Connecticut AG Releases Report on Connecticut Data Privacy Act (CTDPA)

On February 1, 2024, Connecticut’s Attorney General, William Tong, released a report on the Connecticut Data Privacy Act (CTDPA), the state’s newly minted data privacy law. 

The Connecticut Data Privacy Act (CTDPA), also known as Senate Bill 6, marks Connecticut's entry into the circle of US states with dedicated consumer privacy legislation when it was signed on May 10th, 2022. Effective July 1st, 2023, this law aligns Connecticut with states like California and Utah, which already have data privacy measures in place. While sharing common ground with the privacy laws of states like Colorado and Virginia, the CTDPA also introduces unique elements to address the evolving needs of data protection.

The report is a yearly requirement aimed at assessing the law's effectiveness, how many businesses got warnings for breaking the rules, what kind of mistakes were made, how issues were fixed, and other important information, while also potentially offering recommendations for improvement of the data privacy law. 

Section 11 (b) of the CTDPA stipulates as follows: 

Not later than February 1, 2024, the Attorney General shall submit a report, in accordance with section 11-4a of the general statutes, to the joint standing committee of the General Assembly having cognizance of matters relating to general law disclosing: (1) The number of notices of violation the Attorney General has issued; (2) the nature of each violation; (3) the number of violations that were cured during the sixty- day cure period; and (4) any other matter the Attorney General deems relevant for the purposes of such report.

In the press release, Attorney General Tong made the following statement: 

The Connecticut Data Privacy Act is among the nation’s first and strongest consumer privacy laws—granting consumers powerful new rights to access, correct and delete data, as well as rights to opt-out of the sale of personal data and targeted advertising. Since the law took effect, we have worked to educate both consumers and businesses about these important rights and obligations [...]. There is much yet to be done in the balancing act of privacy of consumer information and the need to use and maintain that same information in our global economy. We remain ready to do our part, encouraging and guiding compliance, but prepared to undertake enforcement when necessary. In that vein, we provide this Report not just to meet the specific requirements in the CTDPA but to continue the conversation in this expanding area of the law. 

So far, more than a dozen businesses across different fields like shopping, fitness, and home services have been told they're not following the rules properly. Mistakes include not telling people about their rights clearly enough and making it too hard for them to opt out of data sharing or ads aimed directly at them.

Special care is taken for kids' and teens' data, requiring businesses to get a green light from parents before selling data or targeting ads to young people under 16. But not every business in Connecticut needs to follow these rules; there are some exceptions based on how much money a business makes and what industry it's in.

The reports main highlights are as follows: 

• The report is mandated under the CTDPA to include the number of violation notices issued, the nature of each violation, the number of violations cured, and any other relevant matters.
• In six months since the CTDPA's effect, the OAG issued over a dozen notices of violation and broader information requests focusing on privacy policies, sensitive data, and teens’ data.
• The report provides an overview of the CTDPA, the Privacy Section's background, early enforcement efforts, and legislative recommendations for strengthening the CTDPA.
• The CTDPA grants Connecticut residents rights over their personal data, including access, correction, deletion, and opt-out rights for the sale of personal data and targeted advertising.
• The Privacy Section was established back in 2015 to handle matters related to the protection of Connecticut residents' personal information, advising on the enforcement of state and federal privacy laws.
• Since the effective date of the CTDPA in July of 2023, as part of their implementation efforts, the OAG have expanded the Privacy team and have focused on outreach to educate the public and businesses about the law.
• The OAG received over thirty consumer complaints in the first six months of the CTDPA, primarily concerning the "right to delete." One-third of these complaints involved data or entities exempt under the CTDPA.
• The OAG's early enforcement efforts included reviewing privacy policies, focusing on the collection of sensitive and teens’ data, and examining data brokers' privacy practices.
• Legislative Recommendations consist of the following: 
  • Scale Back Entity-Level Exemptions: reduce exemptions that exclude certain entities from the CTDPA's requirements; and align with other states' privacy laws that do not have such broad exemptions for non-profits and entities covered by federal laws.
  • Enact One-Stop-Shop Deletion Mechanism: introduce a mechanism for Connecticut residents to request deletion of their personal information from data brokers through a single request, similar to California's Delete Act.
  • Add "Right to Know" Specific Third Parties: strengthen disclosures about information sharing with third parties, allowing Connecticut residents to know the specific third parties receiving their data.
  • Expand the Definition for “Biometric Data”: broaden the definition of biometric data to include any data capable of identifying an individual, addressing privacy concerns related to biometric information.
  • Clarify Protections for Teens' Data: address ambiguities regarding the processing of teens' data for targeted advertising or sale, clarifying the law's stance on consent and targeted advertising restrictions.
  • Address "Publicly Available Information" Language: correct potential errors in the definition of "personal data" to clarify the exclusion of publicly available information, ensuring consistency with other state privacy laws.

The OAG’s report offers as a conclusion the idea that there is an ongoing need to balance consumer privacy with the use of information in the global economy and reaffirms its intention to  remain ready to guide compliance and undertake enforcement as necessary.