in any activities posing a specific and substantial danger to public health or safety due to such risk. Frontier developers must affirmatively disclose employees' and the developers' rights and responsibilities in this regard.

Definitions

The Act defines "frontier developer" as any person doing business in Connecticut who intends to train, initiate the training of, or trains a foundation model using a quantity of computer power that is greater than 10²⁶ floating-point operations ("FLOPs"), inclusive of compute used for original training, fine-tuning, reinforcement learning, and material modifications to preceding frontier models. A "large frontier developer" is a frontier developer whose annual gross revenues, aggregated with those affiliates under common control, exceeded $500 million during the preceding calendar year. "Catastrophic risks" are foreseeable and material risks that the development, storage, use, or deployment of a frontier model will materially contribute to the death or serious injury of more than 50 individuals or more than $1 billion in property damage from a single incident, where the model either (1) provides expert-level assistance in the creation or release of a chemical, biological, radiological, or nuclear weapon, or (2) autonomously engages—without meaningful human oversight—in conduct that constitutes a cyberattack, or, if an individual had engaged in such conduct, would constitute certain enumerated crimes. The definition expressly excludes foreseeable and material risks posed by outputs publicly accessible in substantially similar form elsewhere, lawful government activity, and risks arising from a combination of the model and other software where the model did not materially increase the risk.

Internal Reporting Mechanisms

By January 1, 2027, large frontier developers must establish an anonymous internal reporting channel through which "covered employees"—those responsible for assessing, managing, or addressing relevant risks—may report good-faith beliefs that the developer has engaged in any activity posing a danger of catastrophic risk. The developer receiving the report must provide monthly status reports to each reporting employee, while preserving anonymity, and with the officers and directors of the large frontier developer at least quarterly, excluding officers and directors whom the reporting employee has alleged to have engaged in wrongdoing. Each frontier developer must provide its employees clear notice—posted and displayed at all times within the workplace and provided separately at least annually—of such employees' rights and responsibilities under this section.

Enforcement

The Connecticut Attorney General may bring enforcement actions seeking penalties of up to $1,000 per violation, injunctive relief, and other equitable remedies.

New Obligations Regarding Automated Employment-Related Decisions

Beginning October 1, 2027, deployers of automated employment-related decision technologies (AERDTs) that are intended to interact with employees or applicants in Connecticut must disclose to employees or job applicants that they are interacting with an AERDT (where not obvious to a reasonable person), and before any such employment-related decision is made: (1) that the deployer has deployed an AERDT; (2) the purpose of the AERDT and nature of the employment-related decision; (3) the trade name of the AERDT; (4) the categories of personal data that will be analyzed or processed and how the personal data will be assessed in reaching a decision; (5) the sources of personal data; and (6) the deployer's contact information. Developers that advertise, market, configure, contract for, or sell or license AERDTs to be used to materially influence an employment-related decision must provide deployers with all information necessary to comply with the foregoing obligations or may contractually assume those obligations directly.

Definitions

The Act defines AERDTs as any technology that processes personal data and uses computation to generate outputs—including, but not limited to, a rank, score, classification, or recommendation that is a substantial factor used to make or materially influence an employment-related decision. Standard office productivity and networking software, and information that is purely descriptive, diagnostic, or statistical in nature and not relied on to materially influence or make or materially influence such decisions, are excluded. An "employment-related decision" means a decision made based on personal data to recruit, hire, promote, discipline, or discharge such individual; renew employment; select an individual for training; or with respect to tenure or other conditions of employment. It does not include a decision that results in a nonmaterial change to job tasks, work responsibilities, work assignments, and so forth, or one that is made with respect to workplace health and safety, scheduling and planning, or productivity monitoring. "Substantial factor" means a factor, including a ranking or score, that meaningfully alters the outcome of an employment-related decision concerning an individual in Connecticut. A "developer" is any person who develops or intentionally and substantially modifies an AERDT.

Employees Who Are Subjects of Automated Adverse Employment-Related Decisions

Deployers must provide additional disclosures directly to employees or job applicants who are the subjects of adverse employment-related decisions in the deployer's usual language and in a format accessible to persons with disabilities. Specifically, deployers must provide a high-level statement disclosing the principal reasons for the adverse decision, including the degree to which the AERDT output contributed to the decision, the type and source of data processed, and—where the output was based on personal data not provided by the individual—information enabling the individual to examine and correct that data. Trade secrets need not be disclosed, but the deployer must identify what was withheld and the basis for withholding.

Enforcement

The Connecticut attorney general has exclusive authority to enforce the Act under CUTPA. Violations of the provisions above related to the use of AERDT that occur on or before December 31, 2027, are subject to a discretionary 60-day right to cure if the attorney general determines a cure is possible.

Anti-Discrimination Provisions

The Act also amends the Connecticut employment discrimination law in several ways, including that the use of AERDT will not be a defense against allegations of discriminatory conduct. In any enforcement proceeding, the courts and the Commission for Consumer Protection must consider whether the employer conducted anti-bias training or otherwise made proactive measures to prevent discriminatory outcomes.

AI Companions: Operator Obligations

Beginning January 1, 2027, operators of AI companions are prohibited from providing or operating an AI companion unless it does the following:

• Incorporates a protocol, posted prominently on the operator's website, that uses evidence-based methods (1) designed to detect and address user expressions clearly indicating a risk of self-harm, suicide, or imminent violence, and to prevent the AI companion from generating any output that encourages the same; (2) refer users to appropriate mental health resources, including the National Suicide Prevention Lifeline, if it detects same; and (3) if it detects such expression after the user was referred to mental health resources, refer the user to mental health services in a manner consistent with clinical best practices and expertise; and
• Implements reasonable measures to prohibit and prevent the AI companion from (1) claiming that the AI companion is a human being; or (2) generating any output that refutes or conflicts with any disclosure that the AI companion is not a human being.

If an AI companion would cause a reasonable person to believe that the individual is interacting with another human being and not an AI companion, the operator must also provide clear and conspicuous notice that the AI companion is not a human being either in static written form throughout the interaction or in an audible or written form at the beginning of the first interaction daily and, if the user is under 18 years of age, at least hourly during continuous interactions, or, if the user is 18 or older, at least once during each three-hour period of continuous interaction. The Connecticut attorney general has exclusive authority to enforce the law under CUTPA.

Definitions

An "AI companion" is any form of AI with a natural language interface that (1) provides adaptive human-like responses to user inputs, and (2) is able to sustain a relationship across multiple interactions. AI companions do not include the following:

• A chatbot used solely for internal business purposes, customer service, employee productivity, or assisting patient or resident care services in a facility, education, or financial services, so long as it is not marketed to consumers as a companion;
• Any chatbot that is a feature of a video game, gaming system, or app; is limited to replies related to such game, gaming system, or app; and cannot discuss topics related to mental health, self-harm, or sexually explicit conduct or maintain a dialogue on other topics unrelated to the video game, gaming system, or app;
• Any stand-alone consumer electronic device that (1) functions as a speaker and voice command interface, (2) acts as a voice-activated virtual assistant, and (3) does not sustain a relationship across multiple interactions or generate outputs likely to elicit emotional attachment;
• Any narrowly tailored educational tool that is used in school or instructional settings, is designed solely for particular learning objectives, and does not provide open-ended conversational companionship;
• Any AI system used solely to provide healthcare-related education, clinical support, reminders, disease-management guidance or other treatment-support functions so long as it does not present itself as a human being, does not use anthropomorphic features, and is not designed to meet a user's social or emotional needs;
• Any narrow, task-specific tool that provides outputs relating to a discrete topic or function, so long as the primary function is not to discuss topics related to mental health; and
• Any individual or entity that develops, licenses, or provides an AI model or system to another individual or entity and that does not determine the specific use case, user interface, or deployment context in which such model or system interacts with end users.

An "operator" is any individual or business entity who provides an AI companion to, or operates an AI companion for, an individual who uses the AI companion for personal use within Connecticut.

Special Restrictions Related to Minors

Operators are prohibited from providing AI companions to users whom the operator knows, or has reason to believe, are under 18 years of age unless the operator has instituted measures that meet industry standards and prevent the AI companion from doing the following:

• Encouraging self-harm, suicide, violence, disordered eating, or unlawful substance abuse;
• Offering unauthorized mental health services, unless the AI companion is designed for such purposes and meets certain standards, and is not marketed or designated as a substitute for a licensed mental health professional;
• Discouraging engagement with licensed mental health professionals or trusted adults;
• Encouraging harm to others;
• Engaging in any romantic, erotic, or sexually explicit interaction;
• Using certain manipulative techniques to extend interaction; or
• Optimizing user engagement in any manner that disregards any of the above.

Operators that know, or have reason to believe, a user is under 18 years of age also must make screen time and account settings controls available to minor users and their parents. Operators that knew or had reason to believe that a user was 18 or older before providing access will not be liable under this section. The Connecticut attorney general has exclusive authority to enforce this provision under CUTPA.

Watermarking Requirements for Synthetic Digital Content

Any person who creates, codes, or otherwise produces a generative AI system that (1) has more than 1 million users per month, and (2) is publicly accessible to consumers for personal use (a "covered provider") must do the following:

• Include provenance data in any audio, image, or video content created or materially altered by such covered provider's generative AI system, to the extent technically feasible, in a manner that allows a consumer to assess whether such content was created or materially altered by such system; and
• Use commercially and technically reasonable methods, including the relevant standard established by the Coalition of Content Provenance and Authority, to make the provenance data difficult to tamper with, remove, or disassociate from such content.

"Materially alter" means to substantially alter the data of any content and does not include any minor modification that does not lead to a significant change in the perceived content or meaning of such content.

Covered providers are not required to include any information relating to an identified or reasonably identifiable individual in the provenance data included in any content or materially altered by the generative AI system or to disclose a trade secret or other proprietary information. Exemptions apply to such systems used or licensed in a business-to-business context and products, services, websites and online services that solely provide video game or interactive experiences, including direct sales of goods and services online.

The attorney general has exclusive authority to enforce this provision under CUTPA.

Additional Provisions

Regulatory Sandbox. The Commission of Economic and Community Development must, by July 1, 2027, develop a plan for an AI regulatory sandbox program permitting temporary limited-basis testing of AI products and services under reduced licensing and regulatory requirements. The Commission of Economic and Community Development must submit recommendations for this program to the governor and certain committees of the general assembly by January 1, 2028.

Working Group. The Act establishes a multistakeholder working group as part of Connecticut's legislature to recommend AI best practices for public services and state employees; recommend methods and resources to assist small businesses in adopting; develop proposals to create a "technology court" to adjudicate AI, data privacy and other technology-related issues; propose legislation regulating the use of AI and requiring social media platforms to provide a signal when displaying synthetic digital content; and review and make other recommendations concerning the use and deployment of AI.

Takeaways

• If you provide AI technology to consumers in exchange for any fee or other compensation, you must provide written pre-contract disclosures covering key terms and conditions—including any quantitative or qualitative limitations that can be imposed on the consumer's use of the technology and your ability to limit or eliminate access to, or reduce the quantity, quality, or functionality of, the service. Review and update your subscription agreements and onboarding flows and watch for implementing regulations from the commissioner.
• If you are a frontier developer training foundation models at or above 10²⁶ FLOPs—or if you do so and have revenues exceeding $500 million—you face specific whistleblower obligations and must post notices explaining employees' rights and obligations. Prohibitions on retaliation take effect this year, so immediately audit any policies, employment contracts, or nondisclosure agreements that could be read to permit penalizing employees who raise concerns about "catastrophic risks." Large frontier developers must also establish an anonymous internal reporting channel by January 1, 2027, and begin quarterly board-level reporting on reported risks. Engage HR, legal, and compliance teams now to design these processes.
• Audit technology tools used in recruiting, screening, promotion, discipline, and termination processes to determine whether any qualifies as an AERDT, and review contracts with vendors who supply these tools. Developers of these tools may be required to give deployers the information they need to comply with the Act, depending on how the developer markets or configures the tool. If the vendors are not required or not able to do so, take steps now to renegotiate agreements or find alternatives. In addition, assess whether these tools create discrimination risks under the Connecticut anti-discrimination law. Develop anti-bias testing and other proactive measures to prevent discriminatory outcomes.
• Begin to develop the disclosures and processes you will need to deliver pre-decision notices and explanations of adverse decisions.
• If you operate a product that qualifies as an AI companion, develop and implement a self-harm and violence detection protocol and begin delivering mandatory disclosures to users. Determine whether any such tools you offer qualify for an exemption. Implement additional policies and procedures with respect to minors.
• If you code, create, or otherwise produce a generative AI system, determine whether you are a "covered provider" required to provide provenance data for images, audio, or video content generated by the system. Determine whether your products may fall within one of the exceptions.

+++

Nancy Libin is a partner in the Washington, D.C. office of DWT. She is co-chair of the technology, communications, privacy & security practice and is the Chair of the privacy & security practice. For more any questions or more insights, please reach out to Nancy or another member of our privacy & security team and sign up for our alerts.