Connecticut continues to refine its data privacy act as it implements its first violation settlement. TicketNetwork, Inc., reached a settlement of $85,000 for deficiencies in its privacy notice to consumers. Despite receiving notice from the Office of the State Attorney General with a window of 60 days to fix the violations, TicketNetwork failed to resolve the issues or respond to correspondence in a timely manner.
Less than two weeks before charging the fine, the Connecticut governor signed off on additional changes to the Connecticut Data Privacy Act. These most recent changes expand the scope of the act, limit exemptions, modify consumer rights of access and ability to contest certain decisions, and make small alterations to other requirements as well as create new impact assessment requirements and strengthen protections for minors. The most recent fortifications are scheduled to take effect July 1, 2026. Once exempt, smaller businesses now need to be aware of the expanded parameters because companies will be subject to Connecticut’s Data Privacy Act if they 1) control or process the personal data of at least 35,000 consumers, instead of the previous 100,000 requirement; 2) control or process consumers’ sensitive data (excluding personal data controlled or processed solely for completing a payment transaction); or 3) offer consumers’ personal data for sale in trade or commerce. Connecticut also follows California by moving from an entity-level exception to one at the data level, meaning companies may not be exempted in whole. Rather, they will need to look at each set of data individually to see whether an exemption applies. Overall, the changes mean the law is likely to apply to more companies than before.
Entities doing business in Connecticut should review the new provisions to determine whether and how the changes impact their company.
One refrain heard from multiple states in the spring, and echoed in Connecticut’s hefty fine, is that companies need to respond to regulators in a timely fashion. Failing to set up websites and data privacy notices properly, fix issues, and respond to regulators will only mean more trouble as states step up their enforcement game.
[View source.]
