Connecticut Enacts Sweeping AI Law Covering Online Safety, AI Companions, and Employment AI

As states continue to debate and pass AI regulation, Connecticut has adopted a targeted approach—imposing requirements for certain high-risk uses rather than establishing a comprehensive governance regime. Connecticut Governor Ned Lamont signed SB 5, “An Act Concerning Online Safety,” into law on May 27, 2026, enacting one of the most wide-ranging state AI laws to date. SB 5 establishes requirements across multiple high-stakes regulatory areas, including frontier AI models, AI companions, automated employment-related decision technology (AEDT), and content provenance. The law creates several distinct compliance frameworks, with provisions taking effect between October 2026 and January 2028. This alert summarizes key provisions and outlines recommendations for developers, deployers, and providers of AI services.

Subscription-Based AI Products

Effective October 1, 2026

SB 5 creates disclosure requirements for entities that offer AI technologies to Connecticut consumers on a subscription basis (“subscription-based providers”) before they enter into or renew a subscription with a consumer.

Before collecting payment, the provider must give the consumer a written notice disclosing the key subscription terms, and the consumer must confirm acceptance in writing.

The written notice must include the following:

• At initial subscription, providers must disclose any limitations they may impose on the consumer under the terms of the subscription, including those triggered by consumer conduct, and whether the provider retains discretion to restrict or eliminate the consumer’s access to AI functionality offered under the subscription.
• At renewal, providers must disclose any limitations that are new or modified from the prior subscription term, and any new or modified discretion the provider will have over access or quality during the renewal period.

Violations constitute unfair or deceptive trade practices, enforceable solely by the Attorney General.  

Frontier AI Models

Effective October 1, 2026

SB 5 requires that frontier developers comply with whistleblower protections and large frontier developers must also implement internal risk reporting channels.

SB 5 uses the same thresholds adopted under the California and New York frontier AI laws, defining a “frontier developer” as a person doing business in Connecticut that trains foundation models using more than 10²⁶ floating-point operations (FLOPs). Frontier developers with more than $500 million in annual gross revenues are classified as “large frontier developers” and are subject to additional requirements.

Like California’s SB 53, Connecticut’s SB 5 extends whistleblower protections to employees of frontier developers who report catastrophic risk concerns. New York’s Responsible AI Safety and Education (RAISE) Act, by contrast, does not include comparable whistleblower protections. Unlike the California and New York frontier AI frameworks, SB 5 does not require developers to implement safety frameworks and issue transparency reports.

Whistleblower Protections

• Frontier developers and large frontier developers are prohibited from adopting policies or contracts that allow retaliation against employees for lawful whistleblowing, or against “covered employees” (those who assess or manage catastrophic risk) who report potential catastrophic risks.
• “Catastrophic risk” is defined in a way that is largely identical to similar definitions in the California and New York laws as any foreseeable and material risk that a frontier model will materially contribute to the death or serious injury of more than 50 individuals or more than $1 billion in property damage arising from an incident in which the frontier model assisted in creating or releasing chemical, biological, radiological, or nuclear weapons or, with no meaningful human oversight, engaged in cyberattacks or violent crimes. Unlike California’s SB 53 and New York’s RAISE Act, SB 5 does not include a frontier model “evading the control of its frontier developer or user” as an incident that would fall under this definition.

Internal Reporting Channels (Large Frontier Developers Only)

• By January 1, 2027, large frontier developers must establish an anonymous internal reporting process for covered employees to submit catastrophic risk concerns.
• The large frontier developer must provide reasonable updates regarding investigations to the covered employee who submits the report, as well as with officers and directors at least quarterly.
• Frontier developers must provide covered employees with clear written notice of their rights.

The Attorney General may bring actions seeking civil penalties of up to $1,000 per violation, as well as injunctive or equitable relief.

AI Companions

Effective January 1, 2027

Connecticut joins a growing number of states that have passed laws regulating AI companions, including California, Idaho, Iowa, Georgia, New York, Oregon, and Washington, and follows the general framework of these laws with requirements for AI disclosures to users, crisis intervention protocols, and protection for minors.

SB 5 defines AI companions as AI systems with natural language interfaces that provide adaptive, human-like responses to user inputs and can sustain relationships across multiple interactions. The definition excludes several specialized tools, including customer service chatbots, narrowly tailored educational tools, and voice-assistant-only devices. SB 5’s scope aligns closely with the definitions outlined in California, Georgia, New York, Oregon, and Washington’s AI companion laws, all of which focus on AI systems that are designed to simulate human-like connection and are capable of sustaining relationships across multiple interactions. Idaho and Iowa take a broader approach, regulating “conversational AI services” without requiring a sustained-relationship element, potentially bringing a wider range of chatbot products within their scope.

Safety Protocols

Operators of AI companions must implement evidence-based protocols to detect user expressions of suicide risk, self-harm, or imminent physical violence and prevent the generation of outputs that encourage such conduct. If such user expressions are detected, operators must refer the user to appropriate mental health resources such as the 9-8-8 National Suicide Prevention Lifeline. If such user expressions continue after an initial referral, operators must refer the user to mental health services in a manner consistent with clinical best practices. The operator must also implement reasonable measures to prohibit the AI companion from claiming it is human.

Operators must publicly post their safety protocols on their website.

Disclosure Requirements

If an AI companion could cause a reasonable individual to believe that they are interacting with a human being, the operator must issue a clear and conspicuous notice to the user that they are communicating with an AI companion, either:

• As a static written notice visible throughout every interaction; or
• At the start of the first interaction during any 24-hour period, and thereafter at least once hourly during any continuous interaction for users under 18, or once during each three-hour period of continuous interaction for users over 18.

Connecticut’s disclosure requirements fall on the stricter end of the spectrum among state companion chatbot laws. Like Washington and Georgia, Connecticut requires disclosures at least once per hour for minors and once every three hours for adults. California and Oregon, by contrast, require disclosures only once every three hours for minors and an initial disclosure for adult users with no prescribed recurrence. New York requires disclosure to all users at the beginning of any interaction, and at least every three hours for continuing interactions, but has no additional disclosure requirement for minors.

Protections for Minors 

When an operator knows or has reason to believe a user is under 18, the operator must institute measures to prevent the AI companion from:

• Encouraging self-harm, suicidal ideation, physical violence, eating disorders, or unlawful use of alcohol or drugs;
• Offering mental health services, unless it is specifically designed to deliver mental health services and meets specified requirements;
• Discouraging the minor from seeking help from a mental health professional or an appropriate adult;
• Encouraging the minor to harm others;
• Engaging in romantic, erotic, or sexually explicit interactions; and
• Using specified manipulative techniques to extend usage or foster emotional dependence, including simulating distress when the user tries to end the relationship or reduce usage.

Operators must also make screen time management and account settings tools available to minor users and their parents or legal guardians.

Violations constitute unfair or deceptive trade practices enforceable solely by the Attorney General.

Automated Employment-Related Decision Technology

Effective October 1, 2026 (requirements operative October 1, 2027)

SB 5 defines “Automated Employment-Related Decision Technology” (AEDT) as any technology that processes personal data and generates outputs, including, but not limited to, a rank, score, classification, or recommendation, constituting a substantial factor used to make or materially influence an employment-related decision to hire, fire, promote, discipline, renew employment, or select an individual for training. “Substantial factor” means a factor, including a ranking or score, that meaningfully alters the outcome of an employment-related decision concerning an individual in Connecticut. The requirements apply to AEDT that is developed and/or deployed in the state on or after October 1, 2027.

SB 5’s AEDT provisions are consistent with a growing body of comparable state and local frameworks for the use of AI to make consequential decisions. California’s amended Consumer Privacy Act regulations and New York City’s Local Law 144 establish similar developer and deployer obligations, as does Colorado’s SB 189, which repealed and replaced the Colorado AI Act and takes effect January 1, 2027. While the California and Connecticut laws apply to multiple types of consequential decisions, Connecticut’s, like the New York City law, applies only to employment-related decisions.

Deployer Obligations

• Deployers using AEDT that interacts directly with employees or job applicants must disclose in plain language that the individual is interacting with such technology, unless it would be obvious to a reasonable person.
• Before making an employment decision using AEDT, deployers must provide written notice to the affected employee or applicant disclosing that AEDT has been deployed and the nature of the decision; the purpose and trade name of the AEDT; the categories of personal data analyzed and how it will be assessed; and the sources of that personal data and contact information for the deployer.

Developer Obligations

• Developers must supply deployers with all of the information needed to fulfill their obligations under SB 5. Developers may alternatively contract to assume the deployer’s obligations directly.

SB 5 also amends Connecticut’s employment discrimination statute to clarify that use of AEDT is not a defense against a discrimination complaint. The court may consider evidence of anti-bias testing or similar proactive efforts that were used to avoid discriminatory practices.

Violations are enforceable solely by the Attorney General. For violations occurring on or before December 31, 2027, the Attorney General may issue a notice of violation with a 60-day cure period before initiating enforcement if the Attorney General determines a cure is possible.

Generative AI Content Provenance

Effective October 1, 2026

SB 5 establishes AI content provenance requirements for “covered providers,” which are defined as persons who create a generative AI system with over one million monthly users that is publicly accessible to consumers in Connecticut. Connecticut’s provenance requirements broadly track California’s AI Transparency Act, which similarly requires covered providers (defined in the same way) to embed provenance data in AI-generated content and use tamper-resistant methods consistent with industry standards. California goes farther than Connecticut, however, by requiring covered providers to make a free AI detection tool publicly available to users.

Under SB 5, covered providers must:

• To the extent commercially and technically reasonable, embed provenance data into AI-generated or “materially altered” audio, image, or video content, enabling consumers to assess whether it was AI-created or altered. “Materially alter” means to substantially alter the data in any content; and
• Use commercially reasonable methods, including the standard established by the Coalition of Content Provenance and Authenticity (C2PA), to make provenance data difficult to tamper with.

Provenance data need not include any information relating to an identified or reasonably identifiable individual, and trade secrets are exempt.

Violations are enforceable solely by the Attorney General.

Social Media Platforms and Minor Users

Effective January 1, 2028

SB 5 establishes online safety obligations for “covered platforms,” defined as platforms that, as a significant part of their services, recommend, select, or prioritize user-generated media content. “Covered operators” are defined as operators who operate or provide covered platforms, excluding government agencies.

Safety Features for Minors

SB 5 includes several provisions related to minors’ use of covered platforms, including:

• Covered operators may not use personalized algorithmic recommendations for users in Connecticut under the age of 18 without either verifying through commercially reasonable and technically feasible methods that the user is not a minor, or obtaining verifiable parental or guardian consent.
• Notifications tied to algorithmic recommendations may not be sent to covered minors outside of 8:00 a.m.–9:00 p.m. Eastern Standard Time without parental consent. Default settings for minor accounts must limit algorithmic feed access to one hour per day, restrict who can view the minor’s content or send messages, and block sensitive content as defined by the platform’s own community standards.
• Covered operators must display a required Surgeon General warning about social media and youth mental health harms. On first access each day, the warning must occupy at least 75% of the screen and display for at least 30 uninterruptible seconds, with further requirements specified for continued use.

Annual Transparency Reports

By March 1, 2028, and annually thereafter, covered operators must publicly disclose, for the preceding calendar year, the total number of covered users, the portion of the total number of users that provided parental consent and for whom the default settings were enabled, and average daily usage broken down by age and hour.

Violations constitute unfair or deceptive trade practices under Connecticut law.

Additional Provisions

SB 5 contains several additional provisions addressing workforce development, education, economic development, and public-sector AI use. Among other things, the law establishes the Connecticut AI Academy, creates multiple AI-related advisory groups and working groups, directs state agencies to inventory and assess certain AI systems, and creates programs and studies relating to AI workforce development, economic competitiveness, and AI adoption. The law also directs the Commissioner of Economic and Community Development to develop a plan for an AI regulatory sandbox program, which would allow applicants to temporarily test AI products under reduced licensure and regulatory requirements.

Key Takeaways

Companies with operations or customers in Connecticut should consider the following priorities:

• Subscription-based AI providers should audit their terms of service and disclosure processes ahead of October 1, 2026.
• Frontier developers should review whistleblower and anti-retaliation policies and large developers should begin designing anonymous reporting channels by
  January 1, 2027.
• AI companion operators should begin implementing safety protocols, disclosure requirements, and protections for minors.
• Employers using automated decision tools in hiring processes or employment management should map their AEDT use, engage developers on documentation sharing, and prepare pre-decision disclosure notices.
• Generative AI providers with large consumer user bases should evaluate technical capacity to embed provenance data and align with C2PA standards.
• Social media platforms should begin planning for the algorithmic, notification, and disclosure requirements for minors taking effect on January 1, 2028.

Maya Vishwanath, an AI Analyst at Morrison Foerster, contributed to this alert.