Attorney General Tong Releases Report on Connecticut Data Privacy Act
(Hartford, CT) – Attorney General William Tong today released a report detailing the actions of the Office of the Attorney General to educate consumers and businesses and enforce compliance with the Connecticut Data Privacy Act (CTDPA) since the new law took effect on July 1, 2023.
The Act requires the Office to issue such a report no later than February 1, which must include (1) the number of notices of violation the Attorney General has issued; (2) the nature of each violation; (3) the number of violations cured; and (4) any other matter the Attorney General deems relevant. The report also identifies several suggestions to both strengthen and clarify the law.
“The Connecticut Data Privacy Act is among the nation’s first and strongest consumer privacy laws—granting consumers powerful new rights to access, correct and delete data, as well as rights to opt-out of the sale of personal data and targeted advertising. Since the law took effect, we have worked to educate both consumers and businesses about these important rights and obligations,” said Attorney General Tong. “There is much yet to be done in the balancing act of privacy of consumer information and the need to use and maintain that same information in our global economy. We remain ready to do our part, encouraging and guiding compliance, but prepared to undertake enforcement when necessary. In that vein, we provide this Report not just to meet the specific requirements in the CTDPA but to continue the conversation in this expanding area of the law.”
Since the CTDPA took effect, the Office of the Attorney General has issued over a dozen notices of violation (cure notices), as well as broader information requests focused on privacy policies, sensitive data, teens’ data, and other areas. While many companies took prompt steps to address concerns and have cooperated with information requests, many of these inquiries remain active and ongoing.
Notice recipients span various industries, including retail, fitness, event services, career services, parenting technologies, and home improvement. Deficiencies identified in the notices included:
• Lacking disclosures (e.g., failure to incorporate notice of consumer rights under the CTDPA at all);
• Inadequate disclosures (e.g., failure to sufficiently inform Connecticut residents about their rights under the law and/or how Connecticut residents may appeal denials);
• Confusing disclosures (e.g., statements creating an impression that consumers may be charged for rights requests as a default, as opposed to only for manifestly unfounded, excessive or repetitive requests);
• Lacking rights mechanisms (e.g., failure to include a clear and conspicuous link to a webpage enabling consumers to opt out of the targeted advertising or sale of their data);
• Burdensome rights mechanisms (e.g., rights mechanisms that did not take into account the ways consumers normally interact with the company); and
• Broken/inactive rights mechanisms (e.g., non-working links or dead-end mechanisms).
One of the first comprehensive consumer privacy laws in the country, the CTDPA requires covered businesses to appropriately limit their collection of personal data, be transparent about how they use and secure that data, and obtain consumer consent before collecting sensitive information—such as precise location data, biometric data, and certain health information. The CTDPA also provides Connecticut consumers with new baseline privacy rights, including:
• The right to access personal data that a business has collected about them;
• The right to correct inaccuracies in their personal data;
• The right to delete their personal data, including data that a business collected through third parties; and
• The right to opt out of the sale of their personal data and targeted advertising.
The CTDPA requires covered businesses to maintain a privacy notice that clearly describes how consumers may exercise their rights under the law. Importantly, the law prohibits businesses from discriminating against consumers for exercising those rights.
The CTDPA also requires covered businesses to protect the personal data of children and teens. In addition to permitting a child’s parent or legal guardian to exercise privacy rights on the child’s behalf, businesses must obtain opt-in consent before selling the personal data of a consumer under 16 years old or sending the consumer targeted ads.
Consumers should note that not all Connecticut businesses are covered by the CTDPA. The law includes specific revenue thresholds and exempts certain industries regulated by other privacy frameworks—such as health care companies subject to the Health Insurance Accountability and Portability Act of 1996 (HIPAA).
For more information about the CTDPA, visit the Attorney General’s FAQ page here.
This report was prepared and reviewed by the entire Privacy Section, including Section Chief Deputy Associate Attorney General Michele Lucan, assistant attorneys general John Neumon, Laura Martella, Kileigh Nassau, Jordan Levin, and Patrick Kania, and paralegal specialists Megan Kane and Casey Rybak.