← Back to Blog
Connecticut's New Data Broker Law: California's Delete Act Is Going National
Zane Witherspoon, CIPP/US3 min read

Connecticut's New Data Broker Law: California's Delete Act Is Going National

tl;dr

  • On May 27, 2026, Connecticut signed Public Act No. 26-64 into law, becoming the 5th state to require data broker registration (after VT, TX, OR, and CA).

  • Registration with the CT Department of Consumer Protection is required starting January 1, 2027, with a $2,500 annual fee.

  • Connecticut is the first state to copy California's single-request deletion mechanism, launching in 2028.

  • If you sell or license personal data and touch Connecticut residents, it's time to prepare to be in compliance.

What Connecticut actually requires

Connecticut signed PA 26-64 (originally SB 4) into law on May 27, 2026. It's a broad consumer-privacy law with particulars for data brokers.

  • Registration: annual registration with the Connecticut Department of Consumer Protection, with a $2,500 yearly fee. CT publishes the registry publicly.

  • Required disclosures and a consumer-rights page: registering means disclosing a set of things about your operation, including whether you collect minors' data, precise geolocation, or reproductive or sexual health data, the measures you take to avoid selling or licensing data unlawfully, and whether you're regulated under FCRA, GLBA, or HIPAA. You also have to maintain a public, dark-pattern-free page on your site explaining how consumers exercise their CTDPA rights (accessing and deleting their data, etc.).

  • The deletion mechanism (2028): CT must stand up a single-request deletion portal by July 1, 2028; registered brokers have to check it every 45 days and honor verified deletions starting October 1, 2028. This models California's DROP system.

  • Audits: independent third-party audits start in 2031 and happen every three years.

  • Enforcement: fines are up to $200/day per violation, run by the Department of Consumer Protection, with no private right of action.

Heads up: there's no guarantee that CT's deletion mechanism will use the same hashing system as California's, and may possibly require its own unique approach.

Why this matters beyond Connecticut

  • California passed the first Delete Act. Connecticut is the first state to copy California's model.

  • While nobody can predict the future, we expect a pattern to emerge: more states requiring data brokers to register, and likely including the deletion portal design.

Why this matters for Data Brokers

The cost and complexity of compliance is growing. Every new state adds a registration, a renewal, its own quirks, and potentially its own deletion portal, if others follow California and Connecticut's lead. Keeping up with multiple states' databases and potentially varying hashing and identifying approaches across different states represents a major technical and operational challenge for data brokers.

What to do now

  1. Figure out if Connecticut's Data Broker definition captures you (most companies that sell or license personal data about non-customers are in scope).

  2. Plan to register by the deadline of January 1, 2027.

  3. Stand up your consumer-rights page with your required disclosures.

  4. Don't treat compliance on a state-by-state basis. Build (or buy) one system that handles all of them.

Superset helps you comply with Data Broker Laws in the US, determining which states you need to register in and automating your compliance for you.

Superset has already built a DROP module to help Data Brokers comply with California's DROP system, and will be ready to support customers with Connecticut's system starting in 2028.