For most Americans, the phrase "data broker" triggers a vague, unsettling awareness — the feeling that somewhere, someone is selling your address, income estimate, browsing habits, and political preferences to anyone willing to pay. That awareness has largely existed without remedy. Two developments in the first week of May 2026 suggest that's changing, and changing fast.
On May 5, 2026, Connecticut's House of Representatives passed Senate Bill 4 by a staggering 141-6 margin, sending landmark data broker legislation to the governor's desk. Meanwhile, California — which launched its DELETE Request and Opt-Out Platform (DROP) on January 1, 2026 — is weeks away from requiring every registered data broker in the state to process those deletion requests by law. Together, these moves represent the most concrete consumer data privacy action the United States has seen in years, and they're happening entirely at the state level.
What Connecticut's Senate Bill 4 Actually Does
Connecticut has been a quiet leader in data privacy. It became the fifth state in the country to pass a comprehensive privacy law back in 2023 with the Connecticut Data Privacy Act. Senate Bill 4 goes considerably further by specifically targeting the data broker industry — an ecosystem that has, until recently, largely operated without direct regulation.
The bill creates a mandatory registry for data brokers operating in the state, establishes a deletion mechanism through which Connecticut residents can request removal of their personal data, and imposes specific restrictions on several of the most invasive data categories. Under SB 4, brokers face new constraints on the use of geolocation data, facial recognition technology, and what the bill terms "surveillance pricing tools" — algorithmic systems that adjust prices based on what a consumer's behavioral profile suggests they're willing to pay.
The vote itself tells a story. The Connecticut Senate had already passed SB 4 31-4 before it reached the House, where it cleared 141-6. That degree of bipartisan agreement on any legislation is notable; on tech regulation, it's extraordinary. The near-unanimity suggests that data broker regulation has crossed a threshold — it's no longer politically risky to support it.
California's DROP Platform: One Request to Rule Them All
While Connecticut's bill awaits a governor's signature, California is already executing a parallel strategy — and the mechanics of it are worth understanding in detail.
California's DROP platform, launched January 1, 2026, allows any California resident to submit a single deletion request that automatically reaches every data broker registered with the California Privacy Protection Agency. There's no fee. There's no need to identify every broker individually, find each company's opt-out mechanism, navigate dark patterns designed to frustrate the process, or repeat the exercise every few months. One request covers all of them simultaneously.
Over 500 data brokers are currently registered with the California Privacy Protection Agency. Before DROP, opting out of each one individually — if you could find them all — would take hours of effort and would require constant maintenance as new brokers entered the market. The platform collapses that burden to a single action.
The enforcement mechanism is what makes DROP meaningful rather than symbolic. Starting August 1, 2026, California data brokers will be legally required to check the DROP platform every 45 days and process any deletion requests within 90 days of receipt. Non-compliance carries fines of $200 per deletion request per day. For brokers holding data on thousands of California residents, ignoring DROP becomes existentially expensive almost immediately.
California has also passed SB 361, which requires data brokers to disclose whether sensitive data is sold to foreign actors, government agencies, or generative AI developers — adding a transparency layer that addresses some of the most politically charged concerns about where American personal data ultimately travels.
The Federal Vacuum That's Driving State Action
To understand why state legislatures are moving so aggressively, you have to understand how thoroughly federal data privacy legislation has stalled. The United States has no comprehensive federal consumer data privacy law. The closest attempt — the American Data Privacy and Protection Act — passed the House Energy and Commerce Committee in 2022 with rare bipartisan support but never reached the floor. Subsequent sessions produced similar momentum and similar results.
In the absence of federal action, states have filled the gap. About 20 U.S. states have now enacted some form of comprehensive consumer privacy law, though only four also require data broker registration — a specific and critical category of regulation. Connecticut's SB 4, if signed, would move that needle.
The scale of the underlying problem makes the legislative urgency understandable. The Identity Theft Resource Center reported that 80% of U.S. consumers received at least one data breach notice in 2025. That's not a niche concern or an edge case — it's a mass-exposure event affecting the majority of the American population. Globally, 68% of consumers say they are concerned about their privacy online, according to the IAPP's Privacy and Consumer Trust Report. Public demand for action is real and measurable.
The political dynamics here are also shifting. Data privacy used to be framed primarily as a tech-industry issue, argued in the language of innovation policy. Increasingly, it's being argued in the language of surveillance, consumer protection, and national security — a framing that resonates across party lines in a way that earlier privacy debates did not.
What Makes Connecticut's Approach Notable Beyond the Vote Count
The specific provisions of SB 4 are worth examining because they address categories of data that previous privacy legislation often sidestepped.
Geolocation restrictions matter because geolocation data is among the most sensitive categories of personal information — and among the most commercially valuable. A person's physical movements over time reveal where they worship, who they see a doctor with, whether they attend political events, and where they sleep. Data brokers have sold this data to insurance companies, law enforcement agencies, and political campaigns, often without consumers' knowledge. SB 4's restrictions target this pipeline directly.
Facial recognition limitations address a technology that has expanded rapidly and largely without legal guardrails in most states. The combination of facial recognition databases and broker-held identity files creates identification capabilities that were, a decade ago, the exclusive province of state intelligence agencies.
Surveillance pricing is the newest of the three, and arguably the most novel policy frontier. Also known as dynamic pricing or algorithmic pricing, surveillance pricing refers to the practice of using behavioral and demographic data to charge different customers different prices for the same product or service. Restricting brokers' ability to sell data for this purpose would curtail one of the less-visible but economically significant uses of consumer profiling.
Connecticut's coordinated timing also deserves attention. SB 4 passed just days after the state legislature passed a companion AI regulation bill. That pairing is deliberate — policymakers are beginning to legislate the data infrastructure and the AI systems that run on it as a connected system rather than treating them as separate problems.
Analysis: What This Wave Actually Means for the Data Economy
State-level privacy laws have a well-documented limitation: companies operating nationally can sometimes play jurisdiction against jurisdiction, comply with the most permissive state's rules, or restructure data flows to route around stricter requirements. That's a real constraint on what any single state can accomplish.
But the current wave is different in two ways. First, the scale and speed of adoption mean the patchwork is becoming comprehensive enough that national compliance with the strictest state standards becomes economically rational for large companies. California's market size already functions as a de facto national regulator in multiple industries. When you add Connecticut, Colorado, Virginia, and a growing list of states with similar frameworks, the cost of maintaining separate compliance architectures rises sharply.
Second, the DROP model represents a qualitative shift in regulatory design. Previous privacy frameworks gave consumers rights on paper — the right to request deletion, the right to opt out — but buried the exercise of those rights in processes designed to minimize uptake. A centralized deletion infrastructure that defaults to covering all registered brokers simultaneously inverts that design logic. It makes exercise of the right the path of least resistance rather than the path of maximum friction.
If other states replicate the DROP model — and several are watching California's implementation closely — the data broker industry's business model faces structural disruption. The value of consumer data profiles depends on their completeness and currency. Mass deletion requests, automatically renewed and legally enforced, degrade both.
The deeper political significance is what this moment represents for the relationship between state legislatures and an industry that has, for roughly two decades, expanded largely without democratic accountability. The 141-6 vote in Connecticut isn't just a data point about one bill — it's evidence that elected officials no longer see data broker regulation as politically costly. That shift in political calculus, replicated across enough states, changes the trajectory of federal legislation too. Congress tends to act on technology issues when inaction starts to look like an outlier position rather than a status quo one. The Apple Siri AI lawsuit settlement in 2026 — which resulted in a $250 million payout — further signals that judicial and legislative pressure on data practices is intensifying across multiple fronts.
What Consumers Can Do Right Now
While legislative timelines play out, consumers in California already have access to DROP and can submit a deletion request at no cost. Residents of other states have more limited but still meaningful options.
- California residents should submit a DROP request through the California Privacy Protection Agency's platform now — the August 2026 enforcement deadline means brokers will be legally obligated to process it.
- Connecticut residents should watch for the governor's signature on SB 4, which will trigger the registry and deletion mechanism the bill establishes.
- Residents of other states can individually opt out of major data brokers through services like DeleteMe or by navigating broker opt-out pages directly — a tedious process, but effective for the largest brokers.
- Regardless of state, residents should monitor the Identity Theft Resource Center's breach tracker given that 80% of Americans received a breach notice in 2025 alone.
The IRS's own data-sharing challenges — as explored in reporting on how states miss billions in revenue — underscore that even government systems struggle with data integrity and accountability. The push for private-sector accountability is happening in a context where institutional data hygiene across the board is under scrutiny.
Frequently Asked Questions
What is a data broker and why do they have my information?
A data broker is a company that collects personal information from public records, loyalty programs, social media, website tracking, purchase histories, and other sources, then aggregates and sells that data to third parties. You've never agreed to this directly — the data is assembled from dozens of touchpoints, most of which involve consent buried in terms of service. Data brokers operate largely in the background of the consumer economy, supplying information to insurance companies, marketers, employers, law enforcement, and others.
How does California's DROP platform work, and who can use it?
DROP is available to any California resident. You submit a single deletion request through the California Privacy Protection Agency's platform, and that request is distributed to all data brokers registered with the agency — currently over 500. There's no fee. Starting August 1, 2026, brokers are legally required to check the platform every 45 days and process requests within 90 days, with daily fines for non-compliance. Residents outside California cannot currently use DROP but may be able to use similar state platforms as they develop.
Does Connecticut's SB 4 actually become law now?
Following the 141-6 House vote on May 5, 2026, and the prior 31-4 Senate vote, SB 4 goes to Governor Ned Lamont for signature. Given the overwhelming legislative support and Connecticut's established track record as an early mover on privacy legislation, signature is widely expected. The bill would then take effect on a schedule specified in the legislation, establishing the broker registry and deletion mechanism.
Why hasn't Congress passed a federal data privacy law?
Federal data privacy legislation has stalled repeatedly due to conflicts over preemption (whether a federal law would override stronger state laws), disagreements over private rights of action (whether consumers could sue companies directly), and lobbying from the tech and data industries. The political will for a federal framework exists in the abstract — the American Data Privacy and Protection Act passed committee with bipartisan support in 2022 — but floor action hasn't followed. The growing state-level momentum may eventually force Congress's hand.
What are surveillance pricing tools, and why does Connecticut's bill address them?
Surveillance pricing tools are algorithmic systems that use consumer data profiles to adjust prices based on what a buyer appears willing to pay. If your browsing history, location data, and purchase history suggest you have high income and low price sensitivity, you may be shown higher prices than someone whose profile suggests the opposite — for the same product. Connecticut's SB 4 restricts data brokers from selling data for this purpose, targeting the supply chain that makes personalized price discrimination possible.
Conclusion: The State Laboratories Are Working
The United States is running a distributed experiment in data privacy governance, and the results are becoming visible. California's DROP platform and Connecticut's Senate Bill 4 represent two different regulatory strategies — California building the infrastructure for mass consumer action, Connecticut targeting the broker industry's operational architecture directly — and both are moving faster than any federal framework has in years.
The 80% breach exposure rate, the global consumer anxiety about online privacy, and the near-unanimous legislative votes suggest this issue has reached a tipping point. The question is no longer whether the data broker industry will face meaningful regulation, but when and how comprehensively. Given the pace of state action in 2025 and 2026, "when" is starting to look like now.
What happens in Connecticut's governor's office in the coming days, and what California learns from DROP's enforcement rollout in August, will shape the template that other states — and eventually Congress — follow. This is worth watching closely, because the rules being written right now will govern what companies can do with the most detailed portrait of everyday American life ever assembled.
