Connecticut Attorney General Issues Report on Data Privacy Act Enforcement; Offers Legislative Recommendations

Hinckley Allen

On February 1, 2024, the Connecticut Office of the Attorney General (the “OAG”) issued a report (the “Report”) mandated by the Connecticut Data Privacy Act (the “CTDPA”), Conn. Gen. Stat. § 42-515 et seq. The Report is required to include (i) the number of violation notices the OAG has issued since the CTDPA became effective on July 1, 2023; (ii) the nature of each such violation; (iii) the number of cured violations; and (iv) any other relevant matters.

Overview of the Connecticut Data Privacy Act

The CTDPA provides Connecticut residents with rights to protect their personal data, including the rights to access, correct, and delete personal data and the right to opt out of certain uses and most sales of personal data. Conversely, the CTDPA imposes obligations on covered businesses to, among other things, limit their collection of personal data; establish, implement, and maintain reasonable data security practices; and heed specific requirements relating to biometric data, data relating to minors, and other sensitive data. The CTDPA does not set forth a private right of action for enforcement and designates the OAG as the sole enforcer of the law. The CTDPA contains a limited safe harbor, and covered businesses have a 60-day period to correct or cure certain violations until the end of 2024.

For more background and detail on the CTDPA, please see our prior publications discussing its enactment.

Six Months of Enforcement

Since the CTDPA became effective, the OAG has issued more than 12 cure notices as well as broader information requests to covered businesses in a number of different industries. The Report highlights several areas of focus for the OAG, including the adequacy of privacy policies, heightened protections for sensitive data and data relating to teenagers, and data brokers’ privacy practices. These focus areas are each discussed in greater detail below.

Privacy Policies. The Report highlights the importance of the CTDPA transparency requirements. As a proactive measure after the CTDPA became effective, the OAG began reviewing certain businesses’ privacy policies and consumer rights mechanisms for CTDPA compliance. In connection with this review, the OAG has issued ten cure notices relating to deficiencies, including: (i) the failure to incorporate any notice of consumer rights; (ii) the failure to adequately inform Connecticut residents of their rights under the CTDPA; (iii) confusing disclosures; (iv) the failure to include a clear and conspicuous link for consumers to opt out of targeted advertising or the sale of their personal data; (v) implementation of burdensome rights enforcement mechanisms; and (vi) using defective links or dead-end consumer rights mechanisms.

Sensitive Data. The OAG has also analyzed businesses’ compliance with the CTDPA’s heightened requirements with respect to sensitive data, such as biometric and precise geolocation data, with a particular focus on concerns relating to the collection of sensitive data. For instance, the OAG sent a cure notice to a local grocery store that was using biometric software to monitor shoplifting activity and an inquiry letter to a web service provider and retailer that was promoting the expansion of its palm recognition software.

Data Relating to Teenagers. Another key area of the CTDPA is increased protections relating to the collection, sale and processing of teenagers’ data. In light of these heightened protections, the OAG – concerned about information collection and sharing practices and targeted advertising efforts directed towards teenagers – sent a cure notice to a company that had a mobile application with an anonymous peer messaging function directed at teenagers.

Data Brokers. The OAG stresses that data brokers are covered by the CTDPA, including with respect to a consumer’s right to delete personal data obtained about such consumer. The Report discusses an event that illustrates the role of data brokers in digital marketing efforts and emphasizes the importance of extending consumer rights to personal data that has been obtained by covered businesses from these sources.

The OAG also received over 30 consumer complaints relating to the CTDPA between July 1, 2023 and mid-January 2024, many of which involved attempts to exercise consumers’ right to delete their personal data, but approximately one-third of which related to data or entities expressly exempt under the CTDPA, highlighting the need for further public education regarding the law.

Connecticut Attorney General’s Legislative Recommendations

The Report includes several legislative recommendations for strengthening and clarifying the protections set forth in the CTDPA. Among other things, the OAG suggests narrowing the CTDPA’s entity-level exemptions, similar to the comprehensive privacy laws of states like California, Colorado and Delaware. The OAG also suggests implementing a “one-stop-shop” deletion mechanism for consumers, similar to California’s Delete Act, which would provide consumers with a direct portal to exercise their deletion rights under the CTDPA. Finally, the OAG recommends expanding the definition of biometric data and clarifying certain vague and confusing statutory language with respect to the CTDPA’s provisions addressing the protection of teenagers’ data and publicly available information.

Concluding Thoughts

In sum, the Report demonstrates the OAG’s key focus areas under the CTDPA, including the adequacy of covered businesses’ privacy policies, as well as its desire to continue to improve upon the law to reflect developments in privacy law’s ever-changing landscape.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hinckley Allen | Attorney Advertising
