chevron-down Created with Sketch Beta.


Connecticut Attorney General Releases First Report on the CTDPA

Katherine Wang

Connecticut Attorney General Releases First Report on the CTDPA
serts via Getty Images

On February 1, 2024, Attorney General William Tong released a report detailing the work of the Office's Privacy Section since the Connecticut Data Privacy Act (CTDPA) took effect on July 1, 2023. The report provides background on the Privacy Section and its preparation for the CTDPA, summarizes CTDPA inquiries and enforcement efforts, and makes legislative recommendations.

Background and Preparation

The CTDPA grants the Office of the Attorney General sole enforcement authority. With the law taking effect nearly eight months ago, the Office expanded its Privacy Section from four to six full-time Assistant Attorneys General. Additionally, the Office received $250,000 to prepare for the CTDPA’s implementation, which has been used to train the Privacy Section and work with a privacy consultant. To engage with the community, the Privacy Section has also published FAQ guidance on the Office of the Attorney General’s website and discussed the CTDPA at various consumer protection and bar association events.

Inquiries and Enforcement Efforts

From July 1, 2023 to mid-January of this year, the Privacy Section received over 30 complaints related to the CTDPA. A significant number of complaints dealt with consumers’ right to delete. Notably, the report highlights that many of these complaints involved consumers attempting to delete data exempt under the CTDPA, such as those under the category of “publicly available information.” For example, the Privacy Section could not bring enforcement actions against websites that aggregated public records (e.g., phone numbers, addresses, and property records) and then posted individual profiles based on the publicly available information.

However, the Privacy Section was able to investigate other targets. Since July 1, 2023, the Attorney General has issued ten cure notices to address deficiencies in companies’ privacy policies. These deficiencies ranged from inadequate disclosures (e.g., failure to inform Connecticut users of their rights under the CTDPA) to inactive rights mechanisms (e.g., failure to provide active and working links for Connecticut users to exercise their rights under the CTDPA). The report notes that companies receiving cure notices were eager to cooperate with the Privacy Section.

Other than reviewing privacy policies to ensure CTDPA compliance, the Section’s actions included investigating practices relating to sensitive data, teen data, and data brokers. The report provides examples of several companies that received cure notices, including “a local grocery store after becoming aware of media reports and receiving consumer complaints regarding the store’s use of biometric software for purposes of preventing and/or detecting shoplifting” and “an app company in connection with its… anonymous peer messaging app directed at teens.”

Legislative Recommendations

The report makes several recommendations to revise and clarify the CTDPA:

  1. Scale Back Entity-Level Exemptions: Compared to other state privacy laws, the CTDPA “flatly exempts” entire entities, such as non-profit organizations. The report recommends scaling back these exemptions, which (1) put Connecticut residents at a disadvantage and (2) make it challenging for the Privacy Section to bring enforcement actions alongside other states.
  2. Enact One-Stop-Shop Deletion Mechanism: Inspired by California’s Delete Act, the report recommends that Connecticut take a similar approach so consumers can delete their personal information through a single, verified request.
  3. Add “Right to Know” Specific Third Parties: Unlike newer state privacy laws, the CTDPA requires fewer disclosures when information is shared with third parties. The report recommends enhanced disclosures so that consumers know which additional companies gain access to their data.
  4. Expand Biometric Data Definition: The CTDPA only regulates biometric data “used to identify a specific individual” (emphasis added). The report recommends revising the definition to include biometric data that is also capable of identifying a specific individual.
  5. Clarify Protections for Teens’ Data: One provision protecting teen data in the CTDPA has been a source of confusion due to its comma placement. The report recommends clarifying the provision so that covered businesses understand whether or not teens can be the subject of targeted advertising.
  6. Address “Publicly Available Information” Language: The CTDPA may contain “a scrivener’s error” with respect to the definition of “publicly available information” (“and” is used instead of “or” in the definition). The report recommends clarifying the language so that the CTDPA’s language aligns with other state privacy laws.

Looking ahead, the Attorney General can continue to send cure notices to covered businesses until December 31, 2024. On January 1, 2025, the right to cure sunsets and the Privacy Section will be able to bring enforcement actions without notice. Also, beginning on January 1, 2025, the CTDPA requires covered businesses to recognize universal opt-out preference signals (e.g., Global Privacy Control), which indicates a user’s intent to opt out of targeted advertising and the sale of personal information.