The landscape for privacy and AI have once again shifted on the state level. In Connecticut, Democratic Gov. Ned Lamont signed two new bills into law on May 29. In 2022, the state’s comprehensive privacy bill, Connecticut Data Privacy Act, was enacted and there have been several updates to the law since then. This session, two of the updates to the state’s privacy landscape include SB 4, a data broker bill most similar to California’s Delete Act and SB 5, an AI online safety bill, despite federal calls for a ban on state-level AI bills. Other states have also passed significant bills this session, including Illinois (SB 315) and New York.
No Federal AI Preemption Yet: In March, the Trump administration issued its National Policy Framework for Artificial Intelligence, which among its legislative recommendations was a request for a federal law that would preempt most state-level AI legislation. In the last few weeks the Trump administration reportedly delayed their plan to issue a new AI Executive Order related to new AI large language model review. In the continued absence of meaningful federal action, states like Connecticut are moving forward with laws and regulations.
Taking California’s lead with a Data Brokers Law: A law most similar to California’s Delete Act, this new law means that Connecticut is the fifth state to create a data broker registry, that list also includes California, Oregon, Texas and Vermont. It requires companies that buy and sell personal data about consumers to register with the state. Connecticut will create a centralized system that allows residents to submit a single request to have their information deleted by registered data brokers. Businesses are also banned from selling geolocation data and must provide disclosures when using personalized algorithms to adjust prices. The law goes into effect October 1, 2026.
Boldly going forward with an AI Online Safety Act: SB 5 is a broad technology and artificial intelligence regulation package that creates new rules for AI systems, online platforms, employers, developers, and state agencies. Companies offering AI chatbots that simulate human relationships must follow new consumer protection rules. Certain practices involving minors are restricted, and providers must make disclosures that users are interacting with AI rather than a human. Subscription based AI services must provide disclosures about how their systems operate and what limitations or risks may exist. Synthetic or AI generated content must be identifiable as artificial in certain circumstances. Companies developing powerful frontier AI models must implement internal safety, testing, risk management, and incident response processes.
Other states have also progressed further when it comes to privacy and AI this session: In Illinois, SB 315 (the Artificial Intelligence Safety Measures Act) would impose new obligations on developers of the most powerful “frontier” AI models, requiring them to assess and mitigate catastrophic risks, maintain AI safety frameworks, publicly disclose key safety information, and report serious incidents. In New York, the “Safe By Design Act” was negotiated into the final, long-delayed 2027 state budget agreement. The legislation claims that it is designed to protect children from online predators, scammers and harmful AI chatbots integrated on online platforms.
FOCUS will continue to monitor developments on privacy and AI in state legislatures across the country.
by Alexis Caswell 6/1/26
