Client Alerts & Insights
Connecticut Attorney General Issues $85,000 Penalty for Deficient Privacy Policies
July 18, 2025
Authored By:
In its first fine for violations of the Connecticut Data Privacy Act (“CDPA”), the state’s omnibus data privacy law, the Connecticut Attorney General (“CT AG”) chose to make an example of deficient privacy notices.
Nearly two years to the effective date of the CDPA, the CT AG issued the first monetary penalty for violations, an $85,000 settlement with TicketNetwork (“TN”), an online event tickets marketplace, for failure to cure privacy notices deficient under the CDPA’s requirements despite the CT AG’s continued outreach since 2023. This serves as a reminder that state-by-state compliance with privacy and other consumer protection laws is the new normal for businesses operating in the U.S.
Similar to other state omnibus data privacy laws enacted in the last decade, the CDPA empowers Connecticut consumers with certain rights to their data (the right to access, correct, and delete personal data stored and collected by businesses as well as the right to opt-out of the sale of personal data and targeted advertising). Generally speaking, the CDPA requires Connecticut businesses that process certain volumes and types of Connecticut consumer data to provide those consumers (specifically through privacy policies and embedded opt-out mechanisms) with the knowledge of and the means by which data rights may be enforced through the business.
TN’s privacy policies did not meet the CDPA’s requirements. According to the CT AG’s statement, the agency flagged TN’s privacy policy as “largely unreadable, missing key data rights, and contained rights mechanisms that were misconfigured or inoperable” in November 2023. By January 1, 2025, when a right to cure expired for violations under the CDPA, TN remained the only business that had not corrected deficiencies identified by the CT AG during the four “privacy notice sweeps” conducted since 2023.
The CT AG’s settlement is a reminder that while compliance with the patchwork of U.S. privacy laws may be costly and cumbersome, the risks and consequences of non-compliance continue to increase as more states enact omnibus data privacy laws and related consumer protections that step in where the federal government has declined or failed to take action. Maintaining a proactive data compliance program that can effectively and timely respond to changes in the law, agency, and consumer complaints is critical.
Latest News
SCOTUS Rules That States May Limit Women’s and Girls’ Sports to Biological Females – Another Chapter in the Delicate Legislative Balance Between Title IX and the Equal Protection Clause
Key Takeaways I. Background and Procedural History The Supreme Court consolidated two cases challenging state laws that restrict participation in …
Is Florida the New Hot Jurisdiction for Defamation Cases?
Florida is emerging as a favorable venue for defamation lawsuits because its long-arm statute makes it easier to bring out-of-state publishers into court—but plaintiffs still must clear the same substantive legal hurdles once the case gets there.
Forced Labor Tariffs – Public Comments Due Next Week for USTR Section 301 Investigation
US importers have the opportunity to submit public comment on proposed tariffs that will utilize Section 301 as a means of addressing forced labor in global supply chains. Comments are due to the U.S. Trade Representative (“USTR”) by July 6, 2026.
Influencer Marketing Under Fire: Gymshark Sued in New Class Action as Plaintiffs Target Undisclosed Paid Endorsements
Key Takeaways Overview Brands that leverage social-media influencers to promote products face a rapidly growing litigation threat. Over the past …