Privacy Daily is a service of Warren Communications News.
'Strengthen This Important Law'

Conn. AG Recommends Tightening Exemptions in State's Data Privacy Act

The Connecticut Attorney General recommends that lawmakers bolster the Connecticut Data Privacy Act (CTDPA) by scaling back exemptions, lowering thresholds of applicability, strengthening data minimization provisions, clarifying definitions and increasing protections for minors’ data, the office said in a report. In addition, the report, released Thursday, recommends halting targeted advertising to children and teens and the sale of their personal data.


CTDPA went into effect in July 2023, the report from the office of Attorney General William Tong (D) noted.

“The CTDPA has become a model for states considering and passing comprehensive consumer data privacy laws, so it is imperative that the CTDPA be updated to provide a strong foundation for future legislation,” the report said.

One recommendation calls for reducing exemptions, including for Health Insurance Portability and Accountability Act (HIPAA) entities, the Fair Credit Reporting Act’s data-level exemption and the entity-level exemption for nonprofit organizations. “Various states have now passed laws without these exemptions -- the CTDPA’s wholesale carveouts not only put Connecticut residents at a disadvantage, but further impact the OAG’s ability to uphold the CTDPA’s protections and join forces with our sister states in their efforts to enforce consumer data privacy laws against large national entities,” the report said.

In addition, it recommends following Maryland’s law, limiting data collection to what is reasonable and necessary. “We cannot underscore enough the importance of these provisions -- in many cases, serious privacy and data security concerns could have been offset -- if not fully alleviated -- if companies had properly minimized the data they collected and maintained,” it said. “Unfortunately, the CTDPA’s current notice-and-consent model sets an exploitable standard” that “contravenes data minimization principles outright -- it allows businesses to collect data they simply do not need so long as it is disclosed in privacy notices that are often bulky, confusing, or worse, misleading.”

Tong also said the CTDPA's definitions need updates: some expanded, some narrowed. For example, sensitive data should “incorporate a comprehensive list of elements added by other states since the CTDPA’s passage,” including “Social Security numbers, government-issued identifiers, union membership, status as transgender or non-binary, income level or indebtedness, and neural data,” he said. On the flip side, "publicly available information" should be more narrowly defined.

In addition, the AG’s office said, “It has become more and more clear that targeted advertising to children and teens, and the sale of their personal data, should be banned,” and that “the ‘actual knowledge or willful disregard’ standard throughout the CTDPA is a weakness of the law.” The AG recommends altering the CTDPA to reflect Maryland’s law, prohibiting targeted ads if a company or business knows a user is a minor.

The report also mentioned that data breach notifications greatly increased in 2024, when the AG’s office received 1,900 notifications. That was up about 100 reports from 2023, 400 from 2021 and 2022, and 1,100 more than what was received in 2019. Moreover, consumer complaints continue to revolve around unsuccessful attempts to exercise data rights.

The report also noted several settlements “setting robust data security and privacy expectations” within the past year, including “with Marriott after an investigation into a large multi-year data breach of one of its guest reservation databases.” Connecticut led the 50-state coalition of attorneys general against the hotel chain. “Under the settlement, Marriott agreed to strengthen its data security practices using a dynamic risk-based approach, provide important consumer protections, and make a $52 million payment to the states,” said the report.

An initial report was released in Feb. 2024 covering the first six months of CTDPA enforcement (see 2402010041). Thursday's updated report covers the 2024 calendar year. “As the 2025 Enforcement Report is released, it's clear that Connecticut's commitment to data privacy is not just about safeguarding personal information—it's about protecting the dignity and autonomy of every resident,” said Sen. James Maroney in a press release from the AG’s office.

Tong said transparency and sensitive data processing are key parts of the CTDPA, but priorities have expanded as problematic practices are brought to his attention and as the legislature continues to pass privacy and data laws.

“Connecticut remains at the forefront of consumer data privacy,” Tong said. “Much remains to be done, including amending the CTDPA to provide stronger protections for Connecticut residents. We will continue to be transparent about our efforts to uphold and strengthen this important law.”