State consumer privacy enforcers have been turning up the heat on recalcitrant data controllers that have incomplete, inadequate or broken consumer privacy law (CPL) protection programs. On July 8, the Office of the Attorney General of Connecticut (CT OAG) announced a settlement with TicketNetwork, Inc related to deficiencies in the company’s privacy notice and non-compliance with consumer rights requirements. This came just a week following California’s announcement of its largest consumer privacy law settlement to date — US $1.55 million, involving an online publisher known as Healthline. A post breaking that case down will follow shortly. Today we look at the Connecticut case.
According to the CT OAG’s press release, the office sent a cure notice under the Connecticut Data Privacy Act (CTDPA) based on issues with TicketNetwork’s privacy policy and consumer rights request process. Specifically, the AG stated the policy was “largely unreadable, missing key data rights, and contained rights mechanisms that were misconfigured or inoperable.”
The CT OAG has reported that it had commenced dozens of enforcement actions, and we have dealt with that directly. However, this is the first to result in a public settlement and penalty payment. TicketNetwork failed to resolve the issues within the 60-day cure period provided by the state law (note that the mandatory cure period provision sunset on December 31, 2024, meaning that the AG now has the discretion on whether to offer a cure period in future enforcement actions or immediately seek penalties). AG Tong contrasted TicketNetwork’s failure to cure with other businesses who received similar cure notices. According to AG Tong, “[n]early all other companies took prompt steps to come into compliance.”
As part of the settlement, TicketNetwork agreed to comply with the CTDPA’s requirements, maintain metrics for consumer rights requests received under the CTDPA, provide a report of such metrics to AG Tong, and pay a monetary fine of US $85,000.
This case, along with the Healthline case, provides valuable insight for businesses on where to focus their efforts in building and maintaining privacy compliance programs:
- Although California, having had a longer period to enforce its state consumer privacy law, has been the first mover in ramping up monetary settlements, we are seeing other states both staff up and actively pursue actions. Just as was the case with the GDPR, we expect to see penalties increase and opportunities for remediation without penalty to enter the rearview mirror.
- Also, enforcers are looking beyond the window dressing and digging into the back office. Regulators are now making sure businesses actually have the required contract terms in place with each service provider or processor. Remember that in California the failure to do so is not only a violation of the statute, as it is in other states, but also disqualifies a vendor or cookie partner from being treated as a processor rather than as a third party subject to opt-out, creating an additional set of violations. Expect to start seeing more inspections of assessment documentation too, especially after California completes its rulemaking.
- State enforcers are particularly concerned with the effectiveness of consumer rights requests. This includes transparent notice of the specific rights of the state's residents, especially where those rights differ from the majority and a high-water mark is not applied, and of how the different rights work and are exercised. Regulators will not approve of businesses requiring more than is needed for consumer verification, or requiring verification where it is not permitted. Proper implementation of Global Privacy Control (GPC) signals (12 states will require GPC obligations by the end of 2025) will remain a focus area, along with making sure rights request tools are maintained to work consistently with the requirements. A broken tool is as bad as no process at all.
- Cookie banners and consent management platforms remain a focus. Frequently made mistakes include applying inadequately modified GDPR configurations, CIPA mitigation approaches, or clickwrap Terms of Use in ways that suggest asymmetry of choice as to CPL rights or do not explain the concept of sale/share opt-outs. Another common error is failing to explain the different processes for opting out of cookie and non-cookie data, or not maintaining a one-step opt-out where it is possible to do so, such as with logged-in account holders.
- Companies should also keep in mind that between July 1, 2025, and January 1, 2026, six new state laws go into effect, many with unique provisions—particularly Minnesota, Maryland, and Rhode Island. Please see our State Privacy Law Round Up post for more details on these laws.
- Although not a safe harbor, showing that you have conducted ongoing compliance audits and training, especially with outside counsel (which can provide the ability to claim privilege over some of the work), as part of a formal privacy program with executive leadership will go a long way in helping investigations go away, even if mistakes were made. The vast majority of inquiries still resolve privately and without penalty or injunction. Also, when you receive an inquiry from a regulator, engage through experienced outside counsel and take a cooperative approach. Ignoring the enforcer, or taking an overly confrontational approach, will not foster application of prosecutorial discretion in your favor. That said, regulators can be convinced that they are wrong on the facts or the law, especially when credibly and respectfully presented.
With scores of CPLs effective by year end, and California’s CCPA having been effective for five and a half years, we are entering into a new period where regulators expect businesses to understand their obligations and to have taken the time and attention to develop and maintain material, if not complete, compliance. There are many material differences between the CPLs, especially with the latest generation and as a result of recent amendments to earlier CPLs.