Connecticut's New AI Law Creates Broad Compliance Requirements Across Multiple Sectors
Connecticut enacted one of the nation's most expansive state AI laws on May 27, 2026. Senate Bill 5 addresses AI companions, frontier model developers, employment decision tools, content provenance, and social media platforms-with compliance deadlines staggered from October 2026 through January 2028.
The law's breadth means companies cannot assume compliance with one state's AI requirements will satisfy Connecticut's. Key definitions vary. Connecticut's "AI companion" definition differs from Oregon's. Its threshold for automated employment decision technology-a "substantial factor in making or materially influencing" decisions-differs from Colorado's "consequential decision" standard. The same tool might be in scope under one law but not another.
Companies should map each AI system against Connecticut's requirements and compare them to rules in other states where they operate.
AI Companions: Disclosure and Harm Prevention
Connecticut defines AI companions as systems with a natural language interface that provide adaptive, human-like responses and sustain relationships across multiple interactions. The law excludes business chatbots not marketed as companions, video game chatbots, and narrowly tailored educational tools.
Operators must implement evidence-based methods to detect users at risk of suicide, self-harm, or imminent physical violence. They must refer at-risk users to mental health resources and prevent the AI from generating output encouraging these behaviors.
Operators must disclose that users are communicating with AI, not a person. The disclosure must be visible throughout the interaction or appear at the beginning of each 24-hour period. For users under 18, disclosures must appear hourly. For older users, every three hours.
For minors, operators face additional restrictions. The AI cannot encourage self-harm, suicidal ideation, violence, disordered eating, or unlawful substance use. It cannot offer mental health services or discourage professional help. It cannot engage in romantic or sexually explicit interactions.
The law prohibits "manipulative techniques" designed to extend interactions with minors. These include excessive praise, simulating emotional distress when the user tries to disengage, encouraging users to hide AI use from parents, and mimicking romantic relationships.
Operators must provide parents and guardians tools to manage screen time and account settings. An operator avoids liability for minor-protection violations if it verified-before providing the AI-that the user was 18 or older. This creates pressure to implement age assurance mechanisms.
Connecticut's Attorney General enforces these provisions solely. Violations are treated as unfair trade practices.
Frontier Model Developers: Internal Reporting Requirements
Connecticut defines "large frontier developers" as companies training foundation models with annual revenues exceeding $500 million. These companies must establish anonymous internal reporting processes for employees to flag activities posing specific and substantial danger to public health or safety from catastrophic risks.
Companies must provide reasonable updates to employees who submit reports and share reports with officers and directors at least quarterly. If a report alleges wrongdoing by an officer or director, that person is excluded from receiving the report.
Companies must display notices in workplaces informing employees of their right to report violations.
Violations carry civil penalties up to $1,000 each. The Attorney General can recover investigation costs, expert fees, and attorney fees.
Automated Employment Decision Tools: Transparency Without Consumer Rights
Connecticut's employment AI rules focus on transparency, not consumer rights. The law applies to technologies that process personal data and are a "substantial factor in making or materially influencing" employment decisions like hiring, promotion, discipline, or termination.
Deployers must disclose to employees and applicants that they are interacting with an automated decision system. Before making an employment decision, deployers must provide written notice including the system's trade name, the categories and sources of personal data processed, and the deployer's contact information.
Developers must provide deployers all information necessary for these disclosures, or they can contractually assume the disclosure obligations themselves. Both vendors and customers should review procurement agreements to clarify who bears compliance responsibility.
These obligations take effect October 1, 2027. The Attorney General enforces them with a 60-day cure period available until December 31, 2027.
The law creates no private right of action. However, it amends Connecticut's employment discrimination law to state that use of an automated system "shall not be a defense" against discrimination claims. Courts and the Commission on Human Rights and Opportunities can consider evidence of anti-bias testing as a factor in adjudicating complaints.
This creates incentive for deployers to implement and document bias testing programs now, before disclosure obligations take effect.
AI-Generated Content: Provenance Data Requirements
Providers of generative AI systems with more than one million monthly users must embed provenance data into audio, image, and video content to allow consumers to assess whether the content was created or materially altered by AI. Text content is excluded.
Provenance data must be difficult to tamper with using commercially and technically reasonable methods, including those established by the Coalition for Content Provenance and Authenticity (C2PA).
The law carves out personally identifiable information from provenance data, trade secrets, confidential AI system design information, video game and interactive experiences, and technical functions like noise reduction.
These requirements take effect October 1, 2026. Violations are enforceable by the Attorney General under Connecticut's unfair trade practices law.
Social Media Platforms: Algorithmic Recommendations and Minor Protections
Connecticut regulates platforms that recommend, select, or prioritize user-generated content for display. Educational platforms and those primarily facilitating goods sales are excluded.
Covered platforms cannot deliver personalized algorithmic recommendations to minors unless they use commercially reasonable methods to verify the user is 18 or older, or obtain verifiable parental consent.
For identified minors, platforms must set default configurations including a one-hour daily limit on algorithmically recommended content, private account mode, notification curfews between 8 a.m. and 9 p.m., and blocking of sensitive content. Parents and guardians can adjust these defaults.
Platforms must display a Surgeon General warning in black lettering on white background: "The Surgeon General has warned that while social media may have benefits for some young users, social media is associated with significant mental health harms and has not been proven safe for young users."
Platforms must annually disclose total user counts, the portion of users for whom parental consent was obtained, default setting usage rates, and average usage time by age and hour of day.
These requirements take effect January 1, 2028. The Attorney General enforces them under unfair trade practices law.
AI Subscription Disclosures and Other Requirements
Businesses offering AI technologies by subscription must disclose quantitative or qualitative limitations-such as usage caps or feature restrictions-and any discretion to reduce quantity, quality, or functionality during the subscription period. These disclosures take effect October 1, 2026.
Connecticut also established an independent verification pilot program allowing up to five third-party organizations to certify AI model adherence to safety and privacy standards. The program begins July 1, 2027 and terminates June 30, 2030. Evidence of third-party verification is admissible in private civil actions but not in government enforcement actions, and is forfeited if a company acted willfully or recklessly.
The state created an AI working group tasked with proposing legislation on general-purpose AI models and requiring platforms to signal synthetic content. The group may recommend establishing a technology court for AI and data privacy disputes.
Practical Compliance Steps
Companies should prioritize three areas. First, review AI systems against Connecticut's definitions to identify what falls in scope. Second, audit procurement agreements to clarify developer-deployer responsibility allocation for AEDT disclosures. Third, inventory existing privacy and data governance infrastructure-risk assessments, vendor diligence, data inventories-that transfers to Connecticut compliance.
Companies with existing privacy frameworks will find much of that work transferable. However, expect to build supplemental processes for Connecticut-specific requirements like provenance embedding, real-time interaction disclosures, and age assurance mechanisms.
The staggered effective dates create compressed compliance timelines. Provenance requirements, AEDT anti-discrimination amendments, subscription disclosures, and AI-layoff reporting all take effect October 1, 2026. Plan accordingly.
Your membership also unlocks:
