Last week we got a signal that Connecticut is not going to mess around with data privacy in its state. On April 18, 2025, Connecticut Attorney General William Tong released an updated enforcement report detailing the state’s aggressive efforts to uphold the Connecticut Data Privacy Act (CTDPA), effective since July 1, 2023. As one of the nation’s first comprehensive consumer privacy laws, the CTDPA grants Connecticut residents significant rights over their personal data while imposing strict obligations on businesses. The 2024 report underscores the state’s commitment to enforcement, highlights key compliance challenges, and proposes legislative enhancements, positioning Connecticut as a leader in data privacy protection. If you’re not familiar with the CTDPA’s framework, recent enforcement actions, and the broader implications for businesses and consumers, you soon will be.
According to Attorney General Tong: “Connecticut remains at the forefront of consumer data privacy. Since the Connecticut Data Privacy Act took effect, our office has worked to educate consumers and companies alike about their rights and obligations. We remain focused on ensuring compliance with this important law going forward. Much remains to be done, including amending the CTDPA to provide stronger protections for Connecticut residents. We will continue to be transparent about our efforts to uphold and strengthen this important law.”
The CTDPA: A Consumer-Centric Framework
Signed into law on May 10, 2022, the CTDPA applies to businesses that conduct operations in Connecticut or target its residents, processing personal data of at least 100,000 consumers or 25,000 consumers with over 25% of revenue from data sales. It grants residents rights to access, correct, delete, and opt out of targeted advertising or data sales, with additional protections for minors requiring parental consent for certain activities. As of January 1, 2025, businesses must honor universal opt-out preference signals, such as the Global Privacy Control, reinforcing consumer control.
The law’s enforcement, exclusively handled by the Attorney General, allows for civil penalties up to $5,000 per violation under the Connecticut Unfair Trade Practices Act. A 60-day cure period was mandatory until December 31, 2024, but since January 1, 2025, cures are discretionary, reflecting a tougher stance. The CTDPA also mandates transparent privacy notices and prohibits discrimination against consumers exercising their rights, aligning with laws like California’s CCPA and Colorado’s CPA but tailored to Connecticut’s priorities.
Enforcement Last Year: A Proactive Approach
The 2024 enforcement report, released on April 18, 2025, details the Attorney General’s multifaceted efforts to ensure CTDPA compliance:
- Consumer Complaints and Investigations: The Office received 75 consumer complaints, primarily concerning failures to honor opt-out requests, inadequate privacy notices, and dark patterns—deceptive designs that manipulate user consent. Investigations targeted non-compliant privacy policies, data broker practices, and facial recognition misuse by retailers.
- Warning Letters and Notices of Violation: Dozens of warning letters were issued, addressing issues like missing or confusing disclosures, broken opt-out links, and burdensome rights mechanisms. Many businesses cured violations within the 60-day window, but persistent non-compliance triggered further scrutiny.
- Facial Recognition Focus: The report highlights enforcement against retailers using facial recognition without proper disclosures, reflecting concerns about sensitive biometric data.
- Data Broker Scrutiny: Investigations into data brokers emphasized their role in unauthorized data sales, with proposed amendments for a “one-stop-shop” deletion mechanism inspired by California’s Delete Act.
The report also notes broader privacy efforts, including warning letters for data breach notification delays under Connecticut’s separate breach law, signaling a holistic approach to data protection.
Compliance Challenges and Legislative Recommendations
Despite progress, the report identifies ongoing compliance gaps. Many businesses still fail to provide clear privacy notices, include functional opt-out mechanisms, or respect universal opt-out signals. Small and medium-sized enterprises, in particular, struggle with the law’s technical requirements, while larger firms face challenges scaling compliance across jurisdictions.
To address these issues, Attorney General Tong proposes several legislative enhancements:
- Eliminate Exemptions: Scale back exemptions for entities like nonprofits or those under federal laws (e.g., HIPAA), broadening the CTDPA’s scope.
- Strengthen Minor Protections: Enhance safeguards for children’s and teens’ data, addressing gaps in social media and adtech.
- One-Stop Deletion Mechanism: Implement a single, verified request system for consumers to delete data held by brokers.
- Expand Right to Know: Require disclosure of specific third parties receiving consumer data, aligning with Oregon and Delaware laws.
These recommendations aim to close loopholes and align Connecticut with evolving national standards, ensuring the CTDPA remains a robust tool for consumer protection.
Implications for Businesses
The end of the mandatory cure period on December 31, 2024, marks a shift to stricter enforcement. Businesses must now prioritize:
- Robust Privacy Notices: Ensure disclosures clearly outline consumer rights and opt-out processes, avoiding vague or misleading language.
- Functional Opt-Out Systems: Implement reliable mechanisms, including universal opt-out signal recognition, to comply with the January 1, 2025, requirements.
- Data Mapping and Audits: Regularly assess data flows, especially for sensitive or minor-related data, to mitigate risks.
- Vendor Oversight: Scrutinize third-party processors and brokers to prevent unauthorized data sharing.
Non-compliance risks not only fines but also reputational damage, particularly as consumer awareness of privacy rights grows. The Attorney General’s focus on facial recognition and data brokers signals that emerging technologies and high-risk practices will face heightened scrutiny.
Connecticut’s Uncompromising Stance on Privacy
Connecticut’s aggressive enforcement of the CTDPA sends a clear message: privacy is non-negotiable. With 75 consumer complaints already investigated, dozens of warning letters issued, and targeted actions against facial recognition and data brokers, the state is not messing around. Attorney General Tong’s commitment to transparency, evidenced by voluntary annual reports, underscores a dedication to holding businesses accountable while empowering residents. As proposed amendments aim to strengthen the law, Connecticut is setting a national standard for consumer data protection. As we’re seeing in neighboring New York, where Letitia James is coming after businesses hard, and with Honda getting a $632,500 fine, this is just the beginning of the crusade of fines and litigation for those who don’t respect data subjects’ rights.
In an era where personal data fuels economies but also vulnerabilities, the CTDPA’s enforcement reflects a broader truth: privacy is a fundamental right, not a luxury. Businesses that ignore this risk severe consequences, while those that embrace compliance build trust and resilience. Connecticut’s unwavering approach proves that strong privacy laws, backed by relentless enforcement, are critical to safeguarding dignity and autonomy in a digital world.