Connecticut AG Report Highlights Privacy Enforcement and Legislative Recommendations

Published: Feb. 08, 2024

On February 1, 2024, the Connecticut Attorney General (“AG”) published a report describing its enforcement activities to date under the Connecticut Data Privacy Act (“CTDPA”) and its recommendations for significant changes to the law. The report shows the AG to be a proactive enforcer with a somewhat aggressive vision for the CTDPA’s future.

1. AG’s Process for Inquiries and Investigations

The report indicates that the AG has several ways of identifying enforcement targets, including proactively reviewing companies’ privacy policies, media reports and press releases about companies’ use of sensitive data, and reports of data breaches, as well as a Mozilla Foundation report and a complaint to the FTC by an advocacy group. The AG also identifies targets based on consumer complaints, noting that its team “reviews all consumer complaints for issues or patterns indicative of CTDPA violations – even a single consumer complaint could ultimately lead us down a path to enforcement.” This highlights the importance of engaging in clear, timely communications with consumers about their rights, including any limitations to those rights, and maintaining a record of such communications.

The AG indicated it received 30 consumer complaints in the six months since the CTDPA went into effect. These complaints mainly concerned consumer rights—in particular, the right to delete. The AG sent inquiries to the companies named in most of these complaints, though some complaints were lodged against companies exempt from the CTDPA.

2. Cure Notices

Until January 1, 2025, the AG must notify companies of alleged CTDPA violations and allow them 60 days to cure the violation before bringing an enforcement action. The AG sent notices regarding four key enforcement areas. 

Privacy Policy Deficiencies. The AG sent 10 cure notices to companies across a wide range of industries alleging privacy policy deficiencies, including:

  • failing to disclose consumer rights or sufficiently explain how to exercise them; 
  • implying that companies may charge fees for exercising rights even when not authorized; and 
  • missing, burdensome, or nonfunctional mechanisms for exercising rights, such as missing or nonfunctional links to “sale” and “targeted advertising” opt-out mechanisms.

Sensitive Data. The AG sent inquiries or cure notices to companies processing sensitive data, including: 

  • a grocery store using biometric software to detect shoplifting; 
  • a retailer that announced its plans to use palm recognition for functions including age verification and loyalty membership;
  • a car brand that collects and shares “highly personal data about consumers”; and
  • a genetic testing company that experienced a significant data breach.

Minors & Data Brokers. The AG also inquired into the collecting, sharing, and targeted advertising practices of a messaging app directed at teens, and into the practices of a data broker that identified an individual for a marketing list regarding cremation services. 

3. Legislative Recommendations 

In its report, the AG also called for significant changes to the CTDPA, which would expand the law’s scope and create burdensome new requirements. Specifically, the AG recommended:

  • Eliminating certain exemptions, including those for nonprofits and entities subject to the GLBA and HIPAA, despite the fact that these exemptions are present in almost all other state consumer privacy laws passed to date (though the laws in Colorado, Delaware, and New Jersey apply to nonprofits).
  • Adding a one-stop-shop mechanism to opt out of personal data held by data brokers, analogous to that in California’s Delete Act.
  • Adding a right to know the specific third parties that receive a consumer’s personal data, rather than the categories of such third parties, akin to Oregon’s law.
  • Broadening the definition of biometric data to include data that is capable of being linked to a consumer, rather than data that is used to identify a consumer. This language would depart from the language in most other state consumer privacy laws.

If implemented, these recommendations would make the CTDPA more onerous than most other state consumer privacy laws in these areas. The Connecticut legislature has already shown willingness to depart from most other state consumer privacy laws by enacting SB 3, which added to CTDPA obligations regarding consumer health data, online dating platforms, and certain processing of children’s and teens’ data by social media platforms and online services. If it also adopts the AG’s recommendations, companies will have even more outlier obligations in Connecticut—and even more reasons for the AG to come knocking.