Connecticut Attorney General Issues Report on the First Six Months of the Connecticut Data Privacy Act – Highlighting Enforcement Priorities

5 min read

The Connecticut Office of the Attorney General ("CT AG") has released its first report on enforcement of the Connecticut Data Privacy Act ("CTDPA"), revealing its focus on companies’ privacy policies, protections of "sensitive data" (such as genetic, biometric and geolocation data), and teen data. The CT AG also advocates in its report for a number of legislative changes that would "strengthen or clarify privacy protections under the CTDPA."

The CTDPA required the CT AG to issue a report six months after its July 1, 2023, effective date detailing (1) the number of violation notices issued; (2) the nature of each violation; (3) the number of violations that were cured; and (4) any other relevant information. We provide details of the report below.

Enforcement Actions in the First Six Months of the CTDPA

The key areas that the CT AG has focused its initial enforcement priorities are:

  • Privacy Policy Review - The CT AG initiated a review of privacy policies posted by companies covered by the CTDPA and issued ten cure notices for deficiencies that included 1) inadequate or confusing disclosures; 2) a lack of any privacy disclosures; and 3) consumer rights—such as opt-out mechanisms—that were too burdensome for consumers to use, or broken, or lacking altogether.
  • Sensitive Data - The CT AG has prioritized enforcing the CTDPA's protections of sensitive data and reported that it has issued several related cure notices and inquiry letters. One cure notice was issued to a "popular car brand" based on privacy concerns around connected vehicles, which has also been an area of focus for the California Privacy Protection Agency. An inquiry letter was sent to a "major web service provider and retailer" after that company announced a plan to deploy palm-recognition software for identification, age verification, and payment, information that is likely to constitute biometric data under the CTDPA. Additionally, after a cybersecurity incident of a genetic testing and ancestry company, the CT AG sent an inquiry letter seeking information on the company's data security and compliance with the CTDPA.
  • Teen Data - The CTDPA provides for heightened protections for teens' personal data, and the CT AG reports issuing one cure notice to a company that provides an anonymous messaging app directed at teens after an accountability group filed a complaint with the Federal Trade Commission. The cure notice addresses the company's information collection and sharing practices as well as its use of targeted advertising.
  • Data Brokers - the CT AG noted its focus on data brokers, given the "broad swaths of information [they] collect and collate on behalf of Connecticut residents." The CT AG reports that one consumer complaint prompted the office to send both a cure notice to a company for targeted advertising and also an inquiry letter to the data broker that had identified that individual for their marketing list.

A Call for Legislative Changes

The CT AG notably devotes a substantial portion of its report to recommendations for legislative changes to strengthen and clarify the CTDPA, arguing in several instances that those changes would also better align the law with other states, in particular California, Oregon, and Delaware. The AG's recommendations include:

  • Scaling back the "myriad of exemptions carving out entities from [CTDPA] requirements," including exemptions for non-profits and entities covered by the Graham-Leach-Bliley and Health Insurance Portability and Accountability Acts;
  • Enacting a "one-stop-shop" deletion mechanism, similar to California's Delete Act that will allow consumers to submit one verified request to delete personal data held by data brokers;
  • Strengthening the "right to know" provisions by requiring more specific disclosures to consumers of third parties who receive their personal data from covered businesses;
  • Expanding the definition of biometric data from "automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological patters or characteristics that are used to identify a specific individual" to one that covers biometric data that is "capable of doing so" and;
  • Clarifying whether CTDPA protections of teens' data bans targeted advertising to teens altogether or whether the opt-out provision that applies to sale of personal data also applies to targeted advertising.

Consumer Complaints

The CT AG report highlights the inquiries and "more than thirty" complaints it has received from consumers and notes that it reviews all consumer complaints for issues or patterns indicative of CTDPA violations. The report further notes that many complaints have related to consumers' interest in exercising their "right to delete" their personal data.

Key Takeaways

  1. Adequate Privacy Policies: Covered businesses must continue to prioritize its external disclosures, namely online privacy policies. Specifically, businesses that are subject to the CTDPA must ensure that they:
    • publish privacy policies that fully inform Connecticut residents about their rights under the law; and
    • provide "clear and conspicuous" mechanisms allowing consumers to opt out of targeted advertising or sale of their data.
  2. Complying With Consumer Rights Request: Consumers have regularly reported purported CTDPA violations mostly relating to exercising their rights. Business that are the subject of these complaints invite regulatory scrutiny. Businesses must ensure they comply with consumer requests to the extent afforded by the CTDPA and take note of any exceptions in complying with such requests.
  3. Enforcement to Continue: The CT AG has hit the ground running in tackling CTDPA violations and businesses should expect an increase in the CT AG's enforcement efforts. This is particularly so in the areas that are the subject of consumer complaints (including those made to other regulatory agencies), as well as inadequate privacy policies, sensitive data, teen data and data brokers. Notably, the CT AG has six full-time Assistant Attorney Generals assigned to its privacy team.
  4. Changes Ahead: As the CT AG has called for modification to the CTDPA's text, the Connecticut legislature may decide to amend the statute in line with the aforementioned recommendations or in line with other state data privacy laws. Businesses should continue to monitor any legislative developments and ensure timely compliance.


White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2024 White & Case LLP