In May of 2022, Connecticut joined a growing list of U.S. states passing privacy regulations when it signed the Connecticut Data Privacy Act (CTDPA) into law. The CTDPA officially went into effect in July 2023.
On February 1, 2024, Connecticut’s Office of the Attorney General (OAG) shared its report1 to the General Assembly’s Law Committee covering preliminary enforcement actions taken under the CTDPA. In the six months since the CTDPA went into effect, the OAG issued over a dozen “cure notices” to companies regarding alleged violations of the CTDPA and several broader information requests.
As reflected in the report and by its enforcement activity, the OAG appears to share similar concerns as the California AG concerning the collection and use of sensitive data (such as biometrics and children’s/teens’ data) and digital advertising practices.
Observations
- Consumer Complaints
The OAG has received over 30 consumer complaints since the law became active. They stated that “even a single consumer complaint could ultimately lead us down a path to enforcement.” Although the CTDPA does not have a private right of action, consumer complaints to the CT OAG are causing regulatory scrutiny for companies. - Privacy Policies
The OAG reviewed companies’ privacy policies across numerous industries and tested the functionality of consumer rights request mechanisms.
a. Lacking disclosures (e.g., failure to incorporate notice of consumer rights under the CTDPA);
b. Inadequate disclosures (e.g., failure to sufficiently inform Connecticut residents about their rights under the law or how Connecticut residents may appeal denials);
c. Confusing disclosures (e.g., statements creating an impression that consumers may be charged for rights requests as a default, as opposed to only for manifestly unfounded, excessive, or repetitive requests);
d. Lacking rights mechanisms (e.g., failure to include a clear and conspicuous link to a webpage enabling consumers to opt out of the targeted advertising or sale of their data);
e. Burdensome rights mechanisms (e.g., rights mechanisms that did not consider the ways consumers normally interact with the company); and
f. Broken/inactive rights mechanisms (e.g., non-working links or dead-end mechanisms). - Inquiries
The OAG provided several examples of inquiries into sensitive data practices including data collection and sharing, and overall compliance with CTDPA. For example, the OAG investigated concerns over a grocery store using biometric software to prevent and detect shoplifting. - Teens’ Data
Teens’ data and digital advertising practices are garnering attention. In particular, the CTDPA has investigated the privacy policy of a peer-to-peer messaging app designed for teens. The investigation focused on targeted advertising directed toward teens. - Digital Marketing
The OAG has expressed concern over the practices of the digital marketing landscape. In a specific example, a consumer submitted a complaint after they received an advertisement for cremation services after they completed chemotherapy. After a brief investigation, the OAG sent a cure notice to the cremation company and has begun investigating a data broker in connection with the complaint.
Much like California’s privacy regulations have forced many companies to re-evaluate their information-gathering and sharing practices, the CTDPA is doing the same. With additional CTDPA requirements going into effect in 2025, such as recognizing universal opt-out preferences for opting out of targeted advertising and the sale of personal data, it seems many companies will need to review and potentially modify their practices to avoid scrutiny from the CT OAG.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
