Connecticut Attorney General William Tong recently issued an advisory memorandum (“Advisory”) to all “State Officials, Agencies and Concerned Parties” about how existing Connecticut laws apply to artificial intelligence (“AI”).
In the Advisory, Attorney General Tong hints at enforcement priorities and offers businesses a roadmap for compliance in describing how Connecticut’s civil rights, privacy and data security, competition, and consumer protection laws apply to AI system use. Businesses operating in Connecticut are reminded that, even without a statewide AI law, obligations under these laws regulate their AI system use. Those Connecticut residents who read the Advisory are reminded of their rights and encouraged to report AI related harms to the Connecticut Office of the Attorney General (“OAG”).
The Advisory discusses how the AG views these laws as applied to AI:
Civil Rights Laws
- The Advisory notes that an AI system is deployed by businesses in several contexts in which civil rights violations can occur, including for hiring, employment, healthcare, housing, insurance and lending and credit decision-making.
- Although the Trump administration is focused on AI deregulation, the Advisory notes that federal antidiscrimination laws remain in effect and the Connecticut OAG can enforce them (Con. Gen. Stat. § 3-129g), as well as Connecticut’s own antidiscrimination laws.
Privacy and Data Security Laws
- Connecticut Data Privacy Act (“CTDPA”) (Conn. Gen. Stat. § 42-515, et seq.): The Advisory reminds businesses that personal data used in connection with AI system is subject to the CTDPA’s data minimization, data protection assessment, notice, consent, sensitive data processing and other requirements. Businesses also are reminded that consumer privacy rights apply to personal data ingested into an AI system model, which presents unique data deletion challenges (among others).
- In June 2025, the CTDPA was amended to add notice provisions related to training data for an AI model. Specifically, as of July 1, 2026, a business must include in its privacy notice a statement disclosing whether it “collects, uses or sells personal data for the purpose of training large language models” (Con. Gen. Stat. § 42-520(b)(1)(H)). In discussing this requirement, the Advisory also explains that an AI system developer, “integrator” (which means refers to a business that “combines data from different sources”), or user that “buys datasets from third party controllers that contain Connecticut consumers’ personal information (i.e., data brokers)” must ensure that the Connecticut consumers whose personal data is included in the dataset received proper notice from the third party controllers (Advisory, page 5). The Advisory also includes a reminder that, when a privacy notice is updated to cover “any retroactive material change” (such as use for training an AI model), Connecticut consumers must receive notification and a mechanism to withdraw previously granted consent (Con. Gen. Stat. § 42-520(b)(3) (effective July 1, 2026)).
- Connecticut’s Safeguards and Data Breach Laws (Con. Gen. Stat. § 42-471, § 36a-701b): The Advisory reminds businesses of their obligations (i) to protect personal information when deploying an AI system and (ii) to notify individuals of unauthorized access to or acquisition of their personal information.
Consumer Protection Laws
- Connecticut Unfair Trade Practices Act (“CUTPA”) (Con. Gen. Stat. § 42-110b, et seq.): The Advisory describes how the CUTPA can apply to AI system use. The Advisory provides a non-exhaustive list of examples of potential violations, such as using an AI system to advertise a product or service in a manner that misrepresents the price, quality or other characteristics of the product or service. The Connecticut Department of Consumer Protection and the Connecticut Office of the Attorney General enforce the CUTPA, with broad authority to investigate potential violations by demanding documents and records, compelling testimony and entering establishments. The CUTPA also provides Connecticut consumers with a private right of action to sue any person who suffers a measurable loss of money or property as a result of an unfair or deceptive act. Penalties for violations of CUTPA can include injunctive relief, civil penalties of up to $5,000 per violation, restitution and remediation.
- Connecticut Antitrust Act (“CAA”) (Con. Gen. Stat. § 35-24, et seq.):The Advisory provides a non-exhaustive list of examples of potential violations of the CAA associated with AI system use: using an AI system in coordination with competitors to fix prices, allocate markets, or rig bids for AI products or for other goods and services.
* * * * *
In addition, the Advisory flags recent enforcement actions by the OAG in which businesses were held accountable for “misusing algorithms” to deploy design features that purposefully addict children and teens and create monopolies in internet search, smart phone markets and live event ticketing.
Meanwhile, the Connecticut legislature also is considering the following bills related to the topics covered in the Advisory:
- SB4 – An Act Concerning Consumer Privacy and Protection, which addresses registration of data brokers; use of personalized algorithmic pricing; CTDPA amendments defining “facial recognition technology” and requirements, preventing sale, sharing, transfer or allowance of access to geolocation (among other proposed amendments).
- SB 5 – An Act Concerning Online Safety, which would require that an operator of an “artificial Intelligence companion” include a protocol to “take reasonable efforts to detect and address any user expression indicating a risk of suicide, self-harm or imminent violence” and notice and other requirements similar to laws passed in California and Washington, as well as restrictions on how an “automated employment-related decision process” is deployed.
- HB 5037 – An Act Promoting the Safety of Minors on Social Media Platforms, which includes restrictions on the times of day that a “covered platform” can send notifications to minors and requires that a covered platform track the number of minors users and display mental health warnings when a minor logs in and at specific intervals throughout an online session.
- SB 435 – An Act Concerning Automated Decision Systems Protections For Employees, which, like SB 5, relates to deployment of an “automated employment-related decision process.”
All of the bills are in the early stages of the legislative process and seem unlikely to pass before the legislative session ends on May 6, 2026.
The authors are grateful to Mary Aldrich, Paralegal, New York, for her assistance.
