Connecticut Takes Aim at AI in Employment Decisions With SB 5

The Act regulates artificial intelligence (AI) and online safety across several major areas, including regulating automated tools used in employment decisions. In particular, the Act imposes transparency and notice requirements on the use of automated tools in employment decisions, extends whistleblower protections to workers at large-scale AI model developers, launches a state-supervised pilot for third-party AI verification bodies, and mandates new AI-related reporting in connection with mass layoff notices. The law prioritizes disclosure over prescriptive design or audit obligations. The Act does not create a private right of action, giving the Connecticut Attorney General (AG) sole authority to enforce the law, acting through the Connecticut Unfair Trade Practices Act (CUTPA). If signed into law, implementation would begin October 1.

What the Act Covers

At its core, the Act governs what it terms “automated employment-related decision technology.” This encompasses any system processing personal data through computational methods to generate outputs (such as scores, rankings, classifications, or recommendations) that serve as a “substantial factor” in employment-related decisions or that materially influence them. Covered decisions are broadly defined, spanning hiring, promotion, discipline, termination, employment renewal, and selection for training or apprenticeship programs. As a practical matter, the definition is broad enough to capture a wide array of commonly deployed HR technologies, from third-party applicant tracking and resume-screening platforms to automated performance evaluation and workforce scheduling systems. Ordinary productivity software (spreadsheets, word processors, email clients, and similar general-purpose tools) falls outside the statute’s reach, as do tools employed only incidentally or for purely descriptive or statistical functions.

Compliance responsibilities under the Act are divided between two categories of regulated parties: “developers” who design, build, sell, license, or configure the covered technology and “deployers” who put it to use.

Key Obligations

Developers: As of October 1, a developer whose product is marketed or designed to materially influence employment decisions must furnish deployers with information sufficient for the deployer to satisfy its own statutory obligations. A notable gap in the statute is that it does not prescribe the specific categories of information developers must generate or maintain, raising the practical question of whether the documentation deployers need will actually exist when requested. The Act does permit developers and deployers to contractually reallocate certain notice and disclosure duties, though any such arrangement must be set out expressly.

Deployers: Deployer obligations are more extensive, and compliance obligations are effective on a staggered timeline.

Point-of-Interaction Disclosure 

Starting October 1, 2027, any employer that uses a covered system designed to interact directly with job candidates or workers must affirmatively notify the individual, using clear and accessible language, that an automated tool is part of the interaction. This obligation does not apply where the automated nature of the exchange would be self-evident to a reasonable person.

Pre-Decision Notice 

Separately, before any employment-related decision is rendered with the assistance of a covered tool, the employer must deliver a written notice to the affected individual. That notice must identify: (1) the fact that an automated system is being used, (2) its intended purpose and the specific type of employment action at issue, (3) the commercial name of the product, (4) the categories of personal data being processed and the sources from which such data is obtained, (5) the methodology by which the data is evaluated, and (6) contact information for the deploying employer.

Trade Secret Safe Harbor 

The Act includes a carve-out for proprietary information: neither developers nor deployers may be compelled to reveal trade secrets or other information shielded by law. However, if an employer elects to withhold information on these grounds, it must affirmatively notify the recipient and identify the legal privilege or protection being invoked.

AI Is Not a Defense to Discrimination

SB 5 amends the Connecticut Fair Employment Practices Act to make clear that an employer cannot avoid discrimination liability simply by pointing to an automated system as the decision maker. At the same time, the statute permits courts and agencies to weigh an employer’s proactive anti-bias testing efforts when assessing liability, though these efforts do not constitute a formal safe harbor.

Frontier AI Developer Obligations

In a provision without parallel in most other state AI laws, SB 5 imposes obligations on “frontier developers.” Covered developers may not adopt policies or contractual terms that punish employees for engaging in protected whistleblowing activity or for flagging, on a good-faith basis, conduct that creates a concrete and significant public health or safety risk arising from a “catastrophic risk” such as facilitation of chemical, biological, radiological, or nuclear threats, or large-scale cyberattacks causing material harm.

“Large frontier developers” face additional governance requirements. By January 1, 2027, they must establish an anonymous internal channel for covered employees to report safety concerns, furnish periodic updates on any resulting investigations, and present those reports to senior officers and the board no less than quarterly. All frontier developers are also required to publicize these employee rights through workplace postings, onboarding materials, and regular notices to remote staff.

Independent Verification Organizations

SB 5 directs the Connecticut Department of Consumer Protection to launch a pilot program, effective July 1, 2027, under which up to five “independent verification organizations” may be approved to evaluate whether AI systems satisfy specified risk-mitigation and safety benchmarks (including protections against personal injury, property damage, and privacy violations). Each approved organization must operate under a memorandum of understanding with the state that sets out its permitted scope, assessment methodologies, reporting requirements, and internal governance standards. 

Critically, verification through this program does not amount to regulatory certification or endorsement. While a verification assessment may be admitted as evidence in certain civil proceedings, it does not create any presumption of compliance, safe harbor, or defense in an enforcement action brought by the AG. The pilot is time-limited, with a 2030 sunset, and is best understood as a testing ground for what could become a more permanent AI assurance framework.

WARN Act AI Disclosure

Effective October 1, employers that file federal WARN Act notices in Connecticut must include an additional disclosure to the state Department of Labor indicating whether the workforce reduction bears any connection to the employer’s adoption of AI or other technological changes; the specific form and content of this disclosure will be prescribed by the Labor Commissioner. This requirement positions Connecticut among the first states to draw a formal link between layoff reporting and the use of AI-driven automation.

Enforcement

Any breach of the Act’s requirements is treated as an unfair or deceptive trade practice under CUTPA. Enforcement authority rests solely with the AG, meaning private parties have no independent cause of action under the statute. During a transitional window for violations that occur on or before December 31, 2027, the AG has discretion to issue a cure notice giving the violator 60 days to remediate before the state initiates litigation. Frontier developer violations are subject to separate civil penalties, and the state may recover its investigation costs and attorney’s fees.

Effective Dates

Rather than a single go-live date, SB 5 phases in its requirements over the course of roughly 15 months.

October 1, 2026: The core automated employment decision framework, including the developer-deployer allocation of duties, the anti-discrimination amendments codifying that AI use is not a defense, the frontier developer whistleblower protections, and the WARN Act AI-disclosure obligation, becomes operative.

January 1, 2027: Large frontier developers must have a functioning anonymous reporting channel and related governance procedures in place.

July 1, 2027: The independent verification organization pilot program opens for applications.

October 1, 2027: Deployer obligations to provide point-of-interaction disclosures and pre-decision written notices take full effect.

December 31, 2027: The AG’s discretionary 60-day cure window for automated employment violations lapses.

Comparison With the Colorado AI Act (SB 26-189)

The two laws diverge in several important respects. 

Scope 

Colorado’s SB 26-189 (the replacement for the original Colorado AI Act) reaches AI-assisted “consequential decisions” across a wide range of sectors, including education, housing, financial services, insurance, health care, and essential government services, in addition to employment. Connecticut’s Act targets almost exclusively employment-related decisions. 

Disclosure Requirements 

Colorado requires both pre-decision interaction notices and detailed post-adverse-outcome notifications within 30 days; Connecticut mandates pre-decision written notices and real-time interaction disclosures but has no analogous post-adverse-outcome notification requirement. 

Penalties

Colorado authorizes fines of up to $20,000 per violation through the Colorado Consumer Protection Act, while Connecticut routes enforcement through CUTPA without a specified per-violation ceiling.

Unique Connecticut Provisions 

Connecticut’s Act also includes several components that have no counterpart in the Colorado law: the express codification that AI use does not shield an employer from discrimination claims, the whistleblower protections for frontier model developer employees, the state-supervised independent verification pilot, and the WARN Act AI-disclosure mandate. 

Actions to Take

Conduct an AI Tool Inventory: Catalog every automated system that touches the employment lifecycle, including recruiting, screening, evaluation, promotion, discipline, and separation. Further, assess which produce outputs that could constitute a “substantial factor” in covered decisions. 

Design Disclosure and Notice Processes: Develop standardized notice templates addressing each content requirement and embed them into HR workflows with sufficient lead time for pre-decision delivery. Revise WARN Act procedures to capture whether planned layoffs have any nexus to AI or technology adoption.

Institutionalize Anti-Bias Testing: Obtain from technology vendors documentation of bias-testing methodologies, results, and remediation timelines. Maintain thorough records of these efforts and any corrective steps. Evidence of good-faith testing may carry weight in litigation or enforcement even though the Act does not establish a safe harbor.

Strengthen Vendor Agreements: Confirm that existing AI vendor contracts require delivery of the information deployers need for compliance and, where appropriate, negotiate express allocations of notice and disclosure duties. 

Evaluate Frontier Developer Exposure: Businesses developing or financing large-scale foundation models should determine whether their computational resources reach the FLOPs threshold and, if so, establish the required anonymous reporting infrastructure, non-retaliation policies, and quarterly board reporting cadence before January 1, 2027.

Track Regulatory Developments: The AG and other state agencies are expected to publish interpretive guidance and implement regulations. Designate responsibility for monitoring these developments and be prepared to update compliance programs as the enforcement landscape takes shape.