BlogLine

Connecticut’s first CTDPA enforcement action – a critical reminder for businesses

7/30/25


By: Michael R. Brown and David A. Cole

The Connecticut attorney general announced its first public enforcement action under the Connecticut Data Privacy Act (“CTDPA”), resulting in an $85,000 settlement with TicketNetwork, Inc., for failing to comply with the law’s requirements. The case provides insight into the state’s enforcement strategies and helpful lessons for businesses on privacy compliance.

CTDPA Requires Clear and Accessible Notice of Data Practices

The CTDPA is Connecticut’s comprehensive consumer data privacy law, which took effect on July 1, 2023. Modeled on other state laws like Virginia’s and Colorado’s, the CTDPA gives Connecticut residents rights over their personal data and requires companies to post a clear and accessible privacy notification that discloses, among other things, (1) the type of data they collect and the purposes of the collection; (2) consumers’ rights to access, correct and delete their data; (3) methods for exercising these rights; and (4) an opt-out mechanism. The Connecticut attorney general has exclusive enforcement authority and, until January 1, 2025, was required to issue a notice of violation and allow 60 days to cure. Since that date, enforcement can proceed without warning.

What Did TicketNetwork Supposedly Do Wrong?

According to the AG’s investigation, TicketNetwork’s online privacy notice allegedly:

  • Was “largely unreadable”, written in dense legal jargon;
  • Failed to disclose Connecticut consumers’ rights under the CTDPA;
  • Did not include required explanations about the types of data collected, how it’s shared or how consumers could opt out of targeted advertising or data sales; and
  • Contained broken or misconfigured links that were supposed to allow consumers to exercise their rights.

In short, the AG alleged that TicketNetwork’s privacy notice failed both substantively and functionally to meet the CTDPA’s requirements. The AG thus issued a “cure notice”, directing TicketNetwork to correct the alleged deficiencies.

TicketNetwork responded that it had changed its policy so that it now complied with the CTDPA. However, the AG argued the updates were insufficient and that some of the same concerns related to font size and paragraph blocks remained. In addition, the AG raised new concerns about specificity and clarity in the privacy notice. Despite several additional extensions, TicketNetwork did not respond further and the AG ultimately determined that TicketNetwork did not correct the deficiencies.

Key Takeaways from the Enforcement and Settlement

As a result of the alleged noncompliance, the AG brought enforcement proceedings against TicketNetwork that ultimately resulted in an agreed-upon settlement. Under the terms of the settlement, TicketNetwork:

  • Agreed to pay an $85,000 penalty;
  • Committed to bring its privacy practices into compliance with the CTDPA;
  • Must report metrics on the number of consumer data rights requests it receives and how it handles them; and
  • Is subject to ongoing oversight by the attorney general’s office.

While the Connecticut AG has issued dozens of cure notices since the CTDPA took effect, this is the first case where enforcement followed a company’s failure to act. And now that the statutory cure period has expired, more direct enforcement actions can be expected.

For companies doing business in Connecticut or any other states with similar laws, the message is clear: privacy compliance is not optional or merely advisable; it is required. Companies must clearly and honestly communicate their data practices through privacy notices and continuously review the notices to ensure they accurately reflect the company’s practices and comply with legal requirements. Under the CTDPA and most other laws, clarity and accessibility are key components. Placing required notifications in the middle of standard legal terms and conditions or burying them in small font amidst legal jargon will not do. Instead, notices should be clearly displayed and accessible to website users, contain all required information and be written in understandable terms.

In addition, if you receive an inquiry or cure notice from a regulator, do not ignore it. This does not mean you should roll over and accede to every demand. But you should cooperate in the process with the goal of achieving compliance and avoiding the necessity of further litigation when possible. In the end, good data security and privacy practices are not just about compliance: they are also good business.

For any questions or further clarification, please contact Michael R. Brown at michael.brown@fmglaw.com, David A. Cole at david.cole@fmglaw.com or your local FMG attorney.

Information conveyed herein should not be construed as legal advice or represent any specific or binding policy or procedure of any organization. Information provided is for educational purposes only. These materials are written in a general format and not intended to be advice applicable to any specific circumstance. Legal opinions may vary when based on subtle factual distinctions. All rights reserved. No part of this presentation may be reproduced, published or posted without the written permission of Freeman Mathis & Gary, LLP.