Client Alerts & Insights
Connecticut Attorney General Issues $85,000 Penalty for Deficient Privacy Policies
July 18, 2025
Authored By:
In its first fine for violations of the Connecticut Data Privacy Act (“CDPA”), the state’s omnibus data privacy law, the Connecticut Attorney General (“CT AG”) chose to make an example of deficient privacy notices.
Nearly two years to the effective date of the CDPA, the CT AG issued the first monetary penalty for violations, an $85,000 settlement with TicketNetwork (“TN”), an online event tickets marketplace, for failure to cure privacy notices deficient under the CDPA’s requirements despite the CT AG’s continued outreach since 2023. This serves as a reminder that state-by-state compliance with privacy and other consumer protection laws is the new normal for businesses operating in the U.S.
Similar to other state omnibus data privacy laws enacted in the last decade, the CDPA empowers Connecticut consumers with certain rights to their data (the right to access, correct, and delete personal data stored and collected by businesses as well as the right to opt-out of the sale of personal data and targeted advertising). Generally speaking, the CDPA requires Connecticut businesses that process certain volumes and types of Connecticut consumer data to provide those consumers (specifically through privacy policies and embedded opt-out mechanisms) with the knowledge of and the means by which data rights may be enforced through the business.
TN’s privacy policies did not meet the CDPA’s requirements. According to the CT AG’s statement, the agency flagged TN’s privacy policy as “largely unreadable, missing key data rights, and contained rights mechanisms that were misconfigured or inoperable” in November 2023. By January 1, 2025, when a right to cure expired for violations under the CDPA, TN remained the only business that had not corrected deficiencies identified by the CT AG during the four “privacy notice sweeps” conducted since 2023.
The CT AG’s settlement is a reminder that while compliance with the patchwork of U.S. privacy laws may be costly and cumbersome, the risks and consequences of non-compliance continue to increase as more states enact omnibus data privacy laws and related consumer protections that step in where the federal government has declined or failed to take action. Maintaining a proactive data compliance program that can effectively and timely respond to changes in the law, agency, and consumer complaints is critical.
Latest News
Brown-Forman Decision Rolls Back NLRB’s Pro-Union Cemex Policy
In a blow to agency rulemaking and pro-union National Labor Relations Board (“NLRB”) policy, on March 6, 2026, the U.S. Court of Appeals for the Sixth Circuit dismantled the Biden-era NLRB decision in Cemex Construction Materials Pacific, LLC.
2026 Proposed Amendments to the Federal Sentencing Guidelines—Key Changes for Economic Crimes
The United States Sentencing Commission (the “Commission”) published its proposed 2026 amendments to the Federal Sentencing Guidelines in two phases—in December 2025 and January 2026—with a period for public comment through February 10, 2026, and March 18, 2026, respectively.
Dance Like No One is Watching, Text Like Your Words Will Be Published on the Front Page: The Importance of Internal Compliance with FINRA and Text Message Production
Earlier this month, Benjamin Edwards, a broker-dealer firm, agreed to a censure and to pay a $750,000 fine for failing to properly supervise and preserve its employees’ business-related text messages.
Increased Medicare Enforcement Forthcoming? Minnesota Legislature, Attorney General Propose Expanded Charging Authority, Higher Penalties
On February 25, 2026, Minnesota Attorney General Keith Ellison, together with bipartisan legislative sponsors, introduced the 2026 Medical Assistance Protection Act (“MAP”), a sweeping proposal that would materially expand the state’s Medicaid fraud enforcement framework.