On February 1, 2024, the Connecticut Office of the Attorney General (“OAG”) submitted to the Connecticut General Assembly its report on the first six months of the Connecticut Data Privacy Act (“CTDPA”). While the report includes important information about its enforcement efforts to date, the most noteworthy aspect may be its recommendation to the legislature to remove various exemptions from the CTDPA.
The report notes that the OAG has received more than thirty consumer complaints in the first six months of the CTDPA, which went into effect on July 1, 2023, many of which involved consumers’ attempts to exercise their new rights. The OAG noted, however, that around one-third of the complaints involved data or entities that were exempt under the CTDPA.
With respect to enforcement, the report provides summaries of four different areas: privacy policies, sensitive data, teens’ data, and data brokers. The report notes a different types of enforcement activities for each, but two are worth highlighting. First, the report notes that the OAG is actively reviewing companies’ privacy policies to assess compliance, resulting in the issuing of ten cure notices on the topic. Clearly, companies subject to the CTDPA should ensure that their public facing documents are at least facially sufficient.
Second, the report notes that it has sent a cure notice to “a popular car brand” based on reports that its connected vehicles may be collecting sensitive personal data. This focus on sensitive data is in line with what we have seen from other regulators, such as Colorado. But, it also demonstrates that public reports on privacy issues can direct regulators to focus on specific industries.
Finally, the OAG makes several legislative recommendations. One such recommendation is to scale back entity-level exemptions, specifically the non-profit, GLBA, and HIPAA exemptions. The OAG also recommends adding a right to know specific third parties with which controllers share personal data, similar to the Oregon law that goes into effect later this year.
Overall, the OAG’s report shows that regulators across states are taking generally similar approaches to enforcement, which appears to include a component of looking at companies’ privacy policies and opt-out mechanisms as an initial check on compliance. Businesses should expect more of the same, and they would be wise to update accordingly.