The Cost of Ignoring Privacy Rights

The Attorney General in Connecticut announced a settlement with an organization for continued violations of the Connecticut Data Privacy Act[1] (“CTDPA”). In a settlement with TicketNetwork, the Connecticut AG reported that it had sent a cure notice in November of 2023 to the company, which provided that the company’s privacy policy “was largely unreadable, missing key data rights, and contained rights mechanisms that were misconfigured or inoperable.”[2] The cure notice allowed TicketNetwork until January of 2024 to repair the deficiencies.

According to the AG’s office, TicketNetwork repeatedly represented to the AG that the deficiencies had been resolved, when in fact they had not. The AG also represented that the company failed to follow-up with timely communications.

The AG publicly announced that it has conducted sweeps of privacy policies and issued over two-dozen cure notices since the enactment of the CTDPA, but TicketNetwork was the only organization which failed to cure the identified issues. In the settlement, TicketNetwork agreed to pay the Connecticut AG’s office $85,000 as a fine.

The Connecticut AG’s office noted that since the inception of the CTDPA they have received dozens of complaints which can be summarized in the following categories:[3]

Lacking disclosures;
Inadequate disclosures;
Confusing disclosures;
Lacking rights mechanisms;
Burdensome rights mechanisms; and
Broken/inactive rights mechanisms (e.g., non-working links or dead-end mechanisms).

In addition to the complaints received, the AG’s office has issued dozens of cure notices. The AG specifically noted that companies were able to cure the issues by taking the following actions:[4]

Incorporating the CTDPA and specific mention of all of its consumer data rights;
Incorporating, bolstering, or fixing consumer rights’ request mechanisms, including adding clear and conspicuous links to opt out of targeted advertising and the sale of personal data;
Incorporating and enhancing disclosures regarding the requisite consumer appeal process; strengthening disclosures concerning the processing and sharing of personal data, including sensitive data;
Reformatting privacy notices into a dedicated webpage with clear spacing, typeface, and type size;
Removing language limiting consumers’ rights to access or to request a copy of their personal data only to data collected within the last twelve months, where no such limit exists in the CTDPA (or several other state data privacy acts for that matter);
Removing language implying a limit to the number of times a consumer may exercise certain data rights;
Removing language implying that the company will charge consumers for the exercise of data rights by default, as opposed to only for manifestly unfounded, excessive or repetitive requests; and
Removing conflicting language in privacy notices (i.e., where a company stated they did not process data for sale whereas other disclosures indicated that such sales were occurring).

As states have had privacy laws on the books for several years, AG offices are beginning to enforce their requirements. The AGs of Connecticut, California, and other states have been warning companies that they will be searching for offenders and seeking to enforce these acts. Connecticut, in particular, required the AG’s office to allow the company sixty-days (60) to cure the deficiency, but that requirement expired on January 1, 2025.[5] The AG is no longer is required to provide a cure period for companies.

If your company receives a notice of deficiency concerning privacy rights (from any state AG):

Do not ignore the letter;
Work with a website development team to fully understand the data being captured and the options provided to the website visitors;
Work with your privacy team to understand and implement the rights afforded to the visitors under their respective state law; and,
Consult with a privacy attorney to discuss a proper response to ensure compliance with the applicable state laws.