Data Broker Regulation: Connecticut Senate Passes S.B. 4

On April 23, 2026, the Connecticut State Senate delivered a resounding message to the trillion-dollar “shadow economy” of personal information. In a decisive 31-4 vote, lawmakers passed Senate Bill 4 (S.B. 4), an ambitious expansion of the state’s privacy framework that fundamentally alters the power dynamic between residents and the companies that profit from their digital footprints. Modeled largely after California’s landmark “Delete Act,” this legislation represents one of the most aggressive maneuvers in the nation to curtail the largely unregulated industry of data harvesting.

For decades, the data broker industry has operated in the periphery of public awareness, aggregating billions of data points—from home addresses and purchasing habits to precise GPS coordinates—without the direct consent or even the knowledge of the individuals involved. With the passage of S.B. 4, Connecticut moves from a “notice and consent” model toward a “control and deletion” era, providing residents with a centralized, legally-enforced “off-switch” for their personal information. This editorial explores the technical architecture of the bill, its implications for Data Broker Regulation, and why its anti-doxxing provisions are being hailed as a new gold standard for personal safety in the digital age.

The Mechanics of Data Broker Regulation under S.B. 4

The centerpiece of S.B. 4 is the establishment of a robust regulatory framework for Data Broker Regulation. Unlike previous iterations of privacy law that required consumers to play a “Whac-A-Mole” game—sending individual deletion requests to hundreds of different companies—S.B. 4 mandates a centralized solution. The bill requires the Connecticut Department of Consumer Protection (DCP) to establish an “accessible deletion mechanism” by January 1, 2027.

This mechanism functions as a unified portal where a resident can submit a single request that triggers a mandatory deletion across every registered data broker in the state. To facilitate this, the bill introduces several technical and administrative requirements:

• Mandatory Annual Registration: All data brokers operating within the state must register with the DCP by January 1 of each year, paying a $600 registration fee. This creates a public-facing registry of entities that trade in resident data.
• 45-Day Compliance Cycles: Beginning in early 2027, data brokers are required to check the centralized deletion portal at least once every 45 days. Any new deletion requests or updates must be processed and verified within this window.
• Data-Level Accountability: S.B. 4 removes several “entity-level” exemptions. Previously, large financial institutions or healthcare organizations could claim broad immunity from certain privacy rules if they were regulated by federal laws like the Gramm-Leach-Bliley Act (GLBA). The new law shifts the focus to the data itself, ensuring that any information not explicitly covered by federal mandates remains subject to the resident’s right to delete.
• Independent Auditing: Starting in 2030, data brokers will be required to undergo independent third-party audits every three years to certify that they are actually deleting data as requested rather than merely “hashing” or “archiving” it.

The Anti-Doxxing Shield: Privacy as Physical Safety

While the economic aspects of Data Broker Regulation are significant, the moral heart of S.B. 4 lies in its anti-doxxing and harassment protections. In an era where malicious actors can purchase a victim’s home address, cell phone number, and relative’s details for a few dollars on a “people search” site, S.B. 4 grants residents the legal right to pull their personal information off the internet.

Proponents of the bill, including Senator James Maroney, argue that the “weaponization of public records” has become a primary tool for scammers and domestic abusers. By prohibiting the sale and sharing of precise geolocation data, the bill aims to prevent the real-time tracking of individuals. Under S.B. 4, precise geolocation is defined as information derived from technology—including GPS and cell tower data—that can identify a person’s location within a radius of 1,750 feet. By cutting off the supply chain of this data to brokers, the state effectively neuters the ability of third-party “surveillance” apps to sell movement patterns to the highest bidder.

Protecting the “Final Frontier”: Genetic and Neural Data

The 2026 version of S.B. 4 also anticipates the next wave of privacy threats: biological and genetic data. As direct-to-consumer DNA testing and neuro-technology (brain-sensing wearables) become more common, the risk of “biological doxxing” has increased. S.B. 4 treats genetic data as “sensitive data” of the highest order, requiring:

1. Explicit, Affirmative Consent: No genetic or neural data can be processed or sold without a clear “opt-in” from the consumer.
2. Right to Destruction: Consumers have the right not just to “delete” their account, but to demand the physical destruction of biological samples and the purging of neural patterns from algorithmic training sets.
3. Prohibition on Secondary Use: Data collected for an ancestry test or health diagnosis cannot be repurposed for marketing or “surveillance pricing” without a new, separate consent agreement.

Combatting Algorithmic Harassment and “Surveillance Pricing”

Another technical layer of S.B. 4 involves the regulation of personalized algorithmic pricing. The bill introduces transparency requirements for businesses that use “surveillance pricing”—a practice where algorithms adjust prices for goods or services in real-time based on an individual’s personal data, such as their browsing history, zip code, or device type.

By requiring companies to disclose the use of these algorithms, Connecticut is attempting to prevent “digital redlining,” where certain demographics might be surreptitiously charged more for the same services. Furthermore, S.B. 4 expands the Connecticut Data Privacy Act (CTDPA) by defining “facial recognition technology” and imposing strict signage and notice requirements for its use in public or commercial spaces, ensuring that residents are aware when their biometric signatures are being harvested.

Enforcement and Penalties: The Cost of Non-Compliance

A law is only as strong as its enforcement mechanism, and S.B. 4 provides the Connecticut Attorney General with significant “teeth.” Violations of the data broker provisions are categorized as unfair or deceptive trade practices. The financial stakes for non-compliance are high:

• Civil Penalties: Data brokers who fail to register or ignore deletion requests can face fines of up to $5,000 per day per violation.
• No Private Right of Action (with a caveat): While the bill does not currently allow individuals to sue data brokers directly, it mandates that the Attorney General’s office prioritize enforcement actions that involve the data of minors or vulnerable populations.
• Transparency Reports: Starting in 2027, the DCP must publish an annual report detailing which data brokers have the highest rates of “deletion rejection,” effectively “naming and shaming” bad actors in the industry.

The National Implications of Connecticut’s Bold Move

The passage of S.B. 4 is not an isolated event; it is a signal that the Data Broker Regulation movement is gaining momentum across the United States. Following California’s lead, Connecticut has proven that there is a bipartisan appetite (as evidenced by the 31-4 vote) for reining in Big Data. As more states adopt “Delete Act” style legislation, a “Brussels Effect” is likely to take hold, where data brokers find it more cost-effective to adopt high-privacy standards nationwide rather than managing a patchwork of 50 different state portals.

However, the bill faced significant pushback from groups like the Connecticut Business and Industry Association (CBIA). Critics argued that the definitions of “data broker” and “data service provider” are overly broad and could unintentionally sweep in small businesses or retailers who engage in routine commercial activities. There are also concerns that the $600 fee and the audit requirements could create a barrier to entry for smaller tech innovators. Despite these objections, the Senate prioritized consumer safety and the “right to be forgotten” over the operational convenience of the data industry.

Conclusion: Reclaiming the Digital Self

The passage of S.B. 4 marks a watershed moment for the residents of Connecticut. By targeting the middlemen of the internet—the data brokers—the state has begun the difficult work of dismantling the infrastructure of digital surveillance. Through the centralized deletion mechanism, the protection of genetic data, and the curtailment of precise geolocation tracking, Connecticut is providing its citizens with the tools to reclaim their digital identities.

As the law takes effect on October 1, 2026, the eyes of the nation will be on Hartford to see how effectively these measures can be enforced. For the data broker industry, the message is clear: the era of operating in the shadows is over. For the consumer, the “off-switch” has finally been installed.