On February 1, Connecticut Attorney General (AG) William Tong released a report detailing the AG's initial efforts to enforce the Connecticut Data Privacy Act (CTDPA or "the Act") and providing recommendations on how the Act could be strengthened through future amendments. Coming seven months after the CTDPA took effect in July 2023, the report identifies privacy policies, sensitive data, teen data, and data brokers as notable areas of early enforcement focus from the AG. Meanwhile, as to legislative recommendations, the report flags several areas where the CTDPA could be strengthened by amendment, including by eliminating entity-level exemptions for organizations that fall within the purview of certain federal privacy laws, adopting a California Delete Act-style data deletion mechanism for information held by data brokers, and expanding the CTDPA's right to know to encompass specific third parties with whom data is shared. Though this type of report is unusual, it offers helpful insight for companies seeking to understand what the Connecticut AG's enforcement priorities are in relation to the CTDPA.

In this post, we summarize key takeaways from the Connecticut AG's report and discuss what this report means for the future of state privacy law enforcement both in Connecticut and across the country. To stay up to date on the latest state privacy law developments, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.

KEY TAKEAWAYS

1. Enforcement Focus on Privacy Policies. According to the report, privacy policies have been a key focus of the Connecticut AG's initial CTDPA enforcement efforts. The report asserts that the AG has sent 10 cure notices regarding deficient privacy policies to companies across a range of industries. One notable area of privacy policy enforcement highlighted in the report concerns disclosures regarding consumer data rights, with the report noting that many of the deficient policies failed to include any such disclosures, or included disclosures that were either inadequate (e.g., failing to explain how Connecticut residents could appeal decisions regarding exercises of their data rights) or confusing (e.g., implying that consumers could be charged money for exercising their rights). The AG has also encountered issues associated with the rights mechanisms embedded in organizations' privacy policies, with some of these policies either failing to provide such mechanisms or including dead links.

The AG's focus on privacy policies should serve as a reminder to companies — particularly those operating in Connecticut — that privacy policies are more than a pro forma exercise. Rather, companies should ensure that their privacy policies adequately and accurately explain consumers' data rights and provide them with effective mechanisms for exercising those rights.

2. Other Areas of Enforcement Focus — Sensitive Data, Teen Data, and Data Brokers. Though privacy policies appear to have constituted the primary focus of the AG's CTDPA enforcement efforts to date, the report notes three other areas in which the AG has taken an early enforcement interest — specifically, sensitive data (including, for example, biometric, genetic, and precise geolocation data), teen data, and data brokers. The report describes the AG as having sent cure notices and inquiry letters to companies engaged in these types of data processing across a spectrum of sectors, including app developers, grocery stores, genetic testing companies, and car manufacturers. Of course, these areas of focus are hardly surprising — indeed, the AG's emphasis on these types of data processing is consistent with recent developments in other states (as well as Connecticut itself) and at the federal level. Nonetheless, the AG's report further demonstrates the need for data brokers and companies that handle sensitive and teen data to ensure that their data processing activities comply with relevant legal requirements.

3. Legislative Recommendations. The report includes several recommendations from the AG as to how the CTDPA could be improved through future amendments. Though several of these recommendations concern minor definition tweaks and clarification of ambiguous statutory language, a few of the recommendations are worth discussing in greater depth:

  • Minimizing Entity-Level Exemptions. The report criticizes the CTDPA's reliance on entity-level exemptions, such as its broad exemptions for entities governed by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). The AG argues that these exemptions are "sweeping" and serve to "put Connecticut residents at a disadvantage," and proposes that the legislature narrow these exemptions where possible, such as by limiting the HIPAA and GLBA exemptions to data covered by those laws, rather than entities. These types of entity-level exemptions are a common feature across many states' comprehensive privacy laws, so it will be interesting to see whether the AG's recommendation finds any sort of receptive audience among Connecticut lawmakers.
  • "One Stop Shop" Deletion Mechanism. The AG proposes that Connecticut follow the example of California's Delete Act by implementing a "one-stop-shop" mechanism that allows consumers "to delete their personal information held by data brokers through a single, verified request."
  • Expanded Right to Know. Pointing to recently enacted comprehensive privacy laws in Oregon and Delaware, the AG proposes that the CTDPA, which currently only requires that companies disclose in their privacy notices the categories of personal data shared with third parties and the categories of third parties with which this personal data is shared, be expanded to offer a right to know the specific third parties with which personal data is shared.

4. Data Breach Notification Timelines. Though not the focus of the report, which is directed primarily at CTDPA enforcement, the AG also mentions that it has issued warning letters to multiple companies for failing to adhere to the Connecticut data breach notification law's 60-day timeframe for notifying the AG and Connecticut residents of data breaches. Here, the AG notes that it views the 60-day statutory period "to run from the date that a company becomes aware of the suspicious activity" and cautions that "[w]hile [it] understand[s] that companies need time to investigate breaches and determine the full impact to personal information, lengthy notice timelines—absent clear justification—do not satisfy the requirements of state law." The AG's warning demonstrates the need for companies to move quickly in the wake of a data breach to identify the scope of the incident and deliver notifications to consumers and regulators in accordance with relevant legal requirements.
