On February 1, Connecticut’s Attorney General William Tong released a comprehensive report detailing the initial strides made to enforce the Connecticut Data Privacy Act (CTDPA) and provided insightful recommendations for its future progression through means of amendments. Released only seven months after the act was enacted in July 2023, the report casts a whole new light on pivotal areas of early enforcement focuses from the top legal authority in the state, highlighting privacy policies, sensitive data treatment and data brokers.
Additionally, it suggests various legislative modifications aimed at fortifying the act, such as abolishing entity-level exemptions for organizations under certain federal privacy laws, adopting data deletion protocols similar to California's Delete Act for data held by brokers and broadening the CTDPA’s right to know to whom data is being shared. Although such a report is highly irregular, it does, in fact, provide litigators, consumers, companies and lawmakers with the necessary guidance and insights to help them further understand the enforcement priorities concerning the CTDPA.
As highlighted in the report, moving forward, a substantial emphasis will likely be placed on enforcing privacy policies in the early stages of CTDPA enforcement. Attorney General Tong has distributed notices regarding deficient privacy policies to companies across a diverse array of industries. Notably, the report underscores deficiencies in disclosures concerning consumer data rights, with numerous policies either lacking said disclosures or presenting them in an entirely unprofessional manner.
Additionally, issues with the mechanisms embedded in the organizations’ privacy policies, including dead links, were frequently noted. This highlight marks an imperative first step for companies, particularly those operating in Connecticut, to ensure that their privacy policies not only meet state procedural requirements but also comprehensively and clearly articulate consumers’ data rights.
While privacy policies have received the most spotlight, the report also sheds light on three other areas where Attorney General Tong has revealed early enforcement interest under the CTDPA: sensitive data, including biometric and geolocation data, underage user data and data brokers. Cure notices and inquiry letters have been dispatched to companies engaged in processing these types of data across various sectors, underscoring the necessity for data brokers and companies handling sensitive or teen data to ensure compliance with legal requirements.
The report also presented several recommendations for enhancing the CTDPA through future amendments. Notable recommendations included:
Minimizing Exemptions: The report critiques the CTDPA’s reliance on entity-level exemptions, advocating for narrowing these exemptions to avoid disadvantaging Connecticut residents.
One-Stop Deletion Shop: Proposing a “one-stop-shop” mechanism akin to California’s Delete Act, the AG suggests streamlining the process for consumers to delete their personal information held by data brokers.
Expanded the Right to Know: Drawing from recent comprehensive privacy laws in other states, the AG proposes expanding the CTDPA to provide consumers with the right to know specific third parties with whom their personal data is shared.
Status of Data Breach Notifications: While not the primary focus, the AG underscores the importance of adhering to the Connecticut data breach notification law’s timeframe, emphasizing the need for swift action in notifying consumers and regulators following a data breach.
To briefly conclude, Attorney General Tong’s report provides valuable insights into the early enforcement priorities of the CTDPA and suggests potential legislative amendments to not only fortify but further clarify data privacy laws in the state.
