Connecticut AI Laws for Mid-Market (51-250) in Marketing & Advertising
You likely need a dedicated compliance officer. Formal impact assessments and bias audits may be required.
AI Compliance Context for Connecticut
As of 2026-07-04, Connecticut has not enacted an AI-specific statute; the Connecticut Attorney General office defers to Connecticut Data Privacy Act (Conn. Gen. Stat. sec. 42-515 et seq.) with an automated-decision / profiling opt-out. For audience-targeting, generative-creative, and attribution AI in Connecticut, federal signals set the ceiling while regional precedent sets the floor.
Connecticut's immediate neighbors also lack AI-specific statutes, so operators defer primarily to federal frameworks until regional precedent emerges.
The practical effect for Connecticut operators: AI compliance risk is driven by federal agencies first, with Connecticut Attorney General acting on UDAP residual authority only when consumer harm surfaces.
Federal law still governs Marketing & Advertising AI in Connecticut primarily through FTC Section 5 (15 USC 45), CAN-SPAM Act (15 USC 7701), and TCPA (47 USC 227). Adjacent federal authorities include FTC Act Section 5 (15 U.S.C. Section 45(a)); FTC Endorsement Guides (16 CFR Part 255, revised July 2023) (16 CFR Part 255 (revised July 26, 2023)); CAN-SPAM Act (15 U.S.C. Sections 7701-7713). FTC Act Section 5 (enforced by Federal Trade Commission) applies to prohibits unfair or deceptive acts or practices in or affecting commerce. ai-generated marketing content that deceives consumers — synthetic testimonials, undisclosed ai-created imagery, deceptive personalization, dark patterns amplified by ai — is actionable under section 5. Penalty exposure: civil penalties up to $51,744 per violation (2024 cpi-adjusted); consumer redress; disgorgement; algorithmic model-deletion remedies as in the rite aid and everalbum orders. FTC Operation AI Comply (Sep 2024) brought a coordinated sweep against five AI-marketing defendants; the FTC Rule on Consumer Reviews and Testimonials (16 CFR Part 465, effective 2024) adds civil penalties up to $51,744 per review.
The federal and neighboring-state framework that governs your AI operations. Marketing & Advertising operators in Connecticut operate under a federal-dominant framework anchored by FTC Section 5 (15 USC 45), CAN-SPAM Act (15 USC 7701), and TCPA (47 USC 227), with adjacent authorities FTC Act Section 5 (15 U.S.C. Section 45(a)); FTC Endorsement Guides (16 CFR Part 255, revised July 2023) (16 CFR Part 255 (revised July 26, 2023)); CAN-SPAM Act (15 U.S.C. Sections 7701-7713). FTC Operation AI Comply (Sep 2024) brought a coordinated sweep against five AI-marketing defendants; the FTC Rule on Consumer Reviews and Testimonials (16 CFR Part 465, effective 2024) adds civil penalties up to $51,744 per review. The practical risk they have to price in is FTC Section 5 deception liability, state-AG UDAP exposure, and private TCPA litigation for AI voice and text campaigns, and the bellwether signal to monitor is California SB 942 (operative January 1 2026) and the FCC Feb 2024 declaratory ruling treating AI voice calls as artificial voice under TCPA extend exposure well beyond FTC jurisdiction. No regional statute applies yet. Connecticut's comprehensive high-risk AI bill (SB 2) passed the Senate but died in the House in 2024 and failed again in 2025; narrow measures apply, including a state-agency AI inventory and, effective July 2026, LLM training-data disclosure (SB 1295). Use this as a starting point; sector pages on this site go deeper into industry-specific obligations.
At 51-250 employees you need a dedicated compliance officer, a formal AI inventory, and working relationships with specialist outside counsel. Medium-stage Marketing & Advertising operators should deploy a dedicated AI governance committee, mandatory impact assessments for new deployments, and third-party audit on a rolling schedule, with quarterly internal review and annual third-party audit and ownership resting with a Head of AI Governance reporting to the COO or General Counsel. mid-market programs ($250K-$1.5M) typically combine a dedicated compliance officer with enterprise GRC tooling. For Marketing & Advertising specifically, the sharpest exposure to manage is FTC Section 5 deception liability, state-AG UDAP exposure, and private TCPA litigation for AI voice and text campaigns. Given Connecticut's concentration in insurance, financial services, and advanced manufacturing, insurance-underwriting models and automated employment-screening tools deserve priority in your AI inventory.
The enforcement surface for Marketing & Advertising centres on FTC, FCC, State Attorneys General, and the statute operators most often under-document is FTC Endorsement Guides (16 CFR Part 255, revised July 2023) (16 CFR Part 255 (revised July 26, 2023)) — a gap that surfaces in FTC Section 5 deception liability, state-AG UDAP exposure, disputes. Build an evidence binder covering creative-review queue, endorsement-disclosure checklist, synthetic-voice consent form, SB-942 latent-disclosure hook, and TCPA prior-consent ledger. Treat California SB 942 (operative January 1 2026) and the FCC Feb 2024 declaratory ruling treating AI voice calls as artificial voice under TCPA extend exposure well beyond FTC jurisdiction as your leading indicator and escalate when the signal shifts.
Verified 2026-07-04. See https://www.cga.ct.gov/asp/cgabillstatus/cgabillstatus.asp?selBillType=Bill&bill_num=SB00002&which_year=2024 for the Connecticut Attorney General public record on Connecticut AI policy.
Applicable law: No comprehensive AI law — high-risk AI bill (SB 2) died in 2024 and failed again in 2025; narrow provisions only (state-agency AI inventory; LLM training-data disclosure, eff. 2026)
Connecticut has not enacted a comprehensive AI law — its high-risk AI bill (SB 2) passed the Senate but died in the House in 2024 and failed again in 2025. Narrow measures apply: a state-agency AI inventory, an automated-decision opt-out under the Connecticut Data Privacy Act, and (effective July 1, 2026) a duty to disclose when personal data is used to train large language models. Existing consumer-protection and anti-discrimination laws may also apply to AI.
AI-generated content disclosure increasingly required. Deepfake prohibitions affect marketing materials.
What this means for Mid-Market (51-250) in Marketing & Advertising
For a mid-market (51-250) marketing & advertising business operating in Connecticut, AI compliance is a concrete and present-tense concern. At this size, you should have dedicated HR, legal, or compliance capacity and the organizational structure to support formal programs. The central challenge is maintaining consistent compliance across multiple departments that adopt AI tools independently and at different paces — and understanding exactly what No comprehensive AI law requires of an organization at your headcount is the essential foundation.
At the mid-market (51-250) tier, core compliance obligations under Connecticut's framework include a formal AI inventory, a designated compliance officer with AI in their mandate, documented impact assessments for high-risk systems, annual bias audits for employment-affecting AI, and structured vendor compliance reviews. board-level AI governance, external annual audits, and public transparency reports are strongly recommended but not yet mandated at this size in most states — though they are required at the enterprise tier, so building toward them now is prudent. This proportionality is deliberate — regulators recognize that smaller organizations cannot sustain the same compliance infrastructure as large enterprises, but the law's fundamental requirements apply regardless of size.
The marketing & advertising sector's medium risk classification takes on particular relevance at this scale. AI-generated content disclosure increasingly required. Deepfake prohibitions affect marketing materials. For a mid-market (51-250) business, the risk materializes because maintaining consistent compliance across multiple departments that adopt AI tools independently and at different paces is more acute at this size — AI tools from vendors may have been adopted without full compliance review, and operational workflows where AI is embedded often develop faster than governance processes.
The highest-priority actions for a mid-market (51-250) marketing & advertising business in Connecticut are: (1) conduct a formal ai impact assessment for every system that affects employees or customer outcomes; (2) establish a cross-functional ai governance committee with a documented charter and quarterly meetings; and (3) build vendor management procedures that include ai compliance questionnaires and contractual representations. These steps do not require outside counsel or enterprise compliance software — they can be executed with existing staff and documented in straightforward internal policies. The goal is to move from informal AI usage to documented AI governance, even if that governance is lightweight at first.
Understanding the financial stakes clarifies the urgency. at this size, the reputational damage of a public enforcement action routinely outweighs the direct financial penalty — particularly in states with disclosure-based enforcement frameworks. Under No comprehensive AI law, the maximum penalty is N/A. For a business at this size, that exposure — especially if it accrues on a per-violation basis across multiple AI touchpoints — warrants taking compliance seriously now rather than reactively. enterprise-scale obligations activate at the 250-employee threshold in most frameworks — prepare for that transition by investing in systems designed to mature rather than be replaced.
Beyond the headline compliance obligations, mid-market (51-250) marketing & advertising businesses in Connecticut face specific employer and operator duties tied to how AI interacts with people — employees, customers, applicants, and others affected by automated decisions. When AI assists in decisions that affect people's access to services, job opportunities, credit, or housing, Connecticut law treats the deploying organization as responsible for the outcome regardless of whether the underlying model was built in-house or acquired from a vendor. This means mid-market (51-250) operators cannot outsource accountability to their AI provider — vendor contracts should be reviewed for indemnification provisions, compliance representations, and audit rights. Documenting the due diligence you performed before selecting and deploying an AI system is itself a compliance requirement in several states, and a strong defense in enforcement proceedings.
The compliance timeline for a mid-market (51-250) marketing & advertising business in Connecticut has several distinct phases. The first phase — inventory and assessment — involves documenting every AI system in use and evaluating whether it falls within the scope of No comprehensive AI law. Most compliance experts recommend completing this phase within the first 30 days of any new compliance program. The second phase — policy and disclosure — involves drafting the required notices, internal use policies, and vendor agreements. A 60-day target is realistic for most mid-market (51-250) organizations. The third phase — technical controls and ongoing monitoring — involves implementing audit logs, human review checkpoints for high-stakes decisions, and regular bias testing for any AI that affects protected populations. This phase is ongoing. With Connecticut's deadline of N/A, the first two phases should be completed well before enforcement begins.
The enforcement landscape for AI compliance in Connecticut is evolving, but the direction is consistent: regulators are moving from guidance to action. Once No comprehensive AI law takes effect in Connecticut, enforcement typically begins immediately against the most visible violations — disclosure failures and bias-related incidents. For mid-market (51-250) marketing & advertising businesses, the highest-risk scenarios involve automated decisions affecting individuals in ways the law covers: hiring, lending, insurance pricing, and access to services. Regulators typically prioritize cases where AI-driven harm is documented, where disclosure requirements were clearly violated, or where a company failed to provide a mandated appeal or human review process. Building a compliance program now — even a lightweight one appropriate for a mid-market (51-250) organization — establishes a documented good-faith effort that regulators consistently weigh favorably in enforcement decisions. The cost of getting started is a fraction of the cost of responding to a formal investigation.
Connecticut Marketing & Advertising resources
Other company sizes
Serve EU customers? The EU AI Act may also apply — penalties up to €35M.
AI laws for Marketing & Advertising in other states
Anchored to the primary government source (statute, bill text, or agency rule) and verified directly against it · Last verified Jul 4, 2026. See our methodology.
- ↗cga.ct.govhttps://www.cga.ct.gov/asp/cgabillstatus/cgabillstatus.asp?selBillType=Bill&b…
- ↗cbia.comhttps://www.cbia.com/news/issues-policies/sweeping-artificial-intelligence-bi…
- ↗ai-law-center.orrick.comhttps://ai-law-center.orrick.com/connecticut/