On April 17, 2025, the Connecticut Office of the Attorney General (“OAG”) released an Updated Enforcement Report Pursuant to the Connecticut Data Privacy Act (“Report”). The Report, the second issued by OAG (read our takeaways from the first one here), offers a detailed look into OAG’s first year of enforcing the Connecticut Data Privacy Act (“CTDPA”) and provides insights into its top enforcement priorities. The Report also offers several “legislative recommendations” from OAG that it says are meant to strengthen or clarify the privacy protections under the CTDPA.
As a reminder, the CTDPA first took effect July 1, 2023. The Connecticut legislature amended the CTDPA to expand protections for minors under the age of 18 and to add requirements for businesses processing consumer health data. These amendments took effect on October 1, 2024.
This post outlines key enforcement themes from the Report, highlights OAG’s recommended changes to the CTDPA, and offers practical takeaways for businesses subject to the law.
Consumer Complaints Continue to Drive Enforcement
OAG reports that it continues to receive a steady stream of consumer complaints about alleged violations of the CTDPA, and these complaints are a key driver of investigations and inquiries. Many consumers submitted complaints that stemmed from broken or inadequate rights request mechanisms.
To avoid consumer complaints and to stay off OAG’s radar, make sure your business honors valid requests, has properly functioning data rights mechanisms, and has sufficient internal processes in place to address consumer rights requests.
Clarity and Consistency in Privacy Policies Are Non-Negotiable
The Report also highlights OAG’s continued focus on insufficient privacy policies. Since the CTDPA took effect, OAG has conducted multiple sweeps resulting in over two dozen cure notices. Common issues include:
- Omissions of CTDPA specific consumer rights
- Broken, unclear, or hard-to-find opt-out mechanisms
- Misleading statements about data access and deletion rights
OAG warned that “[c]ompanies should consider all privacy notices and public-facing representations to be under review.” If your organization hasn’t updated its privacy policy recently, now is the time to revisit it.
Facial Recognition Technology is a Top Concern
While much of the Report outlines OAG’s enforcement priorities, part of the Report functions as an “informal guidance” to communicate OAG’s baseline expectations for businesses using facial recognition technology. The Report emphasizes that OAG believes facial recognition technology inherently requires a business to collect, use, and sometimes share biometric information, which the CTDPA defines as sensitive information. According to OAG’s guidance, businesses deploying facial recognition technology should:
- Provide consumers with a reasonably accessible, clear, and meaningful notice about the business’s use of facial recognition technology and the consumer’s available rights
- Obtain consumers’ affirmative, opt-in consent
- Provide an effective mechanism for a consumer to revoke consent for facial recognition processing
- Conduct Data Protection Assessments surrounding the facial recognition technology
- Apply data minimization principles by collecting only the data necessary for stated purposes
- Establish clear retention and deletion policies
- Establish a robust information security program that includes strong access controls, multifactor authentication, and separation of facial recognition data from other systems or datasets
This informal guidance is reportedly the result of an OAG investigation surrounding a retail company’s use of facial recognition technology to detect and prevent shoplifting. While the CTDPA does have a crime/fraud exception that should apply to processing related to loss prevention, the Report stresses that “this is not a blanket exception.” Even if your company is leveraging an exception, OAG states that the CTDPA’s data minimization, purpose limitation, and data security requirements still apply. If your business is using facial recognition technology, evaluate how your practices align with this informal guidance—even if you think an exception otherwise applies.
Consumer Health Data
As of October 1, 2024, the CTDPA applies to a new set of businesses: consumer health data controllers. Consumer health data controllers are businesses that conduct business in Connecticut and process consumer health data. Consumer health data is broadly defined and includes data related to physical or mental health conditions, reproductive or sexual health data, or gender-affirming care. Unlike the CTDPA’s general threshold, consumer health data controllers are subject to the law regardless of size or revenue.
The Report highlights consumer health data as an area of focus for OAG, noting that OAG has already sent inquiry letters to two different telehealth companies regarding their use of online tracking tools on their website.
New Rights for Minors
The amendments effective October 1, 2024 also create new requirements for businesses that offer any “online service, product, or feature” to individuals under 18.
To that end, the CTDPA now requires opt-in consent to process a minor’s personal data for targeted advertising, profiling, or sale. The law also now requires opt-in consent to collect precise geolocation data from minors and prohibits practices designed to “significantly increase, sustain, or extend” minors’ time online.
The Report announces that OAG has already initiated inquiries in this area and makes clear that this remains a continuing enforcement priority.
Recognize Universal Opt-Out Signals
Starting January 1, 2025, the CTDPA requires all covered businesses to recognize universal opt-out preference signals (e.g., GPC) that indicate a Connecticut resident’s intent to opt out of targeted advertising or any sales of personal data.
The Report sends a clear message that OAG is focused on ensuring covered businesses are upholding this consumer right.
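The following is an added example, not code from the post or from OAG, showing what “recognizing” a universal opt-out signal looks like in practice on a website. It relies on two facts from the Global Privacy Control specification: a browser that has the preference enabled sends the request header `Sec-GPC: 1`, and scripts in that browser see `navigator.globalPrivacyControl === true`. All function names, the decision fields, and the sample requests are constructed for this example; the decision logic treats the signal as an opt-out of targeted advertising and sale only, since the signal never grants consent for anything.

```javascript
'use strict';

// Read a request header from either a plain header object (Node's http module
// and Express lower-case the keys) or a Fetch-style Headers instance (has .get).
function readHeader(headers, name) {
  if (headers && typeof headers.get === 'function') {
    const v = headers.get(name);
    return v == null ? undefined : v;
  }
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers || {})) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// True only when the browser sent `Sec-GPC: 1`. The GPC specification defines
// "1" as the only meaningful value, so an absent header, "0" or "true" is not
// an opt-out and must not be guessed at.
function gpcSignalPresent(headers) {
  const value = readHeader(headers, 'Sec-GPC');
  return typeof value === 'string' && value.trim() === '1';
}

// Client-side equivalent: the same preference is exposed to page scripts as
// navigator.globalPrivacyControl. `nav` is passed in so the check can be
// exercised outside a real browser.
function gpcSignalInBrowser(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Turn the signal into concrete processing decisions for this request.
// Under the CTDPA the signal is an opt-out of targeted advertising and sale of
// personal data; it does not supply opt-in consent for sensitive data or for
// minors' data, so nothing here ever turns consent-gated processing on.
function processingDecisions(headers) {
  const optedOut = gpcSignalPresent(headers);
  return {
    gpcOptOut: optedOut,
    targetedAdvertising: !optedOut,
    saleOfPersonalData: !optedOut,
    // Keep the basis for the decision so the handling can be audited later.
    basis: optedOut ? 'Sec-GPC: 1 received' : 'no universal opt-out signal',
  };
}

// Self-check for the "verify that your website honors GPC" step: feed the
// site's decision function constructed requests with, without and with a
// malformed signal, and confirm ads and sale are disabled only for the real one.
function verifyGpcHandling(decide = processingDecisions) {
  const withSignal = decide({ 'sec-gpc': '1', 'user-agent': 'constructed-sample' });
  const withoutSignal = decide({ 'user-agent': 'constructed-sample' });
  const malformed = decide({ 'sec-gpc': 'true', 'user-agent': 'constructed-sample' });
  return (
    withSignal.gpcOptOut === true &&
    withSignal.targetedAdvertising === false &&
    withSignal.saleOfPersonalData === false &&
    withoutSignal.gpcOptOut === false &&
    withoutSignal.targetedAdvertising === true &&
    malformed.gpcOptOut === false
  );
}
```

Calling `processingDecisions(req.headers)` at the start of a request handler, and branching ad and data-sharing logic on the returned flags, is the server-side half; `gpcSignalInBrowser(navigator)` lets page scripts that load tag managers or ad pixels make the same decision client-side. Honoring the signal for every visitor, rather than only for those geolocated to Connecticut, avoids depending on IP geolocation to decide whether a legal obligation applies.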
Legislative Recommendations: Changes on the Horizon?
The Report also proposed several recommendations to the Connecticut Legislature to strengthen the CTDPA, including:
- Scale Back Exemptions: The Report suggests removing entity-level exemptions for GLBA- and HIPAA-covered entities, narrowing the FCRA exemption, and eliminating the nonprofit exemption.
- Data Minimization: OAG urges the legislature to adopt data minimization standards like Maryland’s comprehensive privacy law—which takes effect October 1, 2025. It recommends limiting all data collection to what is strictly necessary to provide or maintain a specific product or service requested by the consumer.
- Right to Know Specific Parties: The Report recommends adopting Oregon’s “right to know” the specific third parties that receive personal data from covered businesses. It also recommends adopting Delaware’s right that allows consumers to obtain a list of the categories of third parties to which the controller has disclosed that consumer’s personal data.
- Expanded Definition of Sensitive Data: The Report recommends expanding the CTDPA’s definition of sensitive data to include additional categories like social security numbers and union membership.
- Lower Applicability Thresholds: OAG recommends updating the CTDPA’s applicability threshold to align with Delaware and New Hampshire. It proposes covering businesses that process data from at least 35,000 consumers annually, or 10,000 consumers if more than 20% of revenue comes from data sales. This is a significant reduction from its current threshold, which applies to businesses that process data from at least 100,000 consumers annually, or 25,000 consumers if more than 20% of revenue comes from data sales.
- Enact a “One-Stop-Shop” Deletion Mechanism: The Report urges the Connecticut legislature to consider a “one-stop-shop” deletion approach like California’s Delete Act, enabling consumers to delete their personal information held by data brokers through a single, verified request.
Taken together, these recommendations show that OAG is paying close attention to its peer states and borrowing from them in its efforts to strengthen the CTDPA.
Practical Takeaways
The Report offers a clear compliance roadmap for businesses to evaluate their current practices. If your business is subject to the CTDPA, now is the time to:
- Review and update your company’s privacy policy
- Test your data rights request mechanisms and train staff to respond appropriately and in a timely manner
- If you use facial recognition technology, review your practices to ensure they align with OAG’s expectations, even if you think an exception may apply
- Evaluate whether you qualify as a consumer health data controller or whether your services target minors
- Verify that your website honors GPC and other universal opt-out signals