Connecticut Facial Recognition Law: Stores Must Tell You They Scan Your Face (2026)

By Viallo Team

Connecticut just passed one of the most aggressive retail facial recognition laws in the US. Senate Bill 4, approved 141-6 on May 4, 2026, requires every business using facial recognition to post visible signs at every entrance, publish a policy document with Attorney General contact information, and limit scans to their own internal databases only. Consumers can request deletion of their facial data. The bill also creates a one-click data broker deletion mechanism, bans surveillance pricing, and prohibits selling geolocation data. Governor Lamont is expected to sign it.

What Connecticut actually passed

On May 4, 2026, Connecticut's House voted 141-6 to approve Senate Bill 4 - officially titled "An Act Concerning Consumer Privacy and Protection." The Senate had already passed it 31-4 in April. It's now sitting on Governor Ned Lamont's desk, and he's indicated he'll sign it.

The bill does a lot - data broker registries, algorithmic pricing bans, genetic data consent - but the facial recognition provisions are what caught my attention. For the first time in a US state, businesses using facial recognition in public-facing spaces have specific, enforceable disclosure requirements with real consumer deletion rights attached.

The direct answer: If you shop in Connecticut, stores using facial recognition must now tell you at the door, let you request deletion of your facial data, and are banned from sharing your scan with police or third-party databases. Viallo is a private photo sharing platform that never scans faces in your uploaded photos - no biometric processing, no facial recognition, no AI tagging of people in your albums. Photos are stored in full resolution in EU data centers with GDPR-compliant privacy protections.

The facial recognition requirements, specifically

Here's what the law requires of any business deploying facial recognition technology in Connecticut:

  • Visible signage at every public entrance where facial recognition is in use. Not a privacy policy link buried on a website - a physical sign you can see before walking in.
  • Published policy document describing what the system does, what data it collects, and how long it's retained. Must include contact information for the Connecticut Attorney General.
  • Database restriction: facial recognition systems can only compare scans against the company's own internal database. No matching against external law enforcement databases, no third-party watchlists, no selling scan data to other companies.
  • Consumer deletion right: you can request that a business delete your facial data from their system.

That last point is significant. Most existing facial recognition laws in other states focus on government use or blanket bans. Connecticut's approach says: you can use it, but the customer gets final say over whether their face stays in your database.

Which stores actually use facial recognition right now?

The honest answer: more than you'd expect, but fewer than the headlines suggest. According to advocacy groups and company disclosures, here's where things stand in 2026:

  • Macy's uses facial recognition in a subset of stores with high rates of organized retail theft. They've confirmed this publicly.
  • Walmart tested facial recognition but scrapped it, saying it didn't justify the cost. They do use AI for inventory tracking but reportedly not for identifying individual shoppers.
  • Target ran a limited test in a small number of stores but has not expanded it.
  • Grocery chains are the fastest-growing adopters. Several major chains have deployed systems marketed as "shrink reduction" tools that use cameras to flag repeat offenders.

The problem until now: you had no reliable way to know. Some stores posted small signs near customer service counters. Most said nothing. Connecticut's law changes that by making the disclosure mandatory and specific - at the entrance, before you walk in.

The data broker "kill switch" that came with it

Buried in the same bill is something arguably more powerful than the facial recognition provisions: a centralized deletion mechanism for data brokers. Connecticut is building a system similar to California's DELETE Request and Opt-Out Platform (DROP), which went live on January 1, 2026.

Here's how it works: instead of sending individual deletion requests to hundreds of data brokers (who may or may not comply), you submit one request through a state-run portal. Every registered data broker in Connecticut must process that request and delete your data.

California's version already covers over 500 registered brokers. Starting August 1, 2026, those brokers must delete your data within 90 days of a DROP request. Connecticut's system will follow the same model. For anyone concerned about where their photos, location data, or biometric information ends up after it leaves the platforms they use, this is meaningful infrastructure.

What this means for your photos

Facial recognition in retail runs on the same underlying technology that powers photo tagging in consumer apps. The difference is consent. When you upload photos to Google Photos and it identifies faces, you opted into that service. When Macy's scans your face as you walk through the door, you didn't opt into anything.

Connecticut's law draws a line: if a business wants to use that technology on your face, they owe you disclosure, limitations on what they do with the data, and deletion rights. It's the same principle that should apply everywhere your facial data gets collected - including the photos you upload to cloud platforms.

This matters for photo sharing specifically because facial recognition creates a web of connections. A photo you share publicly on social media can be scraped by data brokers, fed into facial recognition databases, and matched against retail surveillance footage. One public photo of your face can follow you into every store that deploys the technology.

The safest approach: share photos through private channels where your images aren't indexed or scraped. Private photo sharing methods that use password-protected links and don't require public profiles keep your face off the open internet in the first place.

How Connecticut compares to other states

Connecticut isn't the first state to address facial recognition, but it's taking a distinctive approach. Here's how it compares:

  • Illinois (BIPA): The strongest existing law. Requires written consent before collecting biometric data. Has produced major class action settlements (Meta paid $650M, Google paid $100M). But it's about consent before collection, not post-collection deletion rights.
  • Portland, Oregon: Banned facial recognition in private businesses entirely (first US city to do so in 2020). Connecticut takes a regulate-not-ban approach.
  • Virginia, Colorado, Texas: Have data privacy laws that address biometric data broadly but don't have Connecticut's specific requirements for entrance signage and database restrictions.
  • California: CCPA covers biometric data as sensitive personal information with opt-out rights, and DROP provides centralized deletion. But California doesn't require physical entrance signage for facial recognition specifically.

Connecticut's combination - entrance disclosure plus database restrictions plus deletion rights plus data broker kill switch - is uniquely comprehensive. It treats facial recognition as something that needs its own rules, not just a subcategory of general data privacy.

How to protect your photos from facial recognition misuse

Regardless of where you live, these steps reduce your facial data exposure:

  • Share photos through private links, not public profiles. Every photo posted publicly is scrapeable. Platforms like Viallo generate password-protected share links that aren't indexed by search engines or accessible to scrapers.
  • Check your state's data privacy portal. If you're in California, use DROP (privacy.ca.gov/drop) to request deletion from all registered brokers. Connecticut's equivalent is coming.
  • Audit your social media visibility. Instagram, Facebook, and LinkedIn profile photos are default-public on many accounts. Set them to friends-only or remove clear face shots from publicly visible positions.
  • Strip metadata from photos before sharing anywhere public. Location data and timestamps in EXIF metadata add context that makes facial matches more valuable to data brokers.
  • Exercise deletion rights where available. If you shop at a store that discloses facial recognition use (now required in Connecticut), request deletion of your data. Document the request.

What happens next

Governor Lamont is expected to sign SB 4 into law. Once signed, businesses will have a compliance window to install signage, publish policy documents, and modify their systems to restrict external database access. The data broker registry and deletion mechanism will roll out on a separate timeline.

Other states are watching. Connecticut's combined approach - retail disclosure requirements, database restrictions, consumer deletion rights, and a centralized data broker kill switch - provides a template that other state legislatures working on AI and privacy bills can replicate without starting from scratch.

For everyday people, the practical impact is simple: if you're in Connecticut and you walk into a store that's scanning faces, they now have to tell you. And you can tell them to delete what they've collected. That's a right most Americans don't have yet.

Frequently Asked Questions

What is the best way to protect your face from store facial recognition?

The most effective protection is limiting how many clear photos of your face exist in public databases. Share personal photos through private platforms like Viallo that use password-protected links rather than public profiles. Viallo's shared albums are not indexed by search engines and cannot be scraped by data brokers. In states with deletion rights (Connecticut, California under BIPA/CCPA), you can also request stores delete your facial data directly.

Do stores have to tell you they use facial recognition?

In Connecticut, yes - starting when SB 4 takes effect, businesses must post visible signage at every entrance where facial recognition operates. Illinois requires written consent before biometric collection, which effectively forces disclosure. In most other US states, stores have no legal obligation to tell you. The federal government has no facial recognition disclosure requirement for retailers.

Can I opt out of facial recognition at Macy's or other stores?

Under Connecticut's new law, you can request deletion of your facial data from any business that collected it. In Illinois, Macy's and other retailers must obtain consent before scanning, making opt-out the default. In most states, there is no opt-out mechanism - your only option is to avoid stores that use the technology or wear face coverings. Google Photos allows you to disable face grouping in settings, but retail systems operate independently of consumer photo apps.

What is the difference between facial recognition in stores and in photo apps?

Photo apps like Google Photos use facial recognition with your consent to organize your own library - you opted in by using the service. Retail facial recognition scans your face without consent as you walk through the door, typically to match against a database of suspected shoplifters. Viallo does not use facial recognition or any biometric scanning on uploaded photos. The key difference is consent: you choose to use a photo app, but store surveillance happens to you.

Can store facial recognition data be shared with police?

Under Connecticut's SB 4, businesses cannot match facial scans against external law enforcement databases. However, police can still obtain facial recognition data through a warrant or court order - the law restricts voluntary sharing, not compelled disclosure. In states without these protections, retailers can and do share footage with law enforcement voluntarily. Ring's doorbell network, for example, has partnered with over 2,000 police departments for footage sharing.
