Connecticut Attorney General Releases Report on CTDPA Enforcement Actions
Connecticut’s Office of the Attorney General (“OAG”) has released a report detailing its preliminary enforcement actions under the Connecticut Data Privacy Act (“CTDPA”). The report, due by February 1, 2024, details the number of notices issued, nature of each violation, number of violations cured, and any relevant matters. The report provides insight into the OAG’s handling of consumer complaints, potential enforcement priorities, and legislative recommendations.
According to the report, the OAG has issued over a dozen “cure notices” to companies regarding alleged CTDPA violations and broader information requests. The OAG raised concerns about sensitive data collection and use, particularly biometrics and children’s/teens’ data, and emphasized the need for better digital advertising practices.
Since the CTDPA’s implementation, the OAG has received over 30 consumer complaints, primarily focusing on consumer rights and deletion requests. One-third of these complaints pertain to companies subject to exceptions or exempt or non-compliant personal data. The report underscores the significance of consumer complaints, stating that even a single one can lead to enforcement, and emphasizes the need for companies to respond effectively.
The report identified several deficiencies in companies’ privacy policies and consumer rights request mechanisms: lack of disclosures, inadequate information, confusing disclosures, lack of rights mechanisms, burdensome rights mechanisms, and broken/inactive rights mechanisms. Specific examples include the failure to incorporate notice of consumer rights under the CTDPA, insufficient information about Connecticut residents’ rights, confusing statements, and the absence of clear links to opt-out pages. The OAG urges companies to update their privacy policies, consent mechanisms, and disclosures related to consumer rights.
The OAG reported on inquiry letters and cure notices sent to companies collecting sensitive data, identified through media reports, consumer complaints, press releases, industry group reports, and data breach incidents. The communications primarily requested information on data collection, sharing, and compliance with the CTDPA. The OAG emphasizes the importance of obtaining appropriate consent for the collection and use of sensitive data, as companies must understand and address the stringent consent requirements set by the CTDPA.
The OAG discussed its concerns about digital marketing practices, citing a complaint from a consumer who received an advertisement for cremation services after chemotherapy. The OAG has sent a cure notice and is investigating a data broker, highlighting the ongoing scrutiny of digital advertising.
The OAG also announced that it is monitoring advocacy groups’ activities to identify enforcement opportunities related to teens’ data and digital advertising practices.
Finally, the OAG proposed legislative changes to improve privacy protections. These include removing exemptions for non-profits and companies regulated by federal privacy laws, introducing a one-stop-shop data deletion mechanism, adding a “Right to Know – Specific Third Parties” like those in Oregon and Delaware, expanding the definition of “Biometric Data” to cover all biometric data capable of such use, and correcting drafting errors that cause confusion regarding protections for teens’ data and the definition of “Publicly Available Information.” The OAG is concerned about whether consent can be obtained to target advertising to teens and about the definition of “Publicly Available Information,” which is currently defined as information that is lawfully made available through government records or widely distributed media. The OAG believes the inclusion of the “and” was a scrivener’s error and may have been intended to align with other state privacy laws.
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.
