The Connecticut Attorney General, William Tong, released a report highlighting common consumer complaints and corresponding enforcement actions under the Connecticut Data Privacy Act, or the CTDPA. While the CTDPA took effect July 1, 2023, the law requires the Attorney General's office to issue a report no later than February 1 of each year summarizing the number of violations the Attorney General has issued, the nature of each violation, and the number of violations cured.
Connecticut became the 5th state to pass a consumer data privacy law when the CTDPA was signed on May 10, 2022. The CTDPA applies to organizations having controlled or processed the personal data of at least 100,000 consumers or 25,000 consumers and when over 25% of gross revenue is derived of the sale of personal data. Under the law, such organizations are required to provide Connecticut residents with a privacy notice that details the categories of personal data processed, the purposes for processing personal data, an explanation as to how consumers may exercise their rights, categories of personal data that is shared with third parties, and a mechanism the consumer may use to contact the controller.
Notably, the CTDPA does not provide consumers with a private right of action. Instead, the law vests all enforcement authority to the Office of the Attorney General, or OAG, which can issue notices of violations, or "cure notices," to noncompliant organizations. The Attorney General's report emphasized their office is focused on reviewing privacy policies for deficiencies under the statute. The report stated that the OAG issued ten cure notices aimed towards deficient privacy policies. Common deficiencies include a failure to incorporate notice of consumer rights under the CTDPA and a lack of clear and conspicuous link on a webpage allowing consumers to opt-out of targeted advertising and the sale of their personal data. While the Attorney General's report makes clear that privacy policies must comply with CTDPA requirements, the spirit of enforcement is grounded in a commitment to transparency as the goal of the law is to "ensure that Connecticut residents have insight into the collection, use and sharing of their personal data, understand their new data rights, and are able to exercise those rights."
In addition to privacy policies, the report described the heightened protections for "sensitive data," which includes genetic/biometric data and precise geolocation information. Under the act, individuals must provide their freely given, specific, informed, and unambiguous consent before organizations can process such data. The report noted that "the OAG has focused on matters raising concerns regarding the collection of sensitive data," such as a grocery store's use of biometric software for the purpose of preventing shoplifting and a retailer's press release concerning plans to use a palm recognition service for identification, entry, and payment. The report's early enforcement effort's section concludes with an example of cure notice with respect to teen data. The CTDPA requires business to not process personal data when that business has actual knowledge that the consumer is at least thirteen but younger than sixteen. The OAG described a cure notice to an app company directed at teens with inquiries aimed towards the company's information collection practices and extent of its targeted adverting campaign towards teens.
The Attorney General's report outlines themes of early enforcement efforts with respect to privacy policies, matters concerning the collection of sensitive data, and heightened protection for teens' data. The report offers valuable insight into how the Connecticut OAG is prioritizing enforcement of the CTDPA and highlights areas of key concerns organizations governed under the law should be aware of.
For more legislative updates on data privacy law from McDonald Hopkins, please subscribe to receive our publications or view the links below for recent updates on other state data privacy legislative updates. If you have questions about your company's compliance with cyber regulations, concerns about vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, then please contact a member ofMcDonald Hopkins' national data privacy and cybersecurity team.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.