Connecticut AG Issues Report to General Assembly on CTDPA

Madison Etherington, Gregory Szewczyk
Ballard Spahr LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Ballard Spahr LLP

On February 1, 2024, the Connecticut Office of the Attorney General (“OAG”) submitted to the Connecticut General Assembly its report on the first six months of the Connecticut Data Privacy Act (“CTDPA”).  While the report includes important information about its enforcement efforts to date, the most noteworthy aspect may be its recommendation to the legislature to remove various exemptions from the CTDPA. 

The report notes that the OAG has received more than thirty consumer complaints in the first six months of the CTDPA, which went into effect on July 1, 2023, many of which involved consumers’ attempts to exercise their new rights.  The OAG noted, however, that around one-third of the complaints involved data or entities that were exempt under the CTDPA. 

With respect to enforcement, the report provides summaries of four different areas:  privacy policies, sensitive data, teens’ data, and data brokers.  The report notes a different types of enforcement activities for each, but two are worth highlighting.  First, the report notes that the OAG is actively reviewing companies’ privacy policies to assess compliance, resulting in the issuing of ten cure notices on the topic.  Clearly, companies subject to the CTDPA should ensure that their public facing documents are at least facially sufficient. 

Second, the report notes that it has sent a cure notice to “a popular car brand” based on reports that its connected vehicles may be collecting sensitive personal data.  This focus on sensitive data is in line with what we have seen from other regulators, such as Colorado.  But, it also demonstrates that public reports on privacy issues can direct regulators to focus on specific industries.

Finally, the OAG makes several legislative recommendations.  One such recommendation is to scale back entity-level exemptions, specifically the non-profit, GLBA, and HIPAA exemptions.  The OAG also recommends adding a right to know specific third parties with which controllers share personal data, similar to the Oregon law that goes into effect later this year. 

Overall, the OAG’s report shows that regulators across states are taking generally similar approaches to enforcement, which appears to include a component of looking at companies’ privacy policies and opt-out mechanisms as an initial check on compliance.  Businesses should expect more of the same, and they would be wise to update accordingly. 

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP
Ballard Spahr LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Ballard Spahr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide