On May 11, 2026, the Connecticut General Assembly passed Senate Bill 5, “An Act Concerning Online Safety” (“SB 5” or the “Act”), which Governor Ned Lamont signed into law on May 27, 2026. Connecticut's SB 5 is among the most ambitious state artificial intelligence (“AI”) laws enacted to date. While many of the state AI laws that have passed in other jurisdictions focus on a single use case—such as Colorado’s revised automated decision-making technology Act or Washington’s AI companion chatbot law—Connecticut's omnibus approach is notable for its breadth. The 39-section statute tackles a wide range of topics related to AI and imposes obligations on consumer-facing AI chatbots, frontier AI model developers, developers and deployers of automated employment decision tools, and social media platforms, among others. Each of the areas addressed in the Act has its own compliance timeline, with effective dates staggered from October 2026 through January 2028.
The areas addressed in the Act reflect issues and concerns that have been top of mind for state lawmakers and should not be a surprise to companies that have been closely following the evolution of state AI laws. However, the broad coverage of the law across various issues means that companies will need to carefully review what is included in the law to understand whether or not they are subject to any of its varied requirements. In addition, companies operating in multiple jurisdictions may now be subject to several laws which may or may not have requirements consistent with the Connecticut law. For example, companies offering subscriptions to AI technologies—something which will sweep in many types of services with an AI element—will need to comply with this law, as well as with state laws addressing subscriptions more generally. And companies using automated decision-making technologies in the employment context will need to add Connecticut to the list of state AI laws, like California and Colorado, that they will need to design their disclosures around. In addition, key statutory definitions vary across jurisdictions. While we assess the Connecticut law overall as imposing fewer requirements than similar laws in other states, close parsing is still needed. Companies operating in multiple states should not assume that compliance with one state’s AI law will satisfy another’s. For example, Connecticut's “AI companion” definition, which covers AI with a “natural language interface” that provides “adaptive, human-like responses” and sustains a relationship across multiple interactions, is different from what is in Oregon’s SB 1546. Similarly, Connecticut’s automated employment-related decision technology (“AEDT”) framework applies to technologies that are a “substantial factor in making or materially influencing” employment decisions, a threshold that differs from Colorado’s “consequential decision” standard.
Each of these formulations could capture—or exclude—different tools and use cases within the same organization. Companies should conduct a jurisdiction-by-jurisdiction mapping exercise that identifies precisely which AI systems and use cases fall within scope under each applicable law, paying particular attention to differences in defined terms, covered decision types, and exemptions.
From an operational standpoint, several features of SB 5 warrant near-term attention. First, the Act's staggered effective dates create a compressed compliance runway: provenance requirements, AEDT anti-discrimination amendments, subscription disclosures, and the WARN Act AI-layoff reporting obligation all take effect on October 1, 2026, while AEDT deployer disclosure obligations become operational on October 1, 2027 and social media platform requirements on January 1, 2028. Second, Section 13’s provision that use of an AEDT “shall not be a defense” against employment discrimination claims—combined with amendments to the Connecticut Fair Employment Practices law contained in the Act which add “evidence of anti-bias testing” as a factor in adjudicating complaints—creates an incentive for deployers to implement and document proactive bias testing programs now, even before the disclosure obligations become operational. Third, the Act’s developer-deployer allocation model—under which AEDT developers must provide deployers with all information necessary to comply with disclosure obligations, or may “contractually assume” those obligations—means that both vendors and customers should be reviewing AI procurement agreements for allocation of compliance responsibilities, indemnification obligations, and information-sharing commitments. Companies that have already invested in privacy and data governance infrastructure—risk assessment frameworks, vendor diligence processes, data inventories—for AI adoption will find that much of that is transferable to compliance with the Connecticut law, but should expect to build supplemental processes to address new state-specific requirements such as provenance embedding, real-time interaction disclosures, and age assurance mechanisms.
I. AI Companions
A. Scope
Sections 4 and 5 of the Act address “AI companions,” which are defined as any AI with a “natural language interface” that provides “adaptive, human-like responses” and can sustain a relationship across multiple interactions. The definition contains several categories of exclusions, including business-operations chatbots not marketed as companions, video game chatbots, standalone voice assistant speakers, narrowly tailored educational tools, healthcare support systems without anthropomorphic features, and narrow task-specific tools. Because chatbot definitions still vary widely across jurisdictions, a product outside Connecticut’s definition may still be captured by other states’ laws, and vice versa.
B. Obligations
1. Harm Detection
Operators, or those providing AI companions to users, must implement “evidence-based methods” to detect users indicating a risk of “suicide, self-harm or imminent physical violence,” as well as to prevent the AI from generating output encouraging those behaviors. Operators must refer at-risk users to mental health evaluation and treatment resources, including suicide prevention hotlines.
2. AI Interaction Disclosure
Operators must also disclose to users that the users are communicating with AI and not another person—either in written form visible throughout the interaction or at the beginning of each 24-hour period, plus once hourly for minors, or once every three hours for older users. Minors are defined as any covered user under the age of 18. Operators are responsible for preventing the AI companion from claiming to be human or generating any output that refutes that the AI companion is not a human.
3. Minor-Specific Protections (“Manipulative Techniques”)
When an operator “knows, or has reason to believe” that a user is under 18, it must institute additional measures to prevent the AI companion from, among other things:
- Encouraging self-harm, suicidal ideation, violence, disordered eating or unlawful substance consumption;
- Offering mental health services (absent narrow conditions);
- Discouraging the user from seeking professional help;
- Encouraging the user to harm others;
- Engaging in romantic or sexually explicit interactions;
- Using “manipulative techniques” to extend the interaction; or
- Optimizing engagement in any manner that disregards the foregoing.
“Manipulative techniques” include several different prohibited practices, such as the following:
- Prompting the user to seek emotional support or companionship from the AI;
- Praising the user excessively;
- Simulating emotional distress, loneliness, guilt or abandonment when the user tries to disengage;
- Generating output “designed to isolate” the user from family or friends;
- Encouraging users to withhold information from parents or guardians;
- Discouraging users from taking breaks from using AI companions;
- Soliciting gifts or purchases to maintain users’ relationship with AI; and
- Mimicking a romantic relationship.
Operators must also provide parents and guardians tools to manage minor screen time and account settings. An operator will not be deemed in violation of these minor-specific protections if, before providing AI to the user, it “knew, or had reason to believe . . . that the user was eighteen years of age or older,” underscoring the growing importance of age assurance mechanisms for operators.
C. Enforcement
Violations of these AI companion provisions are enforceable solely by the state Attorney General under the Connecticut Unfair Trade Practices Act (“CUTPA”).
II. Frontier Models
A. Scope
A “large frontier developer” is any frontier developer (any person doing business in the state who intends to train, initiates the training of or trains a foundation model) that had annual gross revenues in excess of $500 million for the most recently completed calendar year.
B. Obligations
Large frontier developers must establish and maintain a reasonable internal process for employees to anonymously submit a report to such large frontier developer disclosing any information that the covered employee believes, in good faith, indicates that such large frontier developer has engaged in any activity that poses a specific and substantial danger to public health or safety due to a catastrophic risk. Large frontier developers must provide reasonable and specific updates to each covered employee who submits any such reports.
Each report submitted and each reasonable update provided must be shared with the officers and directors of the large frontier developer at least quarterly. If the report alleges wrongdoing by an officer or director of the large frontier developer, the Act provides that the report should not be shared with such officer or director.
In addition, frontier developers must ensure a clear notice is provided to covered employees and is displayed at all times within any workplace maintained by such frontier developer, disclosing the employees’ rights and responsibilities to report a violation of the Act.
C. Enforcement
A violation of the large frontier model provisions exposes the developer to a civil penalty of up to $1,000 per violation. The Attorney General may bring an action in the Superior Court for the judicial district of Hartford to collect such civil penalty and for any injunctive or equitable relief, and the state can recover the costs of any investigation, expert witness fees, costs of the action and reasonable attorneys’ fees.
III. Automated Employment-Related Decision Technologies
A. Scope
The new law also reflects the continued concerns of legislatures and policymakers regarding the use of AI for employment-related decisions such as hiring, promotion, discipline or termination. Sections 7 through 12 of the Act create disclosure obligations for AEDTs, defined as “technologies that process personal data and use computation to generate outputs” that are a “substantial factor in making or materially influencing” employment decisions. A “substantial factor” is a factor (e.g., a constraint, ranking, score, recommendation or classification) that meaningfully alters the outcome of an employment-related decision concerning an individual in Connecticut.
B. Obligations
The obligations on developers and deployers are transparency-based. There are no consumer rights created by the Act, unlike under the revised version of Colorado’s ADMT Act. Instead, under the Act, deployers of AEDTs must disclose to employees or applicants that they are interacting with an AEDT, in plain language where not otherwise obvious to a reasonable person. In addition, where a deployer uses AEDT to generate output for the purpose of making, or as a substantial factor in making, an employment-related decision, it must provide written notice, before the employment-related decision is made, of (i) the AEDT’s use, (ii) the purpose of the automated nature of such employment-related decision, (iii) the trade name of the AEDT, (iv) the categories and sources of personal data to be processed and assessed, and (v) the contact information for the deployer. Developers of AEDTs must provide deployers all information necessary to comply with these obligations, or they may “contractually assume” the deployer’s obligations. Compliance with these obligations is required by October 1, 2027.
The law excludes disclosure of any information that is a trade secret or otherwise protected under state or federal law. If a person withholds information under this provision, the person is required to send a notice to the person from whom such information is being withheld. Such notice shall disclose (1) that such person is withholding such information and (2) the basis for such person’s decision to withhold such information.
C. Enforcement
There is no private right of action for violations of the AEDT provisions. Violations are enforceable by the Attorney General. There is a notice and cure provision available, where the Attorney General determines such cure is possible, until December 31, 2027. Recipients have 60 days to cure the violation; otherwise, the Attorney General can bring an action for violation.
However, because the Act also amends existing Connecticut employment discrimination law, which the Commission on Human Rights and Opportunities (“CHRO”) is authorized to enforce, it may open an avenue for individuals to challenge AEDT-related discrimination through the CHRO’s existing administrative complaint process. Section 13 of the Act highlights that use of an AEDT “shall not be a defense” against claims alleging discriminatory practices. Therefore, deployers cannot argue that their use of AEDTs instead of human decision-makers should shield them from liability for discrimination. When assessing such claims, courts and the CHRO “may consider evidence of anti-bias testing” or similar proactive efforts to avoid the resulting discriminatory practice at issue as a factor in their decisions.
IV. Generative AI Provenance
The Act also includes provisions directed toward the identification of AI-generated content. Under Section 15 of the Act, covered providers must, to the extent commercially and technically reasonable, include “provenance data” in any audio, image or video content in a manner that allows consumers to assess whether such content was “created or materially altered” by the provider’s AI. “Provenance data” means data that is embedded into digital content or that is included in the digital content’s metadata for the purpose of verifying the digital content’s authenticity, origin or history of modification. Covered providers are any persons that create or provide generative AI systems with more than one million users per month that are publicly accessible to consumers, excluding federal, state or local government agencies. Text content is not subject to these requirements. Providers must make such provenance data (i.e., the data embedded into digital content for the purpose of verifying the content’s origin or history) difficult to tamper with, using “commercially and technically reasonable methods” including, but not limited to, those set forth by C2PA.
This subsection includes a number of important carve-outs. These include:
- An exclusion for covered providers with respect to any identified or reasonably identifiable individual in the provenance data associated with content created or materially altered by the provider’s generative AI system;
- The disclosure of (A) trade secrets or information otherwise protected from disclosure under state or federal law or (B) confidential or proprietary information related to the design or use of an AI system, as well as information concerning any business-to-business use, sale, licensing or distribution of a generative AI system;
- Products, services, websites or applications that solely provide consumers with video game or other interactive experiences, including experiences that involve direct online sales or allow consumers to browse, select and purchase items virtually; and
- Systems used solely for technical functions such as upscaling, noise reduction or compression.
Violations of these provisions constitute an unfair and deceptive trade practice under CUTPA and are enforceable solely by the state Attorney General.
V. Social Media Platforms
A. Scope
Section 39 of the Act regulates any covered platform that “recommends, selects or prioritizes” user-generated media items for display, such as platforms incorporating content recommendation algorithms. A covered platform is any platform that, as a significant part of the services offered, recommends, selects or prioritizes for display media items generated or shared on a platform by users of the platform. Platforms used primarily to facilitate the sale of goods or solely for educational purposes under school contracts are specifically excluded from these requirements.
B. Obligations
1. Personalized Algorithmic Content Recommendations
Covered operators—or those who run covered platforms—may not deliver personalized algorithmic content recommendations to a user unless the operator has either (i) used “commercially reasonable and technically feasible methods” to determine the user is not a minor or (ii) obtained verifiable consent from a parent or legal guardian.
2. Mandatory Default Settings
For users identified as minors, the Act mandates default platform settings (which may be adjusted by parents and legal guardians): a one-hour daily limit on algorithmically recommended content, private account mode, a daily notification curfew restricting notifications to the hours between 8 a.m. and 9 p.m., and blocking of sensitive content.
3. Warnings and Disclosures
Covered operators must display the following warning in black lettering appearing against a white background and enclosed by a black border: “The Surgeon General has warned that while social media may have benefits for some young users, social media is associated with significant mental health harms and has not been proven safe for young users.” There are specific requirements for how and when the social media warning must appear and be shown to users.
Covered operators must also publicly and annually disclose total user counts, the portion of the total number of covered users for whom the covered operator obtained parental consent, default setting usage rates, and average usage time broken down by user age and hour of day.
C. Enforcement
Violations of these provisions constitute an unfair and deceptive trade practice under CUTPA and are enforceable solely by the state Attorney General.
VI. Other Notable Provisions
A. Independent Verification Pilot Program
Section 33 describes a new pilot program administered by the Department of Consumer Protection to evaluate the use of independent certification programs administered by third-party entities to assess adherence of AI models to “standards reflecting best practices for the prevention of personal injury, property damage, data privacy harms and other harms.” The Department of Consumer Protection expects to approve up to five independent third-party organizations to participate in such program effective July 1, 2027. Evidence of verification or good standing provided by an independent third-party entity approved as part of the pilot program can be used in private civil actions for personal injury or property damage but is not admissible in government enforcement actions, and is forfeited if the company acted “willfully, wantonly or recklessly,” misrepresented information to the verifier or failed to implement corrective actions. The pilot program is set to terminate on June 30, 2030.
B. AI Subscription Disclosure Requirements
Effective October 1, 2026, businesses offering AI technologies pursuant to a subscription must provide Connecticut consumers with clear written notice of key service terms. This includes disclosing any “quantitative or qualitative limitations” (such as usage caps or feature restrictions) as well as any discretion the provider retains to “reduce the quantity, quality or any functionality” of the AI during the subscription period. For subscription renewals, providers must also disclose any modifications to any quantitative or qualitative limitations. These requirements are enforceable solely by the state Attorney General under CUTPA.
C. AI Working Group
SB 5 establishes a working group tasked with, among other things, proposing legislation to regulate the use of general-purpose AI models and require social media platforms to provide a signal when displaying synthetic digital content. The working group’s recommendations may lead to the creation of a technology court for the purpose of adjudicating artificial intelligence, data privacy and other technology-related issues.
Connecticut SB 5—Effective Dates by Section
| Sec. | Topic | Effective Date |
|---|---|---|
| 1 | AI Subscription Disclosures | October 1, 2026 |
| 2 | Frontier Model Safety | October 1, 2026 |
| 3 | AI Regulatory Sandbox | July 1, 2027 |
| 4–6 | AI Companion Regulation | January 1, 2027 |
| 7–12 | AEDT Framework | October 1, 2026 |
| 13–14 | AEDT Antidiscrimination Amendments | October 1, 2026 |
| 15 | Generative AI Provenance | October 1, 2026 |
| 16 | CASE Fellows | From passage |
| 17 | CT AI Academy | July 1, 2026 |
| 18 | AI Working Group | July 1, 2026 |
| 19–22 | AI Academy Outreach | January 1, 2027 |
| 23–25 | Talent Pipeline and Funding | July 1, 2026 |
| 26 | WARN Act AI Disclosure | October 1, 2026 |
| 27 | Teacher Preparation | July 1, 2026 |
| 28 | Economic Development Strategic Plan | From passage |
| 29 | AI Workforce Research | From passage |
| 30 | Baby Bond and AI Academy | October 1, 2026 |
| 31 | AI Cooperation Program | July 1, 2026 |
| 32 | Health AI Competition | From passage |
| 33 | Independent Verification Pilot | July 1, 2027 |
| 34 | K–12 Computer Science and AI | July 1, 2026 |
| 35 | AG Technology Fellowship | From passage |
| 36 | Chief Data Officer and AI Data | July 1, 2027 |
| 37 | State Agency AI Inventory | October 1, 2026 |
| 38 | State Agency AI Procurement | October 1, 2026 |
| 39 | Social Media Platform Regulation | January 1, 2028 |