Connecticut Passes Its Own Data Broker Registration and Deletion Mechanism Law
Connecticut has passed a law mirroring California’s Delete Act, requiring data brokers to not only register with the state, but also, beginning in 2028, to honor deletion requests from consumers via a state-provided ‘accessible deletion mechanism’ nearly identical to the California Delete Request and Opt-out Platform (DROP). This is the first data broker law in Connecticut, which has not previously required data broker registration (Connecticut is now the 5th state requiring data brokers to register with the state, joining California, Texas, Vermont, and Oregon).
Who is a Data Broker?
Under the Connecticut law, “‘Data broker’ means any business or, if such business is not an individual, any portion of such business that sells or licenses brokered personal data to another person.” There is no volume or revenue threshold of applicability. It should also be noted that the law points to the Connecticut Data Privacy Act for its definition of ‘Consumer’ which does not include an individual acting in a commercial or employment context. In other words, selling employee data or data about individual’s operating in a commercial/business context does not make a business a data broker (Texas excludes employee data. Oregon excludes both employee data and data regarding investors, donors, agents, and other similar relationships).
It should also be noted that, if you register in one state, but not Connecticut, you may receive a letter from Connecticut stating that you must register as a data broker in Connecticut. We’ve seen similar letters come from Oregon, where data brokers are registered in California or Texas, but not Oregon because it is common for each state to review their own registered data brokers against the public data broker registries of other states.
Data Broker Registration
Data brokers need to register as a data broker by January 1, 2027 and pay an annual registration fee of $2,500. Registrations will expire on December 31 each year, so data brokers must remember to renew and pay the $2,500 fee before December 31 each year.
The Accessible Deletion Mechanism
In addition to registration, the law requires Connecticut to provide the accessible deletion mechanism by July 1, 2028. We’ve heard rumors that California may license its DROP mechanism to other states and the Connecticut law specifically says Connecticut may license a mechanism, but it is unconfirmed whether or not Connecticut will license California’s DROP.
Like the California DROP mechanism, Consumers will be able to create an account and submit requests to any and all registered data brokers, and data brokers will be required to access the accessible deletion mechanism to process requests every 45 days. Upon receiving a verifiable deletion request, the data broker must process the deletion and forward the request to all of the data broker’s service providers with whom the data broker has disclosed the consumer’s personal information. If a request is unverifiable, the data broker must treat the deletion request as an opt out request (just like the California Delete Act).
The Commissioner of Connecticut Consumer Protection (Commissioner) has the right to issue regulations on the accessible deletion mechanism and we expect they will to provide further guidance on how consumers, authorized agents, and data brokers must utilize the accessible delete mechanism, similar to the California DROP regulations which provided guidance on what constitutes a match between brokered personal data and consumer provided data in DROP.
It’s also worth noting that Connecticut has the right to impose a fee for the data broker to access the accessible deletion mechanism. The California Delete Act had a similar right, but has not implemented any such fee to date.
Public Metrics
By July 1, 2029, and annually thereafter, data brokers will need to post on the data broker’s public webpage certain metrics regarding the number of requests processed by the data broker via the accessible deletion mechanism, namely: (1) the total number of deletion requests that the data broker accessed during the preceding calendar year; (2) of the total number of deletion requests accessed by the data broker, which the data broker: (A) deleted; (B) retained; or (C) deleting in part and retained in part; and (3) if the data broker retained consumer personal data, the total number retained as part of an enumerated exception (e.g., retained because the consumer is in a contractual relationship with the data broker, the data broker is acting as an agency, or the data is subject to FCRA, GLBA, or HIPAA).
Data Broker Audit Requirement
Similar to the California Delete Act, data brokers subject to the Connecticut law will need to undergo an independent audit to verify compliance with the requests received via the accessible deletion mechanism. Data brokers must complete the first audit no later than July 1, 2031 and every 3 years thereafter. Moreover, data brokers must maintain each audit report for at least 6 years. If requested by the Commissioner, the data broker must submit to the Commissioner data broker audit(s) within 5 business days of the request.
Penalties for Non-Compliance
If a data broker fails to comply with any portion of this act, the Commissioner may impose a civil penalty up to $200 per day per violation. Like we’ve previously warned data brokers subject to the California Delete Act, this fine may be astronomical. Currently, there are over a quarter of a million registered DROP users in California (1day of noncompliance x $200 x 250,000users = $50million in fines). That being said, Connecticut is a much smaller state, so we anticipate fewer individuals to sign up with Connecticut’s accessible deletion mechanism than California’s DROP.
What’s Next?
We can safely assume Connecticut will introduce regulations regarding the accessible deletion mechanism in the next year or so. Connecticut’s regulations process is similar to California’s, following a 5-step lifecycle: agency drafting, public notice and comment, Attorney General review, Legislative Regulation Review Committee approval, and final filing with the Secretary of the State.
Beyond Connecticut, we know that CalPrivacy has been talking to other states to help introduce accessible deletion mechanism legislation and to potentially license California’s DROP mechanism, and we expect more states to pass similar accessible deletion mechanisms laws. IHP attended a privacy conference earlier this year where Tom Kemp, executive director of CalPrivacy, stated that 9 or 10 states (including Connecticut) were interested in passing laws mirroring the California Delete Act requiring data broker registration and providing a state-sponsored accessible deletion mechanism like DROP. It’s also possible that a federal accessible deletion mechanism law passes, the concept for which was included in the recently introduced federal ‘SECURE Act’.
As a reminder, California’s DROP comes into effect in less than 2 months on August 1, 2026 with enforcement penalties beginning in September. If you are licensing third-party data from any business entity that is not yet registered, you may want to inform them that they need to register with DROP otherwise the third-party data licensor could be in breach of their own licensing terms.
