As expected, state consumer privacy law enforcement is starting to heat up along with the summer temperatures.
On the heels of the California Attorney General’s largest California Consumer Privacy Act-related settlement yet (see GT Alert), the Connecticut Office of the Attorney General (CT AG) has announced its first public enforcement action under the Connecticut Data Privacy Act (CTDPA).
The CT AG issued an $85,000 fine against TicketNetwork, Inc., a Connecticut-headquartered online marketplace for buyers and sellers of tickets to live entertainment events, and mandated that the company collect metrics regarding consumer rights requests and share them with the CT AG. The CT AG identified several areas where it determined the company erred in complying with the CTDPA. This blog post summarizes the main issues and takeaways from the case.
Honor Any Cure Notices ASAP and Be Responsive to Regulator Requests.
Until Dec. 31, 2024, the CTDPA provided businesses 60 days from the date of being notified by the CT AG of any alleged deficiencies under that law to “cure” the identified problems to the CT AG’s satisfaction, or else risk further investigation or enforcement.
In this case, the CT AG initially sent a cure notice to the company on Nov. 9, 2023, setting forth perceived facial deficiencies in the company’s privacy notice (see below). On Dec. 31, 2023, the company responded to the cure notice, informing the AG’s office that it had made the appropriate changes to come into compliance.
The CT AG determined that several deficiencies remained. On Feb. 1, 2024, the CT AG sent a follow-up letter to the company, requesting a response by March 1. Hearing nothing, the CT AG reached out to the company again on March 12 and April 16. Following the April 16 letter, the company replied it had made the relevant updates.
Upon review, however, the CT AG determined the same privacy notice shortcomings remained, and it identified new alleged deficiencies, including that the hyperlink to opt out of the sale of personal data was not operational. The CT AG sent a follow-up letter on June 17, 2024, requesting a response by July 2. On June 24, the company requested an extension until the end of July 2024 to remedy the issues pointed out—which the CT AG denied.
A clear signal from these case facts? If your business receives an inquiry or request from a regulator, providing a timely and responsive reply to the regulator is important so that the regulator understands the business is taking the request or allegations seriously. In some cases, it may make sense to attempt to establish milestones or timeframes by which particular items will be updated, and to communicate with the regulator throughout.
Ensure Your Privacy Notice Takes Connecticut Into Account.
A major focus of the CT AG’s attention was the company’s privacy notice, which the regulator determined was not compliant with the CTDPA because:
- it was “written in small font, used large block paragraphs, and was indistinguishably included within one webpage that contained unrelated legal policy disclosures”;
- the “U.S. State Specific Laws” section failed to advise consumers of the right to correct inaccurate personal data, the right to opt out of targeted advertising, or the right to appeal a decision and how to do so;
- it limited access requests and the information contained in such responses to a 12-month lookback period, and limited the number of requests a consumer could submit within a year, even though no such limitations exist under the CTDPA; and
- it limited certain consumer rights to California residents, rather than to Connecticut consumers or others (the company even used a “californiaconsumerrights@company.com” email address, which gave the appearance of excluding other states’ residents).
Viewed together, these facts evidence the CT AG’s focus on both form and substance in privacy notices. The emphasis on font size and placement does not explicitly reference “dark patterns” but does bring to mind some of the same attributes that other regulators have set forth to ensure meaningful consumer comprehension as to how their personal data will be collected and used, and the rights they have in relation to same.
The settlement also clarifies that businesses should not attempt to rely on their privacy notice’s consumer rights disclosures for other states (such as California) as sufficient for Connecticut. Rather, consumer rights disclosures must be tailored to the respective state laws to which a company is subject and must articulate whatever is required on a state-by-state basis. Relatedly, use of a state-specific email address for consumer requests may be considered confusing to consumers given the proliferation in state consumer privacy legislation since the implementation of the California Consumer Privacy Act in 2020.
The action also reinforces that in-scope businesses must understand the specific provisions of each state’s privacy law in order to accurately process consumer access requests—and not inadvertently, but unlawfully, limit the information to be included, timeframes covered, or frequency with which the consumer privacy requests may be made in good faith.
***
Although these takeaways are, on the surface, specific to the CTDPA, the principles are applicable in other state privacy law contexts. We expect further enforcement this year from state regulators.