Client Alerts & Insights
Connecticut Attorney General Issues $85,000 Penalty for Deficient Privacy Policies
July 18, 2025
Authored By:
In its first fine for violations of the Connecticut Data Privacy Act (“CDPA”), the state’s omnibus data privacy law, the Connecticut Attorney General (“CT AG”) chose to make an example of deficient privacy notices.
Nearly two years to the effective date of the CDPA, the CT AG issued the first monetary penalty for violations, an $85,000 settlement with TicketNetwork (“TN”), an online event tickets marketplace, for failure to cure privacy notices deficient under the CDPA’s requirements despite the CT AG’s continued outreach since 2023. This serves as a reminder that state-by-state compliance with privacy and other consumer protection laws is the new normal for businesses operating in the U.S.
Similar to other state omnibus data privacy laws enacted in the last decade, the CDPA empowers Connecticut consumers with certain rights to their data (the right to access, correct, and delete personal data stored and collected by businesses as well as the right to opt-out of the sale of personal data and targeted advertising). Generally speaking, the CDPA requires Connecticut businesses that process certain volumes and types of Connecticut consumer data to provide those consumers (specifically through privacy policies and embedded opt-out mechanisms) with the knowledge of and the means by which data rights may be enforced through the business.
TN’s privacy policies did not meet the CDPA’s requirements. According to the CT AG’s statement, the agency flagged TN’s privacy policy as “largely unreadable, missing key data rights, and contained rights mechanisms that were misconfigured or inoperable” in November 2023. By January 1, 2025, when a right to cure expired for violations under the CDPA, TN remained the only business that had not corrected deficiencies identified by the CT AG during the four “privacy notice sweeps” conducted since 2023.
The CT AG’s settlement is a reminder that while compliance with the patchwork of U.S. privacy laws may be costly and cumbersome, the risks and consequences of non-compliance continue to increase as more states enact omnibus data privacy laws and related consumer protections that step in where the federal government has declined or failed to take action. Maintaining a proactive data compliance program that can effectively and timely respond to changes in the law, agency, and consumer complaints is critical.
Latest News
Judicial Green Light: Court Upholds NLRB’s Cemex Decision
On April 21st, 2026, the U.S. Court of Appeals for the Ninth Circuit upheld the National Labor Relations Board’s (“NLRB”) decision in Cemex Construction Materials Pacific, LLC., reinforcing a significant shift in federal labor law governing union recognition and employer conduct during organizing campaigns.
The LEAD Model—Kidney Care’s Value-Based Care Journey LEADs Here
The new LEAD Model, launching in 2027, is CMS’s next-generation value-based care framework for kidney care, integrating CKD and ESRD patients into standard ACOs with a 10-year benchmark period, new payment options and greater flexibility for nephrology-led organizations.
DOL Proposes Universal Guidance Meant to Simplify Joint Employer Analysis
On April 22, 2026, the Department of Labor’s Wage and Hour Division proposed a new rule to clarify joint employer status and the related analysis under the Fair Labor Standards Act (“FLSA”), Family Medical Leave Act (“FMLA”), and the Migrant and Seasonal Agricultural Protection Act (“MSAPA”).
Only the Strong Survive: Easy Pitfalls to Avoid as a Defamation Plaintiff
Filing a defamation lawsuit is one thing. Surviving the inevitable motion to dismiss is another. A recent case out of the Eastern District of North Carolina, McKnight v. FOXY/WFXC/K 107.1/104.3 Radio Station, et al., Civil Action No. 5:26-cv-102, provides a useful case study in the kinds of missteps that can doom a defamation complaint before it ever reaches discovery.