I’m back with a massive update to keep on your radar. In Connecticut, Attorney General William Tong has just reached a $85,000 settlement with TicketNetwork for violating the Connecticut Data Privacy Act (“CTDPA”), marking a significant shift in how state attorneys general approach privacy compliance. You can read the full press release from the Connecticut Attorney General’s office here. After two years of cure periods and educational enforcement, the gloves are officially off. As such, the January 1st expiration of Connecticut’s cure period marks the end of the “warning phase” and the beginning of what appears to be a much more aggressive enforcement strategy. Yikes!

For quick context, the CTDPA initially took effect on July 1, 2023, and was substantially amended by Public Act No. 25-113 on June 25, 2025. Starting July 1, 2026, the law applies to companies that process the personal data of at least 35,000 Connecticut residents annually (down from 100,000), or any company that controls or processes sensitive data, or offers personal data for sale in trade or commerce, regardless of volume. With this in mind, it grants consumers the right to access, correct, delete, and obtain a copy of their data, as well as opt out of targeted advertising and the sale of personal information. The June 2025 amendments also give consumers the right to know which specific third parties receive their data, add heightened protections for minors under 18 (including restrictions on selling their data or targeting them with ads), and impose new transparency obligations on businesses using personal data to train large language models. It also requires companies to provide clear privacy notices and implement secure mechanisms for exercising those rights.

Here is what I want to stress for companies. This isn’t just another regulatory slap on the wrist. This is a statement. We are dealing with a deliberate signal that state attorneys general are shifting from education to enforcement, and companies that have been dragging their feet on privacy compliance can face real consequences.

First, let’s break down what exactly happened with TicketNetwork and why it matters so much. For background, in November 2023, just four months after the CTDPA took effect, the AG’s office sent TicketNetwork a cure notice. Ok… that’s straightforward enough. This, in turn, wasn’t punishment – it was an opportunity. TicketNetwork had 60 days to fix clear problems with their privacy notice. Instead of taking this seriously, TicketNetwork apparently bungled the entire process. According to the AG’s office, their privacy notice was “largely unreadable,” missing key information about consumer rights, and the systems for exercising those rights were utterly broken. When the AG’s office followed up, TicketNetwork repeatedly claimed they had fixed issues that were still broken, and then simply ignored further communications. Yes, you read that correctly.

Let’s think about that for a second. You’re dealing with the state’s top legal enforcement officer, and you decide to ignore them? It’s hard to imagine a more effective way to ensure you become the prime example that other companies can learn from. And that’s exactly what happened.

What makes this matter particularly significant is how isolated TicketNetwork’s failures were. The Connecticut AG’s office has conducted four separate privacy notice sweeps involving over two dozen cure notices. Every other company except TicketNetwork took the hint and fixed their issues.

This is where the timeline becomes crucial. The cure period in Connecticut officially expired on January 1, 2025. So that means the training wheels are off, and AG William Tong is sending a very clear message: “This law has been in effect for two years. There is no excuse for continued non-compliance, and we are prepared to use the full weight of our enforcement authority to protect consumer privacy.”

That phrase “full weight of our enforcement authority” should make every privacy professional pay attention. This isn’t the language of someone who’s planning to keep issuing warnings. This is the language of someone ready to start handing out real consequences.

Keep in mind that Connecticut isn’t operating in a vacuum here. State privacy laws are spreading rapidly across the country, and attorneys general are closely monitoring each other’s enforcement strategies. When one state demonstrates that it’s willing to move from education to enforcement, other states typically follow suit. The TicketNetwork settlement is likely to become a template for enforcement actions in other states as their cure periods expire.

This brings us to the practical implications for your organization. First, if you think your privacy notice is fine because nobody’s complained yet, think again. The TicketNetwork notice was described as “largely unreadable” with “missing key data rights.” We’re not talking about minor technical violations here. We’re discussing fundamental failures in communication with consumers. Ask yourself: Is your privacy notice written for the average consumer, or is it primarily for your legal department?

Second, having privacy rights on paper means absolutely nothing if the systems to exercise those rights are not functional. The AG’s office found that TicketNetwork’s rights mechanisms were “misconfigured or inoperable.” They’re testing these systems, and they expect them to work. If someone can’t actually access, correct, or delete their data using your website, you’re not in compliance. Period.

Third, and this is where TicketNetwork sealed their fate, when the AG’s office reaches out to you, you need to take it seriously. This isn’t a routine regulatory inquiry. This is the chief law enforcement officer of your state telling you that you have a problem. Treating their communications as optional, like a spam folder filter, is a guaranteed way to escalate a fixable problem into a costly enforcement action.

The most frustrating aspect of this case is how completely avoidable it was. TicketNetwork had every opportunity to fix its problems without penalty. They initially had 60 days, then more months as the AG’s office tried to work with them. Instead of taking advantage of this grace period, they continued to claim they’d fixed things that were still broken and ignored follow-up communications.

Now, at least other companies will learn from TicketNetwork’s expensive mistake. The $85,000 settlement might seem manageable for a larger company, but this is just the beginning. As more states move past their cure periods and start issuing real penalties, those numbers are likely to increase significantly.

The lesson here is straightforward: treating state privacy laws as suggestions rather than requirements is officially over. The first wave of real enforcement is here, and it’s only going to intensify. The question isn’t whether you’ll face scrutiny from your state’s attorney general. The question is whether you’ll be ready when it happens, or whether you’ll be the following cautionary tale in a press release.

As always,

Keep it legal, keep it smart, and stay ahead of the game.