Bad Medicine: 5 Lessons from the Connecticut AG's Report on CTDPA Cure Notices

On February 1, 2024, the Connecticut Office of the Attorney General (“OAG”) issued a Report to the General Assembly’s General Law Committee (“Report”), summarizing the OAG’s enforcement efforts during six months since the Connecticut Data Privacy Act (“CTDPA”) became effective. As a reminder, Connecticut was the fifth state to pass a comprehensive consumer privacy law, which took effect on July 1, 2023.

As we previously noted, the CTDPA includes a qualified right to cure alleged violations of the law until January 1, 2025, so that the OAG must, before initiating an enforcement action, issue a notice of violation to the controller if the OAG “determines that a cure is possible.” The OAG can then bring an enforcement action if the violation is not cured within 60 days. The Report describes key takeaways and common themes from the cure notices that the OAG has sent to covered businesses to date.

The Report reveals several practical steps that companies can take to avoid scrutiny from the OAG.

  1. Prioritize posting a clear, accurate, and compliant privacy policy.

Posting a deficient privacy policy on your company’s website is a common “own goal” in the privacy arena. The Report confirms that “after the CTDPA took effect, the OAG began reviewing companies’ privacy policies and the functionality of consumer rights mechanisms[.]” The Report identifies the following common privacy policy deficiencies:

  • Failing to describe consumers’ rights under the CTDPA;
  • Including some but not all required disclosures of consumers’ rights (e.g., excluding a statement about consumers’ right to appeal the controller’s decision on a consumer request);
  • Making confusing statements, such as by creating the impression that consumers may be charged for rights requests;
  • Lacking a mechanism for consumers to opt out of targeted advertising or sales of their personal data;
  • Using broken or inactive links as the mechanisms for consumers to exercise their rights.

Companies covered by the CTDPA should thus focus on ensuring that their public-facing privacy policy is updated to account for the CTDPA’s content requirements, including by clearly describing how consumers may exercise all of their rights under the CTDPA and providing functional mechanisms for consumers to exercise those rights.

  1. Focus on fulfilling individual rights.

Another key takeaway from the Report is that unsuccessful attempts to exercise individual rights are a key source of CTPDA-related complaints to the OAG. The Report states that among the 30-plus complaints it investigated “many involved consumers’ attempts to exercise new data rights under the CTDPA, and primarily, the ‘right to delete.’”

If your company is covered by the CTDPA, therefore, you should make sure you have processes in place to respond to individuals’ request to fulfill their rights under the law, including the right to:

  • Confirm whether a controller is processing the consumer’s personal data;
  • Access such personal data;
  • Correct inaccuracies in the consumer’s personal data;
  • Delete personal data provided by, or obtained about, the consumer;
  • Obtain a copy of the consumer’s personal data in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance.
  1. Prevention is the best medicine. Aim to stay off the OAG’s radar by responding to consumer complaints and mitigating the risk of data breaches.

The Report reveals that along with consumer complaints, the other key driver of OAG investigations under the CTDPA is data breach reports received by the OAG’s office under Connecticut’s breach notification law. Companies should therefore seek to avoid both flavors of attention-grabbing events

As for consumer complaints, the Report notes that “even a single complaint could ultimately lead [the OAG] down a path to enforcement.” As such, companies should make sure consumers are offered clear mechanisms for exercising their rights under CTDPA, and make it easy for consumers to contact the company if they have questions or concerns. Especially if your company is in the business-to-consumer space, you’ll want to consider dedicating resources toward intake and response, and ensure your staff are trained to recognize privacy-related requests and respond appropriately.

On the breach notification front, the Report recounts an instance where a company reported a data breach to the OAG under Connecticut’s data breach notification law. In response, the OAG issued an inquiry letter to the company in which the OAG sought information about the breach, but also included questions focused on the company’s compliance with the CTDPA. The lesson here is clear: stay out of the spotlight by working to avoid data breaches, and be prepared to answer questions about your CTDPA compliance if you experience a breach that requires notification to the OAG.

  1. If you’re collecting sensitive data, implement opt-in consent and be prepared for regulatory scrutiny.

The Report states that since the CTDPA went into effect, the OAG has “focused on matters raising concerns regarding the collection of sensitive data,” and recounts four examples of instances when the OAG has investigated the data privacy practices of companies that collect or process “sensitive data,”  The Report reiterates that under the CTDPA, businesses must obtain Connecticut residents’ opt-in consent before processing this data, which includes genetic, biometric, precise geolocation, and consumer health data, as well as data collected from a known child.

If your company is covered by CTDPA, you should thus carefully assess whether you are collecting or processing data types that could be considered sensitive data. If you are, the CTDPA prohibits you from processing such sensitive data without obtaining the individual’s opt-in consent, which must be:

  • a clear affirmative act,
  • signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of sensitive data related to the consumer,
  • which may not be obtained by acceptance of general or broad terms of use or similar document, or through use of dark patterns.

Note also that if you have already implemented an opt-out mechanism for consumers to opt out of the sale of data or targeted advertisements, that mechanism will likely not be sufficient to address the CTDPA’s stringent opt-in requirement for the processing of sensitive data.

  1. Watch out for a possible future expansion of the CTDPA’s applicability.

In its closing remarks, the Report implores the Connecticut legislature to broaden the CTDPA’s applicability to cover more companies doing business in Connecticut. In particular, the OAG noted that at least six of the thirty complaints it received from consumers related to companies that were covered by entity-level exemptions, and a handful of other complaints related to data that were exempt for other reasons like the CTDPA’s exemption for publicly available information. The Report requests the legislature to eliminate entity-level exemptions like the GLBA, HIPAA, and nonprofit exemptions, arguing that data-level exemptions are more appropriate. If the legislature amends the CTDPA to eliminate or limit entity-level exemptions, then the CTDPA will apply to more companies that are not currently covered.

*             *             *

If you have questions about complying with the CTDPA, or any of the state comprehensive privacy laws, please contact any member of the Wyrick Robbins Privacy and Data Security team.