Connecticut Amends Data Privacy Act and Regulates Data Brokers and Algorithmic Pricing

New sections and amendments to the CTDPA substantially limit the sale of personal data, algorithmic pricing, use of facial recognition technology, and more.

The Connecticut legislature passed new legislation (the Act) on May 14, 2026, amending the Connecticut Data Privacy Act (CTDPA) and making Connecticut the fifth state to enact comprehensive legislation to regulate data brokers, joining California, Texas, Vermont, and Oregon, and the second state—after Maryland—to regulate algorithmic pricing. Governor Ned Lamont signed the Act on May 27, 2026.

The Act, among other things, will require entities doing business in Connecticut to: (1) determine whether they are data brokers, and if so, get ready for compliance with the new obligations that include registration, data deletion, and audits; (2) provide mandatory disclosures, if using personalized algorithmic pricing; (3) implement new processes related to the use of facial recognition technology; (4) recategorize certain "publicly available information" used; and (5) implement new restrictions on precise geolocation data.

Data Broker Registration and Regulation

The Act establishes a comprehensive regulatory framework for data brokers operating in Connecticut. It defines "data broker" broadly to include any business—or portion of such business, if the business is not an individual—that sells or licenses brokered personal data to another person. The definition is not limited to companies whose primary business model is data brokerage, so any business that sells or licenses such data for monetary or other consideration—even as a secondary revenue stream—may be a covered data broker. The Act does not define "sale," but the term is defined broadly under the CTDPA to mean the exchange of personal data for monetary or other valuable consideration. "License" is also broadly defined in the Act to mean the granting of access to, or the distribution of, brokered personal data in exchange for consideration. Licensing does not include using personal data for the sole benefit of the person who provided such data, so long as that person maintains control over its use. This limitation ensures that a controller that discloses personal data to a processor under a data processing agreement will not be deemed a data broker based solely on that disclosure.

Beginning January 1, 2027, any business that sells or licenses "brokered personal data"—defined as one or more personal data elements (including, but not limited to, name, address, date or place of birth, mother's maiden name, and other information that, alone or in combination with other information sold or licensed, would allow a reasonable person to identify a "consumer" with reasonable certainty) that the business categorizes or organizes for sale or to license to a third party—must register as a "data broker" with the Department of Consumer Protection (Department) and pay a $2,500 registration fee before selling or licensing such data. Registration must be renewed and the fee paid annually. "Consumer" has the meaning given to that term under the CTDPA and thus excludes people acting in a commercial or employment context.

The data broker initial registration or renewal application must include the following information:

  • Applicant's name, mailing address, an actively monitored email address, and telephone number;
  • Address of the applicant's primary website;
  • Address of publicly available consumer rights webpage that includes certain information;
  • Whether the applicant collects minors' personal data or consumers' precise geolocation data or reproductive or sexual health data;
  • Information about the applicant's regulatory status under other legal regimes, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and Connecticut's Insurance Data Security Act; and
  • Measures the applicant will take to ensure that no personal data are sold or licensed in violation of the Act or the CTDPA.

For registration renewals after July 1, 2029, applicants must post the statement disclosing the statistics described below under "Annual Disclosures." For registration renewals after July 1, 2031, applicants also must disclose whether they have undergone an audit pursuant to the Act and, if so, the most recent year for which they submitted an audit report to the Department.

Privacy Policy

Registered data brokers must establish a privacy policy that includes measures designed to ensure that they do not sell or license personal data in violation of the Act or the CTDPA.

Four Key Changes for Businesses:

  • Data Broker Regulation: Businesses selling or licensing personal data may qualify as data brokers.
  • Limits on Algorithmic (Surveillance) Pricing: New rules for prices based on consumer data.
  • Restrictions on Facial Recognition Technology: New rules for businesses using FRT.
  • New Data Use Restrictions: Expanded protections for consumer data.

Centralized Deletion Mechanism for Consumers

By July 1, 2028, the Commissioner of Consumer Protection (the Commissioner) must establish a centralized, accessible deletion mechanism (ADM) through which consumers can submit a single verified deletion request directing all registered data brokers to delete the consumer's personal data. Consumers may selectively exclude specific data brokers from a deletion request. The ADM also must allow consumers to securely submit additional personal data—including information sufficient to establish that the consumer is a resident of Connecticut—to assist in processing their requests, determine the status of requests, and submit an update to existing requests. If a consumer submits their motor vehicle operator license number for the purpose of verifying a deletion request, the Commissioner must use that information to verify the request and for no other purpose. The ADM must enable registered data brokers to determine whether a consumer has excluded them from their requests but preclude them from accessing any additional personal data.

Beginning August 15, 2028, the Commissioner must verify that the consumer who purportedly submitted or updated a deletion request actually did so by using information submitted by such consumer sufficient to establish that the consumer is a resident of Connecticut and, following verification, update the ADM to inform each registered data broker that the request has been verified. If the Commissioner cannot do so, then all registered data brokers who are not specifically excluded from the unverified request may retain any personal data concerning the consumer so long as they process the unverified request as a request to opt out of the "sale" of personal data under the CTDPA.

Also beginning October 1, 2028, registered data brokers must access the ADM at least once every 45 days to process verified deletion requests or updates that do not exclude the data broker by deleting relevant personal data or—for unverified requests—retaining personal data concerning the consumer but opting the consumer out of the "sale" of such data. The Commissioner may impose a fee on registered data brokers for access to the ADM.

After deleting a consumer's personal data pursuant to a deletion request, the registered data broker may not maintain, use, or disclose any personal data subsequently acquired concerning that consumer, subject to a list of enumerated exceptions, which include:

  • Compliance with legal obligations; cooperation with law enforcement; investigation, establishment, exercise, or preparation for or defense of legal claims;
  • Prevention of fraud and other malicious or illegal activity;
  • Cybersecurity protection;
  • Providing products or services specifically requested by the consumer;
  • Performance of contracts to which the consumer is a party;
  • Taking steps to protect the life or physical safety of the consumer or another individual;
  • Conducting internal research for developing, improving, or repairing any product, service, or technology;
  • Effectuating product recalls, repairing technical errors, or fulfilling a warranty;
  • Conducting certain kinds of research; and
  • Performing internal operations reasonably aligned with the expectation of the consumer based on the consumer's relationship with the registered data broker.

The last exception may be difficult to implement in practice because brokered personal data—by definition—is personal data that the data broker obtains from a third party. Registered data brokers may maintain personal data to the extent necessary to comply with their obligations under the Act but may not use such data for any other purpose.

Annual Disclosures

No later than July 1, 2029, each business that was a registered data broker during the preceding calendar year must annually post on a publicly available webpage on its primary website aggregate statistics regarding the total number of deletion requests received and the disposition of each (e.g., deleted, retained, or a combination), with retention categorized according to the applicable exception.

Independent Audits

By July 1, 2031, and every three years thereafter, each registered data broker, at its expense, must retain an independent auditor to assess compliance with the ADM access and deletion obligations and prepare an audit report and maintain audit reports in a form and manner prescribed by the Commissioner for six years. Registered data brokers must submit these audit reports to the Department within five business days of receiving a request from the Department.

Exemptions

The Act exempts certain entities from coverage, including those subject to FCRA and GLBA; businesses (and service providers and agents of businesses) that collect personal data about consumers who are in a contractual relationship with the business; an investor in, or donor to, the business; or in a similar relationship with the business; service providers of governmental entities; businesses collecting data for chemical regulation under 21 U.S.C. § 830; certain candidate and political committees; and covered entities and business associates governed by HIPAA.

Moreover, the Act does not prohibit unregistered data brokers from selling or licensing brokered personal data if such selling or licensing exclusively involves:

  • Publicly available information that concerns a consumer's business or profession, is sold or licensed as part of a health or safety alert service, or is lawfully available from government records, unless such information is combined to create a consumer profile made available online for compensation or free of charge and used to generate inferences about consumers;
  • The development or maintenance of an e-commerce service or providing directory assistance for a telecommunications carrier;
  • Providing access to books, periodicals, educational work, or similar content; or
  • The disposition of assets related to a change in corporate control.

The Commissioner may adopt regulations to implement the Act and may impose civil penalties of up to $200 per day per consumer for each violation.

Personalized Algorithmic Pricing

The Act also imposes obligations and restrictions related to the use of "surveillance pricing," defined as the practice of establishing a customized price for consumer goods or services that is specific to the consumer based—in whole or in part—on the consumer's personal data collected (1) through any technology or technological method, system, or tool—including, but not limited to, any biometric monitoring, camera, device tracking or sensor—capable of collecting personal data concerning a consumer's behavior, characteristics, location, or other personal attributes in a physical or digital environment, and (2) by the person establishing the customized price either directly or indirectly by gathering, purchasing, or otherwise acquiring such personal data from a third party. The following practices are not "surveillance pricing": (1) establishing or offering a discounted price for a consumer service for the purpose of retaining a consumer as a customer; (2) establishing or offering different prices to different consumers for the same good or service due to justifiable cost differences in providing the good or service (e.g., delivery distance) or justifiable temporal differences, such as due to price fluctuations based on supply and demand; or (3) establishing or offering a discounted price for a good or service based on publicly disclosed uniform terms and conditions that may be satisfied by any consumer by, for instance, signing up for a mailing list, disclosing personal data, registering for promotional communications, or participating in a promotional event, so long as this is available to all consumers who are members of a broadly defined group or participants in a loyalty, membership, or rewards program in which the consumer must affirmatively enroll.

Specifically, any person doing business in Connecticut who uses a price setting device for any reason other than to establish a discounted price for a consumer good or service provided as part of an online transaction, and who directly or indirectly advertises, promotes, offers, announces, labels, or displays that price online, must make the following or substantially similar disclosure readily visible to the average consumer: "THIS PRICE WAS INCREASED USING YOUR PERSONAL DATA."

The Act also prohibits any retail seller or third-party delivery service doing business in Connecticut from engaging in surveillance pricing. A "retail seller" means a seller, at retail, of tangible property, including retail food establishments. A "third-party delivery service" means an entity outside of a retail food establishment's business that facilitates delivery or online ordering services to customers of a retail food establishment.

The following entities are exempt from these restrictions, prohibitions, and obligations: persons licensed, authorized to operate, or registered under the state insurance laws; financial institutions or their affiliates subject to the Gramm-Leach-Bliley Act; and certain banks and holding companies. These provisions become effective on October 1, 2026.

Violations constitute unfair or deceptive trade practices under the Connecticut Unfair Trade Practices Act (CUTPA).

Amendments to the Connecticut Data Privacy Act

The Act also amends several provisions of the CTDPA. These amendments become effective on October 1, 2026.

Restrictions Regarding the Use of Facial Recognition Technology

The Act imposes new restrictions on controllers and consumer health data controllers regarding the use on their premises of facial recognition technology (FRT) that analyzes facial images in still images or video to identify a specific individual. Specifically, FRT may not be used to protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, to preserve the integrity or security of systems, or for law enforcement-related purposes unless the controller or consumer health data controller that uses such FRT (1) does so exclusively to match still images or video against a database maintained exclusively by such controller or consumer health data controller, and (2) posts clearly legible signage at public entrances to the premises where FRT is deployed. Such signage must alert consumers that FRT is in use and include a conspicuous hyperlink or QR code linking to the entity's FRT policy.

These entities' FRT policies must provide contact information for the Connecticut Office of Attorney General and may disclose the controller's or consumer health data controller's policies concerning interactions between consumers and such controller's or consumer health data controller's loss prevention officers.

The obligations related to FRT do not apply if the controller or consumer health data controller has obtained the consumer's consent to use FRT in the course of a commercial transaction.

Definition of "Publicly Available Information" Narrowed

The CTDPA excludes "publicly available information" from the definition of "personal data." The Act amends the CTDPA and substantially narrows the scope of such information by excluding from the definition data such as biometric data collected without the consumer's knowledge; data collated into consumer profiles available for compensation or free of charge; data made available for sale; inferences derived from such data; obscene visual depictions; data combining precise geolocation information with other personal data; genetic data (unless made public by the consumer); information posted by a consumer on a public platform where the consumer maintained a reasonable expectation of privacy; and intimate synthetic images known to be nonconsensual.

Exemptions of Certain Types of Data and Entities from the CTDPA

The Act excludes from the application of the CTDPA any personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act, and covered entities, business associates, and protected health information under HIPAA.

Ban on Certain Processing of Precise Geolocation Data

The Act prohibits controllers from selling, sharing, transferring, or allowing any other person to access precise geolocation data.

Restrictions Regarding Any New Use of Personal Data

The Act prohibits controllers from processing personal data for any new purpose—not just for "material" new purposes—without consent if the new purpose is neither reasonably necessary to nor compatible with the purposes for which the data were collected, as disclosed to the consumer at the time of collection. This raises the bar for secondary use for analytics, product development using customer data, and data sharing with affiliates for new programs. Controllers must consider the consumer's reasonable expectations at the time of collection, the relationship between the new purposes and original purposes, the potential impact on the consumer, and any additional safeguards, such as encryption or pseudonymization.

Takeaways

Businesses should pay heed to the various effective dates and do the following:

  • Determine whether you are a "data broker" and develop a plan for compliance:
    • Audit your data flows now, including data sharing arrangements with affiliates and downstream partners to identify any arrangements that could trigger coverage.
    • Map current data sales and licensing arrangements and begin remediation.
    • Build internal processes to query the ADM on a regular basis, and track which consumers have submitted or updated deletion requests.
    • Build a logging and reporting infrastructure for aggregate statistics regarding deletion requests, how they were resolved, and the basis for retention decisions.
    • Assemble data needed to prepare your data broker registration, due January 1, 2027.
    • Select qualified auditors and design audit-ready compliance frameworks.
  • Determine whether you use surveillance pricing and advertise or display those prices online. If so, review your pricing engine and marketing technology stack to determine whether any price optimization tools use personal data as an input, and, if so, update your digital advertising and product display interfaces to include the required disclosure. Separately, determine whether you qualify as a retail seller or third-party delivery service and if so, discontinue surveillance pricing by October 1 of this year.
  • If you use FRT on your premises, determine whether your use of FRT will qualify for the exception. If not, develop an FRT policy and design conspicuous signage with hyperlinks and QR codes to your FRT policy.
  • If you have relied on the CTDPA's exclusion of publicly available information to avoid treating certain information as "personal data," determine whether any of the information you treat as publicly available falls into the data categories that can no longer be excluded from the definition and exempted from restrictions on the use of personal data.
  • If you collect precise geolocation data, determine whether you sell, share, transfer, or allow third parties to access such data. If so, you must implement processes to stop these practices by October 1, regardless of consumers' consent.
  • Before repurposing personal data for any new use, conduct and document a compatibility analysis and build this process into your data governance workflow.

Contact: Nancy Libin and David Rice



Reg S-P Amendments for "Small Entities" Effective on June 3, 2026

"Smaller entities" subject to Regulation S-P (Reg S-P) must comply with new cybersecurity and data breach-related requirements starting June 3, 2026. Reg S-P applies to broker-dealers, registered investment advisers (RIAs), investment companies (funds), funding portals (crowdfunding intermediaries), and transfer agents regulated by the Securities and Exchange Commission (SEC) (collectively, covered institutions). The new requirements, which were introduced through the SEC's amendments to Reg S-P in 2024, require each covered institution to establish an incident response program, establish procedures to notify customers of certain data breaches within 30 days, oversee service providers, and maintain compliance documentation. "Larger institutions" were required to comply with the amendments by December 3, 2025.

The SEC has identified compliance with Reg S-P as a priority for regulatory examinations in fiscal year 2026. Among other things, the SEC's Division of Examinations will assess whether covered institutions "have developed, implemented, and maintained policies and procedures in accordance with the rule's new provisions that address administrative, technical, and physical safeguards for the protection of customer information."

Read more about the amendments and next steps for compliance in our recent blog post.

Contact: Michael Borgia



NYDFS Issues Guidance on Frontier AI Cyber Risks

The New York Department of Financial Services (NYDFS) issued new guidance to entities subject to its cybersecurity regulation, including guidance on cybersecurity threats associated with frontier AI models. On May 21, 2026, NYDFS issued two industry letters: an advisory to chief information security officers (CISOs) of regulated entities on heightened cybersecurity risks posed by "frontier AI models" capable of accelerating discovery and exploitation of vulnerabilities, and broader guidance on measures regulated entities should consider when operating in a "heightened cybersecurity threat environment."

NYDFS advises regulated entities to consider numerous steps to strengthen their cybersecurity posture, including expediting vulnerability remediation processes, validating third-party software, adopting secure software coding practices, and improving business continuity and disaster recovery procedures.

Other regulators, including the U.S. Office of the Comptroller of the Currency, the Cybersecurity Agency of Singapore, and the Australian Signals Directorate, also recently issued guidance on addressing the heightened cybersecurity risks posed by frontier AI models.

Read more about the NYDFS guidance and related issues in our recent blog post.

Contact: Michael Borgia



Recent and Upcoming Events and Key Deadlines

  • June 15: The Cybersecurity & Infrastructure Security Agency (CISA) will hold the first of its re-scheduled town halls on proposed cybersecurity incident notification rules to be issued under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). CISA originally scheduled these town halls for March and April 2026 but rescheduled them given the recent partial government shutdown that affected appropriations to the Department of Homeland Security (DHS). Additional town hall sessions will be held throughout June. View the full schedule here.
  • June 16: Michael T. Borgia will be joining a panel at this year's Identiverse conference in Las Vegas to discuss privacy, security and identity management in the age of AI. He will be joining the panel with Heidi Wachs and Gaurav Sheth, managing directors at Kroll.
  • June 24: Michael T. Borgia will speak at this year's Rocky Mountain Information Security Conference in Denver. He will be speaking with Brian Bahtiarian, Senior Consultant at Google Cloud Security–Mandiant, and Scott Takaoka, Cyber Analytic and Quantification Solutions Leader, Alliant Insurance Services, on best practices and key differentiators in cybersecurity incident response.
