Connecticut AG Issues First Enforcement Report of the CT Data Privacy Act

13 Mar 2024
Client Alert

Six months after the Connecticut Data Privacy Act (CTDPA or “Law”) became effective, the Connecticut Office of Attorney General (AG) has signaled its enforcement priorities by releasing its first Enforcement Report under the Law (the “Report”). The Report details the actions the AG has taken so far to enforce compliance with the CTDPA.

The CTDPA requires the AG to issue a report six months after the effective date of the Law to address: the number of violation notices issued; the nature of each violation; the number of violations cured; and any other matter the AG deems relevant. The AG’s early enforcement efforts include reviewing company privacy policies to determine compliance with the CTDPA, focusing on matters involving the collection of sensitive data and teens’ data, and examining the privacy practices of data brokers. The Report also includes suggestions for strengthening and clarifying the Law. (For an overview of the CTDPA, see our 5/19/22 client alert).

Consumer Complaints Received by the AG

In the six months after the CTDPA took effect, the AG received more than 30 consumer complaints regarding the Law. Many of the complaints involved consumers’ attempts to exercise new data rights under the CTDPA, particularly the right to delete their personal data. About a third of the complaints did not involve violations of the CTDPA, since the businesses in question enjoyed an exception from the deletion provision of the Law, or the personal data in question was publicly available and therefore not covered by the Law. This prompted the AG to recommend scaling back entity-level exceptions in the CTDPA. The AG states in the Report that the office “reviews all consumer complaints for issues or patterns indicative of CTDPA violations—even a single consumer complaint could ultimately lead us down a path to enforcement.”

Early Enforcement Efforts

In the six months after the CTDPA took effect, the AG issued over a dozen cure notices, as well as several information requests under the Law. The AG notes that while many companies took prompt steps to address issues identified in cure notices and cooperated with information requests, several inquiries remain active and ongoing. The AG’s early enforcement efforts focus on four key areas—privacy policies, sensitive data, teens’ data, and data brokers.

(1) Privacy Policies

The CTDPA requires that businesses provide consumers with a reasonably accessible, clear, and meaningful privacy notice that contains the information and components enumerated in the CTDPA, including the categories of personal data processed and the purposes for the processing. In particular, the privacy notice must include a description of the manner by which consumers can exercise their rights. In the Report, the AG states that “[t]ransparency requirements are a crucial component of the CTDPA—these provisions ensure that Connecticut residents have insight into the collection, use and sharing of their personal data, understand their new data rights, and are able to exercise those rights.”

As a result of the AG’s review of companies’ privacy policies, the AG issued 10 cure notices aimed at addressing deficiencies in the privacy policies. Companies that received such cure notices were from various industries, such as retail, fitness, event services, career services, parenting technologies, and home improvement. The AG identified the following deficiencies in the notices:

  • Lacking disclosures (e.g., failure to incorporate notice of consumer rights under the CTDPA at all);
  • Inadequate disclosures (e.g., failure to sufficiently inform Connecticut residents about their rights under the Law and/or how Connecticut residents may appeal denials);
  • Confusing disclosures (e.g., statements creating an impression that consumers may be charged for rights requests as a default, as opposed to only for manifestly unfounded, excessive, or repetitive requests);
  • Lacking rights mechanisms (e.g., failure to include a clear and conspicuous link to a web page enabling consumers to opt out of the targeted advertising or sale of their data);
  • Burdensome rights mechanisms (e.g., rights mechanisms that did not take into account the ways consumers normally interact with the company); and
  • Broken/inactive rights mechanisms (e.g., non-working links or dead-end mechanisms).

(2) Sensitive Data

The CTDPA provides enhanced protections for Connecticut residents’ sensitive data, which is defined to include, among other data elements, genetic or biometric data, and precise geolocation data. The CTDPA requires that companies obtain consumers’ freely given, specific, informed, and unambiguous consent before processing sensitive data, subject to some exceptions.

The Report notes that the AG focused its efforts on the Law’s protections for sensitive data. For example, the AG sent an inquiry letter to “a major web service provider and retailer” after the company issued press releases concerning its plans to roll out its palm recognition service for identification, age verification, payment, loyalty membership, and entry. The AG also sent a cure notice to “a popular car brand” due to privacy concerns around connected vehicles; the cure notice included inquiries into the company’s broader data collection and sharing practices. In addition, the AG sent an inquiry letter to a company questioning its compliance with the CTDPA following a data security incident that exposed sensitive data of over five million individuals.

(3) Teens’ Data

Teens’ data are also afforded enhanced protections under the CTDPA. Specifically, the Law prohibits companies from processing the personal data of a consumer for purposes of targeted advertising or selling the consumer’s personal data without the consumer’s consent, under circumstances where a business has actual knowledge, or willfully disregards, that the consumer is at least 13 but younger than the age of 16. The Report notes that the AG sent a cure notice to an app company in connection with its information collection and sharing practices and the nature and extent of its targeted advertising efforts directed towards teens.

(4) Data Brokers

The CTDPA provides that Connecticut residents have the right to delete personal data provided by, or obtained about, the consumer. This includes personal data held by a business that did not obtain the personal data directly from the consumer, such as data brokers. Following a consumer complaint, the AG sent a cure notice to a company for engaging in targeted advertising, as well as an inquiry letter to the data broker that identified the individual to be included on the targeted marketing list.

The AG’s Support for Legislative Change

In the Report, the AG identifies several areas where legislative changes would strengthen or clarify privacy protections under the CTDPA, including, among others: scaling back entity-level exemptions; enacting one-stop-shop deletion mechanisms; expanding biometric definitions; and clarifying protections for teens’ data.

Takeaways

The AG has the authority under the CTDPA to impose monetary penalties under the Connecticut Unfair Trade Practices Act. The CTDPA provides, until December 31, 2024, a 60-day cure period upon written notice from the AG of an alleged violation, if the AG determines that a cure is possible. Beginning on January 1, 2025, the cure period sunsets, but the AG will still have discretion to grant an alleged violator an opportunity to cure depending on (1) the number of violations; (2) the size and complexity of the controller or processor; (3) the nature and extent of the controller’s or processor’s processing activities; (4) the substantial likelihood of injury to the public; (5) the safety of persons or property; and (6) whether the alleged violation was likely caused by human or technical error. As stated in the AG’s press release and the Report, the AG “remain[s] ready to do our part, encouraging and guiding compliance, but prepared to undertake enforcement when necessary.” Therefore, it is important that businesses subject to the CTDPA take certain steps, such as:

  • Reviewing existing privacy notices to ensure that such notices are compliant with the CTDPA and, in particular, that such notices are reasonably accessible, clear, and meaningful, and include the categories of personal data processed and the purposes for the processing;
  • Ensuring that privacy notices include a description of the manner in which consumers can exercise their rights, including the mechanisms to opt out of targeted advertising or sale of their data under the Law, as applicable;
  • Confirming that the business has procedures in place to respond to consumer rights requests as set forth under the CTDPA and in the timeframe required. Under the CTDPA, consumers are given the right to access, correct, delete, obtain, and confirm their personal data, and to opt out from certain uses of their personal data;
  • Considering whether they process sensitive personal data about Connecticut residents and, if so, whether the CTDPA requires them to obtain consent from such residents to do so, or whether an exception applies; and
  • Considering whether they have sufficient knowledge that consumers are between the ages of 13 and 16, and, if so, whether they have measures in place to refrain from targeting ads to them and selling their personal data without their consent.

Kristina Hickerson, a Privacy Analyst in Morrison Foerster’s New York Office, contributed to the writing of this alert.
