The Connecticut Privacy Law 2025 Enforcement Report

The Connecticut Office of the Attorney General (OAG) released its Connecticut Data Privacy Act (CTDPA) 2025 Enforcement Report. This is the third annual report since the law went into effect in 2023. It includes information on privacy-related consumer complaints, data breach notices and enforcements, and the AG’s enforcement priorities. The report also outlines amendments to the CTDPA that will take effect on July 1st, 2026.

Consumer Complaints

The OAG has received nearly seventy consumer complaints over the last year. Many of the complaints revolved around unsuccessful attempts to exercise data rights, including the right to delete. The report notes that efforts to help consumers with data rights are often difficult due to businesses’ failure to have a privacy email or other methods for submitting complaints. The CTDPA requires businesses to promptly handle consumer privacy requests and maintain a privacy email that is checked regularly.

Twenty-two complaints involved data or entities that are potentially exempt under the CTDPA, specifically for “publicly available” records. The OAG is urging state lawmakers to narrow the definition of “publicly available information” so that people search sites and data brokers are fully covered under the law.

Data Breach Notices

The OAG received more than sixty complaints about data breach notices in 2025. The report states that many of the breach notices are too vague, failing to include information about:

  • Why the business has the consumer’s data
  • What information was compromised
  • How the impacted business has a relationship with the consumer (if not direct)

The OAG reviews every data breach notification it receives; there were more than 1,830 in 2025. In 63 of those cases, warning letters were sent because the impacted organization did not send the breach notification within the sixty-day window required by the CTDPA.

CTDPA Settlements

Notable settlements stemming from CTDPA violations include:

  • Omni Healthcare paid $105,000 for waiting more than fourteen months to report a data breach to the OAG.
  • Fresenius Medical Care Holdings agreed to pay $116,000 and implement a stringent information security program after a data breach exposed Social Security Numbers and health information.
  • WebTPA Employer Services paid $200,000 and agreed to implement additional security measures after a data breach.
  • After a data breach that impacted 5.8 million people, including 105,000 Connecticut residents, PharMerica paid $200,000 and agreed to maintain a comprehensive incident response plan and to strengthen its security practices.
  • TicketNetwork paid $85,000 after issuing a privacy notice that was hard to read, omitted key data rights, and contained inoperable rights mechanisms.

Enforcement Priorities

Along with privacy notices, the OAG will focus on enforcing these additional elements of the CTDPA:

Opt-out Rights and Deceptive Patterns

The OAG has conducted several sweeps flagging cookie banners that make the path to “opt-out” of targeted advertising or sale more difficult or time-consuming than the “opt-in” path. The CTDPA requires companies that provide an option to accept all cookies to also provide a reject all cookies option. The OAG encourages companies to make it easy for consumers to understand and exercise their data rights. An example they provide is having targeted advertising or data sales turned off by default.

The OAG will also focus on companies providing “clear and conspicuous” disclosures for targeted advertising or the sale of data. The CTDPA does not define “clear and conspicuous,” but the OAG says it will use the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising and its “Dot Com Disclosures” for guidance.

Opt-out and disclosure links must be easy to find on a webpage, not buried in the footer or the bottom of a page.

Universal Opt-Out Preference Signals

The CTDPA requires businesses to recognize universal opt-out preference signals indicating consumers want to opt out of targeted advertising and the sale of their personal data across all website activities. Global Privacy Control (GPC) signals should trigger an opt-out across all personal data, not just data collected and shared via tracking technologies. The opt-out must apply to all devices used to log into an account.
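As an added illustration (not code from the report or from CompliancePoint) of what honoring a GPC signal "across all personal data" and "all devices" looks like on the server side: the `Sec-GPC: 1` request header is the real signal defined by the GPC specification, while the in-memory account store, the purpose names and the function names are constructed for this example.

```javascript
// Honour a Global Privacy Control (GPC) signal account-wide, covering
// targeted advertising and sale rather than only cookie-based tracking on
// the browser that sent it. Example code, not the report's or a vendor's.

// Purposes the signal opts the consumer out of under the CTDPA (names are
// this example's own).
const GPC_OPT_OUT_PURPOSES = ["targeted_advertising", "sale"];

// Constructed in-memory store standing in for the real account database.
const accounts = new Map();

function getAccount(userId) {
  if (!accounts.has(userId)) {
    accounts.set(userId, { optOuts: new Set(), signalledFrom: new Set() });
  }
  return accounts.get(userId);
}

// The GPC spec sends the request header "Sec-GPC: 1". Node lower-cases
// header names, so look for "sec-gpc"; any other value is not a signal.
function gpcSignalled(headers) {
  const v = headers["sec-gpc"];
  return (Array.isArray(v) ? v[0] : v) === "1";
}

// Record the opt-out on the account so it follows the consumer to every
// device they log in from. A later request WITHOUT the header must not
// undo it: absence of a signal is not consent to resume targeting or sales.
function applyGpc(userId, deviceId, headers) {
  const acct = getAccount(userId);
  if (gpcSignalled(headers)) {
    GPC_OPT_OUT_PURPOSES.forEach((p) => acct.optOuts.add(p));
    acct.signalledFrom.add(deviceId);
  }
  return acct;
}

// Gate to call before loading an ad SDK or sharing data with a partner.
// Purposes not covered by the signal (e.g. fulfilling an order) still run.
function mayProcess(userId, purpose) {
  return !getAccount(userId).optOuts.has(purpose);
}
```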

Consumer Health Data

Protecting health data, which is considered “sensitive data” under Connecticut’s law, is a priority for the OAG. The CTDPA prohibits companies from:

  • Selling, or offering to sell, consumer health data without first obtaining the consumer’s consent.
  • Providing any processor with access to consumer health data without proper contracts in place, including requiring that the processor keep the data confidential.
  • Processing sensitive data, including voluntarily shared consumer health data, when companies do not inform consumers about the heightened risks of harm inherent to such processing.

Protecting the Privacy of Minors

The OAG states that protecting minors online is a top priority. The CTDPA prohibits:

  • The processing of a minor’s personal data for targeted advertising, profiling, or sale without consent.
  • Using a system design feature to significantly increase, sustain, or extend a minor’s time online without consent.
  • Collecting a minor’s precise geolocation data without consent. Businesses are required to implement specific safeguards for direct messaging tools and provide a signal to minors while collecting their precise geolocation data.

Connecticut requires businesses to conduct data protection assessments (“DPAs”) addressing the potential risks of harm to minors.

Highlighted areas of concern regarding the privacy of minors include:

  • Messaging Apps: OAG investigations have increasingly focused on whether messaging apps know about, or willfully disregard, the presence of minors on their platforms, how the platforms restrict the ability of adults to send unsolicited messages to minors, and how they obtain consent for the collection and use of minors’ precise geolocation data.
  • Gaming Platforms: Testing done on a game provider’s iOS and Android apps revealed the use of software development kits (“SDKs”) that are commonly used for targeted advertising. Companies may not willfully blind themselves to users’ age and must adjust their tracking technologies to account for the heightened protections afforded to minors under the CTDPA.
  • Chatbots: The OAG is investigating a chatbot platform over alleged harm to minors due to certain design features. Connecticut Attorney General Tong is also a part of a bipartisan coalition of 42 Attorneys General demanding more quality control and other safeguards over chatbot products. The OAG is calling for standalone, specific chatbot legislation to protect chatbot users, especially minors.

CTDPA Amendments

In 2025, Connecticut lawmakers passed the following amendments to the state’s data privacy law that will take effect on July 1st, 2026:

  • The applicability threshold was expanded to include businesses that: (i) process the data of more than 35,000 residents (down from 100,000); (ii) sell any personal data; or (iii) process any sensitive data.
  • The entity-level exemption for businesses covered under the GLBA was removed.
  • The definition of “sensitive data” in the law was expanded to include additional categories of data, including disability or treatment, status as non-binary or transgender, certain financial and government identifier information, and “neural” data.
  • Controllers will be expressly required to disclose in their privacy notices whether they collect, use, or sell personal data for the purpose of training large language models.
  • Connecticut residents’ right to opt out of profiling was expanded to include any automated processing.
  • Connecticut residents have the right to contest the result of profiling decisions.
  • Consumers will now have the right to access a list of specific third parties to whom a controller sells personal data.

The CompliancePoint team of privacy professionals can help your organization comply with all state data privacy laws. Contact us today at connect@compliancepoint.com to learn more about how we can help you.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.