Connecticut's CART Act: New Comprehensive AI Regulation for Employers, Social Media, Chatbots, and Synthetic Content

Connecticut has enacted the Connecticut Artificial Intelligence Responsibility and Transparency Act (the “CART Act”), a wide-ranging law regulating employment-related automated decision tools, AI companions, generative-AI practices, frontier developers, and youth-facing online platforms. On May 27, 2026, Governor Ned Lamont signed Senate Bill 5 into law as Public Act 26-15. The Act is among the broadest state AI laws enacted to date, creating separate compliance requirements keyed to specific uses of AI and online services. Most provisions of the CART Act take effect on October 1, 2026, with major additional obligations arriving on January 1, 2027, October 1, 2027, and January 1, 2028.

‍

Automated Decision Making Technology in the Workplace

‍

The CART Act builds on existing regulations impacting automated decision-making technology (“ADMT”), as the Connecticut Data Privacy Act already gives consumers the right to opt out of profiling used to make decisions that produce legal (or similarly significant) effects. The CART Act adds a more specific employment focus by regulating “automated employment-related decision technology” when it is a substantial factor in, or materially influences, hiring, promotion, discipline, discharge, training, renewal, tenure, or other material terms and conditions of employment. While this represents a broad range of activities in which ADMT would be used, it is important to note that the law excludes routine tools and certain operational uses from regulation, including workplace health and safety, scheduling and planning, productivity monitoring, and systems used only incidentally to an employment decision. In other words, the use of ADMT to make determinations impacting “process” of work tends to be outside of the scope of the CART Act, as opposed to determinations more directly impacting people.

‍

Beginning October 1, 2027, deployers of ADMT in employment contexts (meaning businesses using ADMT in their workplace or business) must tell applicants and employees in plain language when they are interacting with covered ADMT, unless that fact would be obvious to a reasonable person. Where ADMT is used to make, or serves as a substantial factor in making, an employment-related decision, the deployer must provide a written pre-decision notice stating that ADMT is being used, the purpose for which ADMT is being used, the nature of the decision being made with assistance from ADMT, the trade name of the ADMT being used, the categories and sources of personal data analyzed in the decision-making process, and how that data will be assessed.

‍

Developers of ADMT must provide deployers with the information needed for compliance with the CART Act. Importantly, trade secrets do not have to be disclosed as part of the ADMT disclosure requirements of the CART Act, but notice is still required that information is being withheld, along with the legal basis for that withholding.

‍

The Connecticut attorney general has exclusive enforcement authority over the employment disclosure regime, and violations through December 31, 2027 may receive a discretionary 60-day cure opportunity before suit.

‍

In addition to the requirements described above regarding ADMT, the CART Act amends Connecticut employment-discrimination law to make clear that the use of covered ADMT in an employment context is not a defense to a discrimination complaint regarding related decisions, although courts and regulators may consider the quality, scope, recency, and results of anti-bias testing and similar proactive measures when reviewing allegations of illegal discrimination.

‍

The CART Act also reaches workforce reductions by requiring employers that submit Worker Adjustment and Retraining Notification (“WARN”) notices in Connecticut to disclose whether a plant closing or mass layoff is related to AI or another technological change beginning October 1, 2026. That requirement is broader than a notice about AI-driven selection tools alone and can force difficult judgment calls about whether automation, AI adoption, or technology modernization contributed to a reduction in force.

‍

Social Media and Youth-Facing Services

‍

The CART Act also impacts social media companies and other recommendation-driven platforms reliant on sharing or recommending user-generated media content. Beginning January 1, 2028, covered platforms may not provide personalized or algorithmically curated feeds to minor users without verifiable parental consent, and they must use commercially reasonable and technically feasible methods to determine whether a user is a minor or not.

‍

The youth-platform section goes further by restricting certain contacts and content, limiting overnight activity on minors’ accounts, and requiring prominent Surgeon General warnings about youth mental-health risks from social media.

‍

AI Companions

‍

Companies operating conversational AI products should also evaluate whether any chatbot features make such chatbots an “AI companion,” defined as an artificial intelligence system with a natural language interface that creates a simulated, ongoing relationship with a user. Operators of AI companions must implement suicide and self-harm protocols, make disclosures that an AI companion is non-human, and impose extensive minor-protection safeguards beginning January 1, 2027. The companion definition contains carve-outs for ordinary customer service, technical support, educational, and certain healthcare tools, but products designed to sustain relationships across repeated interactions will attract closer scrutiny. Exemptions exist for certain categories of chatbots, including operational chatbots used solely for business, research, technical support, patient care, education, or financial services; stand-alone voice assistants; certain educational AI tools; narrow task-specific tools; and certain healthcare AI tools used exclusively for healthcare-related education, clinical support, medication-adherence reminders, disease-management guidance, or other treatment-support functions, so long as those tools do not present themselves as human, use anthropomorphic features, or seek to meet a user’s social or emotional needs. Covered operators must also implement protocols to identify and respond to expressions of suicide, self-harm, or imminent violence and direct users to appropriate mental-health resources, while minor-facing companion systems must prevent a range of harmful or manipulative interactions.

‍

Watermarking and Synthetic Content

‍

Beginning October 1, 2026, covered providers with more than one million monthly users must, to the extent commercially and technically reasonable, embed provenance data (akin to a digital “watermark”) into AI-generated or materially altered audio, image, or video and use commercially reasonable methods to make that data difficult to tamper with or remove. The goal is to more easily allow the authentication of AI-generated or human-generated content.

‍

Key Takeaways for Businesses

‍

Businesses that want to be ready for the CART Act should begin with a documented AI governance strategy and a use-case-specific inventory of AI systems across human resources (“HR”), customer-facing products, recommendation systems, generative media, and/or advanced model-development activities. A review of which activities in these covered areas require action, along with systematic coordination of disclosure drafting and management, protocol review, and operational responses, will require collaboration across operational and legal stakeholders. In particular, employers should focus on disclosure workflows, anti-bias testing, and WARN-related decision records because the CART Act preserves discrimination exposure even where AI was supplied by a vendor and requires labor disclosures around AI-related layoffs. Human resources administrators should be involved throughout these efforts to help ensure compliance.

‍

Considering that certain CART Act violations may be considered unfair or deceptive trade practices subject to the Connecticut Unfair Trade Practices Act, violations may give rise to private rights of action (although enforcement mechanisms and private-right-of-action exposure vary by provision), potentially expanding liability beyond typical regulatory penalties.

‍

The team at PAG Law works regularly with businesses in the U.S. and around the world to establish compliant AI and data privacy practices, and remains ready and available to discuss how we can do the same for your business.

‍

‍
^{Zachary Soto is a Partner at PAG Law PLLC, where he chairs the Privacy Law, Cybersecurity, and AI Governance practice. He has practiced privacy, cybersecurity, and corporate transactional law for over 16 years and is certified by the International Association of Privacy Professionals as a Certified Information Privacy Professional (CIPP/US) and AI Governance Professional (AIGP).}

‍

^{Disclaimer: This publication is provided by PAG Law PLLC for general informational purposes only and does not constitute legal advice or create an attorney-client relationship between PAG Law and the reader. The content reflects the views of the author as of the date of publication and may not reflect subsequent developments in law, regulation, or policy. Readers should not act or refrain from acting on the basis of any information contained herein without seeking professional legal counsel tailored to their specific circumstances and jurisdiction. PAG Law expressly disclaims all liability with respect to actions taken or not taken based on any or all of the contents of this publication. This material may be considered attorney advertising in some jurisdictions.}

‍