While federal comprehensive privacy legislation remains stuck — the SECURE Data Act notwithstanding — the real action in American privacy law continues to happen in state capitols. Connecticut just provided the latest example. Governor Lamont signed SB 4 and SB 5 into law, with SB 4 significantly amending the state's existing consumer data privacy act and establishing a new data broker law. It happened without the national attention a federal bill would draw, and that is precisely how the U.S. privacy regime is actually being built: incrementally, state by state, below the fold.
What changed
Connecticut already had one of the earlier and more substantive state privacy laws, the Connecticut Data Privacy Act. SB 4 amends it significantly — the kind of mid-life strengthening that distinguishes states genuinely committed to privacy enforcement from those that passed a law and moved on. Amendments of this kind typically tighten the definitions that determine who is covered, narrow the exemptions that let companies slip out of obligations, sharpen rules around sensitive data, and reinforce consumer rights to access, correct, and delete.
The accompanying creation of a data broker law is the more consequential structural move. Data brokers — the companies that buy, aggregate, and resell personal information without ever interacting with the people the data describes — are the connective tissue of the surveillance economy. They are also the hardest part of it to regulate, precisely because consumers have no relationship with them and usually do not know they exist. A dedicated data broker law generally requires brokers to register, makes them visible to regulators and the public, and creates obligations and accountability for an industry that has historically operated in the dark.
Why the data broker piece matters most
Of the two, the data broker provisions deserve the most attention, because they target the structural blind spot in nearly every consumer privacy framework.
Most privacy laws are built around the relationship between a consumer and a company they interact with — the app they use, the store they shop at, the service they sign up for. You can read that company's privacy policy, exercise rights against it, opt out of its sharing. But the data broker sits downstream of all of that. By the time your information reaches a broker, it has been detached from your relationship with the original collector. You never agreed to anything with the broker. You often cannot name a single one. And yet they hold and sell detailed profiles assembled from hundreds of sources.
A data broker registry begins to fix this by making the invisible visible. You cannot exercise rights against an industry you cannot see. Requiring brokers to register and identify themselves is the precondition for everything else — deletion rights, opt-outs, enforcement. It is the same logic California pursued with its broker registry and deletion mechanism, now extended into another state.
The patchwork is becoming the policy
Connecticut joins a rapidly expanding map. Recent months have seen comprehensive laws take effect in New Jersey, Tennessee, and Minnesota; California pursuing aggressive enforcement on data minimization; New York signing its Safe by Design Act; and Illinois advancing AI and chatbot legislation. The SECURE Data Act represents the first serious federal attempt of this Congress, but it remains a proposal, and the history of federal privacy legislation is a history of proposals.
In the absence of a federal standard, the states are not waiting. The result is a patchwork — and critics, mostly from industry, complain endlessly about the compliance burden of fifty different regimes. But the patchwork has an underappreciated property: it ratchets in one direction. Each new state law tends to match or exceed the protections of the ones before it, and because national companies generally cannot economically maintain fifty different data-handling systems, they tend to build to the strictest applicable standard. The strongest state law becomes, in practice, the operating floor for the whole country.
That dynamic means a Connecticut update is not only a Connecticut story. A data broker registration requirement in Connecticut nudges brokers toward visibility everywhere they operate. A data-minimization tightening in one state's amendment becomes part of the rising baseline that companies design around nationally.
The takeaway
The headline-grabbing privacy stories tend to be the breaches and the lawsuits — the failures. The quieter story is the steady legislative accretion happening underneath them. Connecticut's SB 4 and SB 5 will not trend. But the strengthening of an existing privacy act and the creation of a data broker law are exactly the kind of unglamorous structural work that determines what protections actually exist when the next breach or scandal hits.
Federal privacy law may eventually arrive. Until it does, the states are writing the real rules — and they are writing them upward.



