The Connecticut Unfair Trade Practices Act Takes Center Stage in Tech Regulation

The 2026 Connecticut legislative session produced a wave of new consumer protection legislation, with the Connecticut Unfair Trade Practices Act (“CUTPA”), Conn. Gen. Stat. § 42-110a et seq., serving as the enforcement backbone for fifteen new per se violations across six Public Acts.[1] Two trends stand out as particularly significant for practitioners and regulated entities: (1) the legislature’s systematic exclusion of private enforcement rights in technology-related provisions, and (2) the sheer volume of technology-focused obligations now channeled through a consumer protection statute originally enacted in 1973. Furthermore, the Act already cross-referenced over 109 Connecticut statutes—a figure that grows meaningfully with 15 additions this session.[2] This advisory examines the 2026 developments and their practical implications.

A New Enforcement Paradigm: AG-Only Enforcement in the Technology Space

The most significant development in CUTPA this session is the legislature’s decision to designate new per se CUTPA violations while simultaneously stripping the private right of action that has historically been a hallmark of Connecticut’s consumer protection framework.[3] The AG-only enforcement model first appeared in 2022 with the Connecticut Data Privacy Act (“CTDPA”) and related provisions.[4] The pre-2026 AG-only provisions were all clustered in the data privacy and technology space:

• Conn. Gen. Stat. § 42-525(e) – the Connecticut Data Privacy Act’s core enforcement provision, governing consumer data privacy and online monitoring, including the collection, processing, and sale of personal data and biometric information.
• Conn. Gen. Stat. § 42-528(d) – the CTDPA’s social media platform provisions applicable to minors, imposing obligations on platforms regarding data collection and processing practices affecting children and requiring age-appropriate safeguards.
• Conn. Gen. Stat. § 42-529e(a) – the CTDPA’s broader online privacy, data, and safety protections, governing practices related to consumer data rights including the right to access, correct, delete, and opt-out of the sale of personal data.
• Conn. Gen. Stat. § 42-110x(f) – Connecticut’s Right to Repair law, requiring manufacturers of electronic and appliance products to make documentation, parts, and tools available to owners and service dealers on fair and reasonable terms.

The 2026 session then saw this model explode. The legislature went from four AG-only CUTPA provisions to twelve in a single session, transforming what had been an emerging pattern confined to data privacy and right-to-repair into a dominant enforcement model for technology regulation writ large.

Under traditional CUTPA enforcement, Section 42-110g(a) of the General Statutes provides a private right of action for “[a]ny person who suffers any ascertainable loss of money or property” as a result of an unfair or deceptive trade practice. The private enforcement mechanism under Section 42-110g is robust: a court may award punitive damages, costs, and reasonable attorneys’ fees, and class actions are expressly authorized. Historically, the legislature has moved to strengthen, not curtail, private enforcement rights: a 1979 amendment eliminated the privity requirement, broadening access to private suits, and a 1995 amendment added a statutory right to jury trial.[5] Section 42-110g has long been one of the most powerful tools available to Connecticut consumers and one of the most significant litigation risks facing businesses operating in the state.[6]

This session, however, the legislature carved out a substantial and growing category of CUTPA violations from which private enforcement is expressly excluded. Across three Public Acts, eight sections follow a consistent pattern: the underlying conduct is declared a per se unfair or deceptive trade practice under Section 42-110b, but enforcement is reserved solely to the Attorney General.

The provisions subject to this AG-only enforcement model are as follows:

• PA 26-6, Section 1(f) – Prohibitions on healthcare and veterinary providers advertising, soliciting, or offering third-party financing to consumers.
• PA 26-15, Section 1(c) – Disclosure requirements for subscription-based artificial intelligence technology providers.
• PA 26-15, Section 5(c) – Safety protocol requirements for artificial intelligence companion operators, including suicide and self-harm detection and prevention of AI systems claiming to be human.
• PA 26-15, Section 6(c) – Protections for minors interacting with artificial intelligence companions, including prohibitions on encouraging self-harm, romantic or sexual interactions, and manipulative engagement techniques.
• PA 26-15, Section 12 – Disclosure obligations for developers and deployers of automated employment-related decision technology.
• PA 26-15, Section 15(c) – Requirements for covered providers of generative AI systems to embed provenance data in AI-generated audio, image, and video content.
• PA 26-100, Section 44(e) – Prohibitions on surveillance pricing by retail sellers and third-party delivery services.
• PA 26-100, Section 46(c) – Disclosure requirements for subscription-based providers of generative AI systems.

Two observations about these provisions stand out. First, many of these provisions employ a belt-and-suspenders approach, layering three distinct limitations: the statute declares that violations “shall be enforced solely by the Attorney General,” then provides that Section 42-110g “shall not apply,” and then adds that nothing in the section “shall be construed as providing the basis for a private right of action.” This level of redundancy suggests the legislature is aware of the significance of excluding private enforcement and wants to foreclose any ambiguity.

Second, this pattern appears almost exclusively in technology and AI-related provisions. Of the eight AG-only sections, seven regulate technology companies or AI-related conduct. The sole exception is PA 26-6’s healthcare financing provision.

CUTPA as the Legislature’s Preferred Vehicle for Tech Regulation

Beyond the enforcement question, the 2026 session is notable for the sheer volume of technology-focused regulation now flowing through CUTPA. Between PA 26-15 and PA 26-100, the legislature enacted new CUTPA obligations governing six areas of technology regulation:

• AI subscription services – requiring disclosure of key terms, quantitative and qualitative limitations, and provider discretion to reduce functionality, for both general AI technologies (PA 26-15, Sec. 1) and generative AI systems specifically (PA 26-100, Sec. 46).
• AI companion safety – mandating suicide and self-harm detection protocols, mental health referral mechanisms, and prohibitions on AI systems claiming to be human (PA 26-15, Section 5), with heightened protections for minors, including bans on romantic or sexual interactions, manipulative engagement techniques, and optimization of user engagement that disregards child safety provisions (PA 26-15, Sec. 6).
• Automated employment decisions – imposing disclosure obligations on developers and deployers of AI technologies used to materially influence employment-related decisions (PA 26-15, Secs. 8-12).
• Generative AI provenance – requiring covered providers to embed provenance data in AI generated audio, image, and video content using commercially and technically reasonable methods, including compliance with standards established by the Coalition for Content Provenance and Authenticity (PA 26-15, Sec. 15).
• Social media platform regulation – imposing algorithmic feed restrictions, mandatory Surgeon General health warning, notification curfews for minors, default screen-time limits, and parental control mechanisms on covered platforms (PA 26-15, Sec. 39).
• Surveillance pricing – prohibiting the use of personal data collected through biometric monitoring, cameras, device tracking, and similar technologies to establish customized pricing, with mandatory disclosure requirements for online sellers and a flat ban for brick-and-mortar retail sellers and third-party delivery services (PA 26-100, Sec. 44).

The breadth of this regulatory activity signals that CUTPA has become one of the preferred vehicles for technology regulation in Connecticut. Prior to the 2026 legislative session, over 109 statutes expressly incorporated CUTPA by reference, spanning subjects from odometer tampering to health club guaranty funds to anthracite coal sales.[7] But the 2026 additions are qualitatively different from the statute’s historical cross-references: rather than simply declaring that existing regulatory violations also constitute CUTPA violations, the legislature is now using CUTPA as an enforcement framework for entirely new areas of technology regulation that did not previously exist in Connecticut law. For technology companies operating in or serving Connecticut consumers, compliance with CUTPA now requires attention not only to the statute’s traditional prohibitions on unfair and deceptive conduct, but also to a rapidly expanding body of sector-specific obligations embedded in a growing number of Public Acts.

The Continuing Proliferation of Per Se CUTPA Violations

The AG-only enforcement trend exists within a broader context of continued legislative expansion of per se CUTPA violations across all sectors. This session, the legislature designated fifteen new categories of conduct as per se unfair or deceptive trade practices.[8] While the technology provisions discussed above account for much of this growth, the legislature also created new per se violations in several traditional commerce areas:

• Beverage container redemption (PA 26-2) – dealers and redemption centers that tender out-of-state or previously redeemed containers for refund commit a per se CUTPA violation.
• Residential solar and energy storage sales (PA 26-16) – violations of home solicitation sale requirements, cancellation rights, and new solicitation rules for residential solar and energy storage systems constitute per se unfair or deceptive acts.
• Event ticket sales (PA 26-100, Secs. 30-32) – speculative ticket resale without possession, deceptive use of venue or performer names in internet domains, and failures to comply with all-in pricing, dynamic pricing, and refund requirements all constitute per se CUTPA violations.
• Electronic nicotine delivery systems (PA 26-100, Sec. 33) – violations of the dealer registration requirements, including new floor-area caps, population-based licensing limits, and advertising restrictions, constitute per se unfair trade practices.

Practical Implications

For regulated entities, the key takeaways from the 2026 session are as follows: Technology companies subject to AG-only provisions should recognize that their primary enforcement risk is the Office of the Attorney General. Compliance strategy, government relations, and a cooperative posture with the AG’s office are accordingly more significant considerations than private litigation reserves. The cure provision in PA 26-15, Section 12, which allows the AG to issue a notice of violation and provide sixty days to cure violations occurring before December 31, 2027, suggests that at least in the employment AI context, the legislature contemplates a collaborative initial enforcement approach.

For businesses in traditional consumer commerce sectors: ticket resale, vape retail, solar energy sales, and beverage container redemption, the calculus is different. The full CUTPA private enforcement apparatus remains available, including the potential for class actions, punitive damages, and attorneys’ fees under Section 42-110g. These businesses should be aware that the new per se designations eliminate the need for plaintiffs to prove that the challenged conduct is independently “unfair” or “deceptive.” The statutory violation itself establishes the CUTPA claim.

Finally, practitioners should be attentive to the effective dates, which vary significantly across the new provisions. Some took effect immediately upon approval, while others phase in over the next two years, with the social media platform provisions in PA 26-15 Section 39 not taking effect until January 1, 2028. Businesses subject to these new obligations should begin compliance planning well in advance of the applicable effective dates.

Appendix A: New CUTPA Violations Added in 2026 Legislative Session

PA	Section	Subject	Effective Date	Per Se CUTPA?	Enforced Only by the Attorney General?	Key Details
26-2	Sec. 1 (§22a-245(g))	Beverage container redemption	From passage (Mar. 3, 2026)	Yes	No	Dealers/redemption centers tendering out-of-state or previously redeemed containers for refund. AG has separate civil action authority; municipal police may also enforce.
26-6	Sec. 1(f)	Healthcare/vet third-party financing	Jan. 1, 2027	Yes	Yes	Prohibitions on providers advertising, soliciting, or offering third-party financing; restrictions on charging accounts prematurely; ancillary product return/refund rights.
26-15	Sec. 1(c)	AI subscription disclosures	Oct. 1, 2026	Yes	Yes	Subscription-based AI providers must give written notice of key terms (limitations, discretion to reduce functionality) and receive written consumer acceptance before entering/renewing subscriptions.
26-15	Sec. 5(c)	AI companion safety protocols	Jan. 1, 2027	Yes	Yes	Operators must implement suicide/self-harm detection, refer users to mental health resources, and must prevent AI from claiming to be human.
26-15	Sec. 6(c)	AI companion protections for minors	Jan. 1, 2027	Yes	Yes	Bans on encouraging self-harm, romantic/sexual interactions with minors, manipulative engagement techniques. Parental tools are required for AI companions available to minor users.
26-15	Sec. 12	Automated employment decision technology	Oct. 1, 2026 (applies Oct. 1, 2027)	Yes	Yes	Developer/deployer disclosure obligations for AI in employment decisions. Includes 60-day cure provision for violations before Dec. 31, 2027.
26-15	Sec. 15(c)	Generative AI provenance data	Oct. 1, 2026	Yes	Yes	Covered providers (1M+ monthly users) must embed provenance data in AI-generated audio/image/video using commercially reasonable methods.
26-15	Sec. 39(g)	Social media platform protections	Jan. 1, 2028	Yes	No	Algorithmic feed restrictions, Surgeon General mental health warning, notification curfews for minors (9pm-8am), 1-hour daily default screen-time limits, parental controls, annual disclosures.
26-16	Sec. 9(b)	Residential solar/energy storage home solicitation sales	Oct. 1, 2026	Yes	No	Violations of cancellation rights, notice requirements, and new residential solar/energy storage solicitation rules constitute per se CUTPA. Also imposes civil penalty up to $500/violation (replacing prior criminal misdemeanor).
26-55	Sec. 2	Synthetic intimate image platform removal	Oct. 1, 2026	No (but AG may bring action under Ch. 735a)	AG enforcement against platforms; separate private right of action for victims under Sec. 1	Platforms must remove synthetic intimate images within 48 hours of valid request. AG civil penalties up to $25K/day. Victims have independent private right of action (2-year SOL from discovery).
26-100	Sec. 30(c)	Ticket resale: possession requirement	Jan. 1, 2027	Yes	No	Resellers must have actual/constructive possession of ticket or written contract with venue operator. Exceptions for season-ticket holders and subscription-series sales.
26-100	Sec. 31(c)	Ticket resale: deceptive domain names	Jan. 1, 2027	Yes	No	Prohibits using internet domains containing venue, event, or performer names to advertise/facilitate ticket sales without written consent.
26-100	Sec. 32(g)	Ticket pricing transparency and refunds	Jan. 1, 2027	Yes	No	All-in pricing disclosure; dynamic pricing protections;  resale-ticket disclosure; 30-day refund for cancellations.
26-100	Sec. 33(k)	E-nicotine / vape dealer registration	Jan. 1, 2027	Yes	No	Comprehensive overhaul: new floor-area caps (25%), population-based caps (1 per 2,500), entry-age verification, advertising restrictions, record-keeping.
26-100	Sec. 44(e)	Surveillance pricing	Feb. 1, 2027	Yes	Yes	Bans retail sellers/delivery services from using personal data (biometric, cameras, device tracking) to raise prices. Online disclosure required: “THIS PRICE WAS INCREASED USING YOUR PERSONAL DATA.” No disclosure required if price equals bona fide market price.
26-100	Sec. 46(c)	Generative AI subscription disclosures	Oct. 1, 2026	Yes	Yes	Subscription-based generative AI providers  (1M+ users) must give written notice of key terms and receive written consumer acceptance before entering/renewing subscriptions. Requires full disclosure of terms on tokens, images generated, and transcription services.

---

[1] CT PA 26-2 § 1; CT PA 26-6 § 1(f); CT PA 26-15 §§ 1(c), 5(c), 6(c), 12, 15(c), 39(g); CT PA 26-16 § 9(b); CT PA 26-100 §§ 30(c), 31(c), 32(g), 33(k), 44(e), 46(c).

[2] Robert M. Langer et al., Connecticut Practice Series Volume 12 – Connecticut Unfair Trade Practices, Business Torts and Antitrust, Appendix E (2025-2026 Ed.).

[3] State of Connecticut Department of Consumer Protection, The Connecticut Unfair Trade Practices Act (CUTPA), https://portal.ct.gov/dcp/trade-practices-division/about-the-connecticut-unfair-trade-practices-act-cutpa?language=en_US (last visited June 5, 2026).

[4] CT PA 22-15.

[5] Langer et al., supra note 2, at Appendix D.

[6] Legal Clarity, Connecticut Unfair Trade Practices Act: What You Need to Know, https://legalclarity.org/connecticut-unfair-trade-practices-act-what-you-need-to-know/ (last visited June 5, 2026).

[7] Langer et al., supra note 2, at Appendix E.

[8] For a summary of all fifteen new per se violations enacted this session, including effective dates an enforcement details, see Appendix A.