The Connecticut Data Privacy Act (CDPA), which became effective on July 1, 2023, provides Connecticut residents with certain rights over their personal information and establishes responsibilities and privacy protection standards for businesses that process personal information. Notably, the CDPA allows businesses a 60-day cure period to correct violations without penalties through the end of 2024. However, after that cure period, civil penalties may be enforced for up to $5,000 per violation. The CDPA applies to businesses that control or process the data of at least 100,000 Connecticut residents per year, or 25,000 residents per year, if more than 25 percent of their gross revenue comes from selling personal data. A new report was recently released by the office of the Connecticut Attorney General (AG), which outlines how the state has been enforcing this new law. 

The report summarizes the enforcement of this law since its effective date, indicating that the AG’s office has issued about a dozen violation notices to businesses related to the collection and use of consumer data. Of course, these violation notices granted the companies the ability to correct the violation within the 60-day cure period. According to the report, most of Connecticut’s enforcement efforts so far have focused on privacy policies that had confusing disclosures or failed to provide consumers with a clear and conspicuous way to exercise their privacy rights under the CDPA. Additionally, there were a few violation notices sent to businesses for violations related to the collection of sensitive data, such as a grocery store collecting biometric data to prevent shoplifting.

The report concludes, “There is much yet to be done in the balancing act of privacy of consumer information and the need to use and maintain that same information in our global economy. We remain ready to do our part, encouraging and guiding compliance, but prepared to undertake enforcement when necessary.”

The Electronic Privacy Information Center gave Connecticut a D grade for the CDPA, citing the fact that the law is overly favorable to the tech industry and “a favored piece of template legislation for lobbyists.”

In addition to the violation notices sent by the AG’s office, the office also received over 30 individual consumer complaints. However, many of those complaints were related to companies or data that are exempt from the CDPA, such as nonprofits and entities covered under the Health Insurance Portability and Accountability Act.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy and Security Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.