Connecticut Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Connecticut offers some of the strongest biometric privacy protections in the northeastern United States. Rather than enacting a standalone biometric law like Illinois did with BIPA, Connecticut folded biometric data protections into its comprehensive Connecticut Data Privacy Act (CTDPA), signed into law as PA 22-15 on May 10, 2022, and effective since July 1, 2023.
The CTDPA treats biometric data as sensitive data, which triggers a higher standard of protection than ordinary personal data. Any business that collects fingerprints, facial scans, voiceprints, or similar identifiers from Connecticut residents must obtain affirmative consent first.
For broader context on Connecticut's overall privacy framework, see the parent guide to Connecticut Data Privacy Laws.
How the CTDPA Defines Biometric Data
Under Conn. Gen. Stat. 42-515(3), "biometric data" means data generated by automatic measurements of an individual's biological characteristics. The statute lists specific examples:
- Fingerprints collected through scanners or touch-based devices
- Voiceprints captured through voice recognition systems
- Eye retinas and irises scanned for identification
- Other unique biological patterns or characteristics used to identify a specific individual
The definition includes an important carve-out. Photographs, audio recordings, and video recordings do not qualify as biometric data unless they are processed specifically to generate a biometric identifier template. A security camera recording a lobby, for example, is not biometric data. But running that footage through facial recognition software to extract facial geometry measurements would create biometric data subject to the CTDPA.
2025 Expanded Definition
The 2025 amendments to the CTDPA broadened what qualifies as protected biometric information in two significant ways. First, the law now covers "information derived from" biometric data, not just the raw biometric data itself. Second, the legislature added "neural data" as a new category of sensitive data, making Connecticut one of the first states alongside California and Colorado to protect brain-computer interface data.
The amendments also removed the requirement that biometric data must be "processed for the purpose of uniquely identifying an individual" to qualify as sensitive data. Under the updated law, biometric data is sensitive regardless of whether the controller is actively using it for identification.
Who Must Comply
The CTDPA applies to any person who conducts business in Connecticut or produces products or services targeted to Connecticut residents and meets one of these thresholds during the prior calendar year:
- Controlled or processed the personal data of at least 100,000 consumers (excluding data processed solely for payment transactions), or
- Controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of gross revenue from the sale of personal data
The 2025 amendments added a critical expansion. Beginning July 1, 2025, any entity that controls or processes any sensitive data (which includes biometric data) must comply with the CTDPA regardless of whether it meets the numerical thresholds above. The only exception is sensitive data processed solely to complete a payment transaction.
This means even small businesses that collect fingerprints for employee time clocks or use facial recognition for building access now fall under the CTDPA if they handle biometric data from Connecticut residents.

Exemptions
The CTDPA exempts certain entities and data types from coverage:
- Government agencies and entities acting on behalf of state or local government
- Nonprofit organizations
- Higher education institutions
- Data protected under HIPAA, GLBA (Gramm-Leach-Bliley Act), and certain other federal frameworks
- Employee and business contact data (though the 2025 amendments narrowed this exemption for sensitive data processing)
Consent Requirements for Biometric Data
Because biometric data qualifies as sensitive data, controllers must obtain the consumer's opt-in consent before processing it. This is a higher bar than the standard for ordinary personal data, where controllers need only provide notice and honor opt-out requests.
The consent must be:
- Freely given by the consumer without coercion
- Informed, meaning the consumer understands what biometric data is being collected and how it will be used
- Specific to the biometric processing activity
- Unambiguous, demonstrated through a clear affirmative action
Controllers cannot bury consent in a general terms-of-service agreement. The CTDPA requires that consent for sensitive data processing be separate and distinct from other permissions.
Facial Recognition Technology Requirements
The 2025 amendments added specific obligations for businesses deploying facial recognition technology (FRT). Organizations using FRT must:
- Provide reasonably accessible, clear, and meaningful notice about the use of facial recognition
- Obtain informed and freely given consent before processing biometric data through FRT
- Provide an effective mechanism for consumers to revoke consent
- Conduct data protection assessments that specifically address bias and discrimination risks
The Connecticut Attorney General has signaled that FRT compliance is an enforcement priority. After receiving complaints about supermarkets using biometric software for shoplifting detection, the AG's office stated that "businesses that deploy FRT must comply with the CTDPA" with no blanket exception for loss prevention.
Data Protection Assessments
Controllers that process biometric data must conduct data protection assessments (DPAs) before beginning that processing. Under Conn. Gen. Stat. 42-520, a DPA is required for any processing that presents a "heightened risk of harm to a consumer," which explicitly includes processing sensitive data.
Each assessment must weigh the benefits of the processing against the potential risks to consumers, considering:
- The use of de-identified data where possible
- Consumers' reasonable expectations
- The relationship between the processing and the stated purpose
- Any safeguards the controller has implemented
For biometric data used in profiling that produces legal or similarly significant effects, the 2025 amendments require controllers to document data inputs, outputs, performance metrics, and specific safeguards against bias and discrimination. Controllers must also provide "FRT-specific bias and discrimination training" for relevant staff.
DPAs must be made available to the Attorney General upon request.
Enforcement and Penalties

The Connecticut Attorney General holds exclusive enforcement authority over the CTDPA. There is no private right of action, which means individuals cannot file lawsuits against businesses for biometric privacy violations.
Enforcement Timeline
The CTDPA's enforcement framework has evolved since the law took effect:
- July 1, 2023 to December 31, 2024: The AG was required to give businesses a 60-day cure period before pursuing enforcement action
- January 1, 2025 onward: The cure period expired. The AG can now pursue immediate enforcement for violations without offering an opportunity to fix them first
Penalties
Violations of the CTDPA are treated as unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA, Conn. Gen. Stat. 42-110a et seq.). Penalties include:
- Civil penalties up to $5,000 per willful violation
- Injunctive relief to stop ongoing violations
- Restitution to affected consumers
- Disgorgement of profits gained through violations
2025 Enforcement Activity
Attorney General William Tong released a 2025 enforcement report documenting the office's first full year of active CTDPA enforcement. Key findings include:
- The office issued 63 warning letters and dozens of notices of violations
- Multiple data breach settlements were finalized, including a $200,000 settlement with PharMerica (affecting 105,000 Connecticut residents) and a $200,000 settlement with WebTPA Employer Services
- TicketNetwork paid $85,000 for privacy notice violations including hard-to-read notices and inoperable rights mechanisms
- Active investigations were opened into connected vehicles, social media platforms, gaming platforms, AI chatbots, and data brokers
While the AG's office has not yet announced a biometric-specific enforcement action, the office has made clear that biometric data compliance is a focus area, particularly around facial recognition technology deployment.
Biometric Data and Breach Notification
Connecticut's separate data breach notification statute (Conn. Gen. Stat. 36a-701b) provides an additional layer of protection for biometric data.
Any person who owns, licenses, or maintains computerized data containing personal information must notify the Attorney General and affected Connecticut residents within 60 days of discovering a breach. Connecticut law includes biometric data within its definition of personal information that triggers breach notification requirements.
If a breach involves biometric data, the affected entity must:
- Notify the AG no later than when residents are notified
- Notify affected residents without unreasonable delay and within 60 days
- Describe the categories of information involved in the breach
- Provide contact information for the entity and relevant government agencies
Failure to comply with breach notification requirements constitutes a violation of CUTPA, carrying the same penalty framework as CTDPA violations.
Employer Obligations for Biometric Data
Connecticut employers who use biometric technology in the workplace face specific compliance requirements under the CTDPA. Common workplace uses include fingerprint scanners for time and attendance, facial recognition for building access, and palm or hand geometry readers for secure areas.
Employers must:
- Obtain opt-in consent from employees before collecting any biometric data
- Provide clear notice explaining what biometric data is collected, why, and how long it will be retained
- Limit collection to what is reasonably necessary for the stated purpose
- Implement appropriate security measures to protect stored biometric data
- Establish retention and deletion schedules and follow them
- Conduct a data protection assessment before deploying biometric systems
The 2025 amendments narrowed the employee data exemption, meaning employers can no longer broadly rely on the employment context to avoid CTDPA obligations when processing biometric data.
Consumer Rights Over Biometric Data

Connecticut residents have several rights regarding their biometric data under the CTDPA:
- Right to know: Consumers can confirm whether a controller is processing their biometric data and access that data. However, under the 2025 amendments, controllers cannot directly disclose the biometric data itself in response to access requests. Instead, they must inform consumers "with sufficient particularity" about what biometric information was collected.
- Right to correct: Consumers can request correction of inaccurate biometric data.
- Right to delete: Consumers can request deletion of their biometric data.
- Right to data portability: Consumers can obtain a copy of their data in a portable format.
- Right to opt out: Consumers can opt out of the sale of biometric data, targeted advertising based on biometric data, and profiling using biometric data.
- Right to revoke consent: Consumers can withdraw previously given consent for biometric data processing. Controllers must stop processing within 15 days of receiving the revocation.
Controllers must respond to consumer rights requests within 45 days, with the possibility of a 45-day extension when reasonably necessary.
Pending Legislation (2026)
The Connecticut General Assembly's 2026 session (February 4 to May 6, 2026) includes proposed legislation that would further strengthen biometric privacy protections:
- Expanded facial recognition regulation: Proposals to define facial recognition technology more specifically and impose additional deployment requirements
- Restrictions on geolocation and biometric data sales: Bills to prohibit the sale, sharing, or transfer of precise geolocation data and biometric identifiers
- Standalone genetic data privacy: The AG's office has recommended the legislature consider separate genetic data privacy legislation
The AG's 2025 enforcement report also recommended narrowing the definition of "publicly available information" to strengthen oversight of data brokers who may handle biometric data.
How Connecticut Compares to Other States
Connecticut's biometric privacy framework sits in a middle tier among U.S. states:
| Feature | Connecticut (CTDPA) | Illinois (BIPA) | Texas (CUBI) |
|---|---|---|---|
| Law type | Comprehensive privacy law | Standalone biometric law | Standalone biometric law |
| Private right of action | No | Yes | No |
| Consent required | Yes (opt-in) | Yes (written) | Yes (informed) |
| Penalties | $5,000/violation (CUTPA) | $1,000-$5,000/violation | $25,000/violation |
| Cure period | Expired Dec 2024 | None | 30 days |
| Covers employees | Yes (limited exemptions) | Yes | Yes |
| Data protection assessment | Required | Not required | Not required |
Connecticut's approach of embedding biometric protections within a comprehensive privacy law provides broader coverage than standalone biometric statutes, but the lack of a private right of action limits individual enforcement options compared to Illinois.
Disclaimer
This article provides general legal information about Connecticut biometric privacy laws and is not legal advice. Laws and regulations change frequently, and their application varies based on specific circumstances. Consult a qualified attorney licensed in Connecticut for guidance on your particular situation.
Sources
- Connecticut Data Privacy Act (Conn. Gen. Stat. 42-515 et seq.)
- CT Attorney General: The Connecticut Data Privacy Act
- PA 22-15 (SB 6): An Act Concerning Personal Data Privacy
- PA 25-113 (SB 1295): Data Privacy Amendments
- AG Tong 2025 CTDPA Enforcement Report
- CT AG Press Release: Consumer Rights Under the CTDPA
- CT Breach Notification Requirements
- SB 1356 (2025): Data Privacy, Online Monitoring Amendments