A Privacy Notice That Nobody Could Read

We have been extremely diligent in warning companies operating to 1 of the 20 states with privacy laws that they need to adhere to the highest standards of privacy requirements. Connecticut’s Attorney General William Tong that we’ve covered for his ramp up of enforcements just dropped a bombshell: an $85,000 settlement with TicketNetwork, Inc., for flagrant violations of the Connecticut Data Privacy Act (CTDPA). Announced last week, this marks the state’s first major enforcement action since the CTDPA’s cure period expired on January 1, 2025. The issue? TicketNetwork’s privacy notice was a mess described as “largely unreadable” with tiny fonts, dense paragraphs, and broken opt-out mechanisms that left consumers in the dark about their data rights. Worse, the company ignored multiple warnings to fix it, making this not just a mistake but a masterclass in corporate negligence. The crazy thing is with our data privacy software solutions like our layered privacy policy software they could’ve automated all of this and saved thousands of dollars in fines and bad press.

A Wake-Up Call for Data Protection and AI Oversight in Connectict

TicketNetwork’s $85,000 privacy blunder isn’t just about a bad website design. It’s about a company failing to respect the rights of Connecticut residents to control their personal data rights like accessing, correcting, or deleting their information. The TicketNetwork case echoes other high-profile privacy fiascos, like the McDonald’s McHire breach that happened this month as well, where a hiring bot’s backend was cracked with the password “123456,” exposing 64 million applicants’ data. Both cases scream one thing: companies aren’t taking data privacy seriously, and regulators are starting to swing back. The trend of fines and litigation is starting to ramp up. Now TicketNetwork will most likely be targeted by litigators if they don’t fix things up. Lawsuits for privacy violations from the most well known law firms like Pacific Trial Attorneys, Tauler, and Swigart are looking at recent fines to see who is not being compliant.

TicketNetwork’s Epic Fail: Ignoring the Cure Notice

The CTDPA, which kicked in on July 1, 2023, is one of the nation’s first comprehensive consumer privacy laws, giving Connecticut residents rights to access, correct, delete, or opt out of the sale of their personal data. It also requires businesses to maintain clear, readable privacy notices. TicketNetwork, an online ticket marketplace, flunked this basic requirement. On November 9, 2023, Tong’s office sent a “cure notice” flagging the company’s unreadable privacy notice, missing data rights, and broken opt-out tools. They had 60 days to fix it—no penalty if they complied.

TicketNetwork’s response? A half-hearted attempt on December 31, 2023, claiming they’d fixed the issues. Spoiler: they hadn’t. The font was still tiny, the text was a wall of jargon, and the opt-out mechanisms were still broken. Tong’s office followed up on February 1, 2024, then again on March 12 and April 16, but TicketNetwork either ignored them or dragged its feet. By June 2024, the company was still promising fixes but asked for an extension until July 31, which Tong denied. The result: an $85,000 fine and a mandate to comply with the CTDPA, including annual privacy notice reviews and detailed reports on consumer rights requests all things that privacy software tools like Captain Compliance can automate to save them from a future fine.

What makes this egregious is TicketNetwork’s refusal to act despite repeated warnings. Unlike dozens of other companies that fixed their privacy notices after receiving cure notices, TicketNetwork stood out as the only one to repeatedly claim compliance while doing nothing meaningful. Attorney General Tong didn’t mince words: “This law has been in effect for two years. There is no excuse for continued non-compliance, and we are prepared to use the full weight of our enforcement authority.” This settlement signals a shift from warnings to real consequences, and it’s a warning shot for other businesses slacking on privacy.

McDonald’s Ghost Lingers: Lessons from Hot Coffee

TicketNetwork’s negligence isn’t an isolated case it’s part of a pattern of corporate carelessness that brings to mind McDonald’s. In 1994, Stella Liebeck sued McDonald’s after spilling scalding-hot coffee that caused severe burns, winning $2.86 million (later reduced) because the company ignored known risks. Fast forward to 2025, and McDonald’s McHire platform was hacked due to a laughably weak “123456” password, exposing 64 million job applicants’ data. Both cases show what happens when companies prioritize convenience over responsibility. TicketNetwork’s unreadable privacy notice and ignored warnings mirror this recklessness, risking consumer trust and legal fallout. If McDonald’s history teaches anything, it’s that ignoring risks can burn you—literally and figuratively.

The CTDPA: A Blueprint for Consumer Power

The CTDPA is a big deal because it puts consumers in the driver’s seat. It grants rights to access, correct, delete, or opt out of data sales and targeted ads, and it demands clear privacy notices so people actually understand what’s happening with their data. Businesses must also protect sensitive data, like health or biometric information, and get consent before processing kids’ data. The law applies to companies processing data of at least 35,000 Connecticut residents annually (lowered from 100,000 starting July 2026) or those handling sensitive data.

Enforcement is no joke. The Attorney General can slap violators with civil penalties up to $5,000 per violation under the Connecticut Unfair Trade Practices Act. TicketNetwork’s $85,000 fine is just the start—future penalties could climb higher as the cure period is gone. The state’s 2024 enforcement report noted 1,900 breach notifications and over two dozen cure notices, with most companies complying quickly. TicketNetwork’s stubbornness made it the poster child for what not to do.

AI Regulations: The Wild West Gets Rules

The CTDPA doesn’t directly regulate AI, but its focus on transparency and consumer rights overlaps with growing AI oversight. AI systems, like McDonald’s McHire bot or banking algorithms, often process vast amounts of personal data, making them prime targets for breaches and bias. Connecticut’s enforcement signals a broader trend: regulators are cracking down on tech that mishandles data or lacks transparency.

In California, the CCPA is leading the charge. In July 2025, Attorney General Rob Bonta announced a $1.55 million settlement with Healthline Media LLC for violating the CCPA. Healthline’s website, a top-40 global health platform, used tracking tech to share data suggesting users’ medical conditions without proper opt-out options. The settlement bans Healthline from sharing article titles that imply diagnoses and includes strict injunctive terms. This was Bonta’s fourth CCPA action, following a $500,000 settlement with Tilting Point Media for sharing kids’ data and a DoorDash case for selling data without notice.

Honda Motors also faced CCPA scrutiny, though specific details on a settlement are less clear. In 2023, California investigated Honda for potential privacy violations related to its data practices, signaling that even legacy industries aren’t immune to scrutiny. These cases show that AI-driven systems—whether in health, hiring, or automotive must prioritize transparency and security to avoid hefty fines.

Global Context: AI and Privacy Under Fire

The EU’s General Data Protection Regulation (GDPR) remains the gold standard, with fines up to €20 million or 4% of global revenue. In 2022, Italy fined Clearview AI €20 million for non-consensual biometric data collection. The EU AI Act, finalized in 2024, adds another layer, classifying AI systems like hiring bots as “high-risk” and imposing fines up to €35 million or 7% of revenue for non-compliance. If TicketNetwork or McDonald’s operated in the EU, their sloppiness could’ve cost millions.

In the U.S., states are filling the federal void. New York City’s Local Law 144 (2022) requires bias audits for AI hiring tools, while Illinois’ Biometric Information Privacy Act (BIPA) imposes fines up to $5,000 per violation for mishandling biometric data. These laws aim to prevent disasters like McHire’s breach or TicketNetwork’s unreadable privacy notice, but enforcement is just ramping up and tools like the ones developed by the compliance experts at Captain Compliance can help protect against these violations and fines.

What’s Next: A Call for Accountability in Connecticut

TicketNetwork’s $85,000 fine is a slap on the wrist compared to potential GDPR or CCPA penalties, but it’s a signal that regulators are done playing nice. Companies must prioritize clear privacy notices, secure AI systems, and compliance with consumer rights. TicketNetwork’s failure to fix a simple privacy notice after multiple warnings is a case study in what not to do. McDonald’s McHire breach, with its “123456” password, shows how even basic security lapses can expose millions. And Healthline’s $1.55 million fine proves that mishandling sensitive data like health information comes with a steep price.

For businesses, the message is clear: invest in cybersecurity, audit AI systems for bias, and respect consumer rights. McDonald’s hot coffee lawsuit should’ve taught corporate America that ignoring risks leads to pain. As AI and data privacy laws evolve, companies that drag their feet will face fines, lawsuits, and trashed reputations. TicketNetwork’s settlement is just the beginning expect more regulators to follow Tong’s lead and hit non-compliant companies with fines and cure notices. It’s happening all over the country Oregon’s enforcement team spoke up at the IAPP’s Global Privacy Summit and said that this is a requirement moving forward to respect users privacy and if a company doesn’t they will be put on notice just like TicketNetwork was.