Connecticut Attorney General Issues $85,000 Penalty for Deficient Privacy Policies

In its first fine for violations of the Connecticut Data Privacy Act (“CDPA”), the state’s omnibus data privacy law, the Connecticut Attorney General (“CT AG”) chose to make an example of deficient privacy notices. 

Nearly two years to the effective date of the CDPA, the CT AG issued the first monetary penalty for violations, an $85,000 settlement with TicketNetwork (“TN”), an online event tickets marketplace, for failure to cure privacy notices deficient under the CDPA’s requirements despite the CT AG’s continued outreach since 2023. This serves as a reminder that state-by-state compliance with privacy and other consumer protection laws is the new normal for businesses operating in the U.S.

Similar to other state omnibus data privacy laws enacted in the last decade, the CDPA empowers Connecticut consumers with certain rights to their data (the right to access, correct, and delete personal data stored and collected by businesses as well as the right to opt-out of the sale of personal data and targeted advertising). Generally speaking, the CDPA requires Connecticut businesses that process certain volumes and types of Connecticut consumer data to provide those consumers (specifically through privacy policies and embedded opt-out mechanisms) with the knowledge of and the means by which data rights may be enforced through the business.

TN’s privacy policies did not meet the CDPA’s requirements. According to the CT AG’s statement, the agency flagged TN’s privacy policy as “largely unreadable, missing key data rights, and contained rights mechanisms that were misconfigured or inoperable” in November 2023. By January 1, 2025, when a right to cure expired for violations under the CDPA, TN remained the only business that had not corrected deficiencies identified by the CT AG during the four “privacy notice sweeps” conducted since 2023.

The CT AG’s settlement is a reminder that while compliance with the patchwork of U.S. privacy laws may be costly and cumbersome, the risks and consequences of non-compliance continue to increase as more states enact omnibus data privacy laws and related consumer protections that step in where the federal government has declined or failed to take action. Maintaining a proactive data compliance program that can effectively and timely respond to changes in the law, agency, and consumer complaints is critical.