On April 17, 2025, the Connecticut Office of the Attorney General (“OAG”) issued a report highlighting key enforcement initiatives, complaint trends and legislative recommendations aimed at strengthening the Connecticut Data Privacy Act (“CTDPA”). Highlights from the report are summarized below.
Breach Notice Review
In 2024, the OAG received 1,900 breach notifications. Each report was reviewed for compliance with state law. The OAG issued numerous warning letters to covered businesses that failed to provide timely notice, emphasizing that the 60-day statutory clock starts at the detection of suspicious activity—not when the full scope is confirmed. In serious cases, the OAG pursued Assurances of Voluntary Compliance requiring businesses to improve incident response practices and pay penalties.
Consumer Complaints
The OAG continues to receive significant complaint volumes regarding CTDPA compliance. Issues include unfulfilled data rights requests, misleading privacy notices, vague breach notifications, and misuse of public records for online profiles.
Enforcement Actions
The report highlighted enforcement actions on several violations, including the following:
- Privacy Notices: The OAG conducted “sweeps” of insufficient or inadequate privacy notices and issued over two dozen cure notices. Common issues included missing CTDPA language, unclear opt-out mechanisms, and misleading limitations on consumer rights. Most businesses took corrective steps following notice.
- Facial Recognition Technology: The OAG sent a cure notice to a regional supermarket due to their use of facial recognition technology (for purposes of preventing and/or detecting shoplifting). The OAG noted that businesses using facial recognition must comply with CTDPA’s protections for biometric data. The OAG clarified that crime prevention purposes do not exempt compliance.
- Marketing and Advertising Practices: The OAG investigated a complaint involving a national cremation services company that mailed a targeted advertisement to a Connecticut resident shortly after receiving medical treatment. While the data used—name, age and zip code—was not classified as sensitive, the OAG expressed concern over the context and issued a cure notice. As a result, the company updated its privacy notice to disclose its use of third-party data and specify the categories of data collected. The case underscores that for the OAG, even non-sensitive data, when used in sensitive contexts, can lead to privacy harms and warrants heightened oversight.
- Dark Patterns and Opt-Out Mechanisms: The OAG has significantly expanded its enforcement efforts to address manipulative design choices—commonly known as “dark patterns”—that interfere with consumer privacy rights. In a 2024 enforcement sweep, the OAG issued cure notices to businesses employing cookie banners that made it easier to consent to data tracking than to opt out.
- Minors’ Online Services: The report notes that as of October 1, 2024, the CTDPA imposes new obligations on businesses that offer an “online service, product or feature” to minors under 18 years of age. Generally, these provisions require that businesses use reasonable care to avoid causing a heightened risk of harm to minors. Further, these provisions prohibit: (1) the processing of a minor’s personal data without consent for purposes of targeted advertising, profiling, or sale; (2) using a system design feature to significantly increase, sustain, or extend a minor’s time online; and (3) collecting a minor’s precise geolocation data without consent.
- Consumer Health Data: The report notes that controllers must obtain opt-in consent for processing consumer health data and ensure proper contractual safeguards when sharing such data with processors. Two telehealth companies received letters related to potential unauthorized sharing with technology platforms.
- Universal Opt-Out Preference Signals: The report also notes that as of January 1, 2025, businesses must recognize browser-based opt-out signals such as GPC. The OAG has emphasized that this requirement is key to easing consumer privacy management. The OAG also notes that going forward, it will be focused on examining whether businesses are complying with the universal opt-out preference signal provisions and that the OAG expects to engage in efforts to ensure this consumer right is upheld.
CTDPA Legislative Recommendations
The OAG reiterated eight proposed legislative changes to improve the CTDPA:
- Scale Back Exemptions: Limit current entity-level exemptions for GLBA and HIPAA, narrow the FCRA data-level exemption and remove the entity-level exemption for non-profit organizations.
- Lower Thresholds: Remove thresholds for businesses processing sensitive or minors’ data and scale back all other thresholds for businesses processing other types of data.
- Strengthen Data Minimization: Require data processed to be strictly necessary for stated purposes.
- Expand Definition of “Sensitive Data”: Add a comprehensive list of “sensitive data” elements found in other state privacy laws, such as government ID numbers, union membership and neural data.
- Clarify Protections for Minors: Prohibit targeted advertising and sale of minors’ data for consumers that business “knew or should have known” are minors.
- Narrow Definition of “Publicly Available” Data: Refine and limit the scope of “publicly available” data.
- Right to Know Specific Third Parties: Require businesses to name the specific entities receiving consumer data.
- Enhance Opt-Out Preference Signal and Deletion Rights: Require all web browsers and mobile operating systems to include a setting that allows users to affirmatively send opt out preference signals and create a centralized deletion mechanism.