TicketNetwork Must Update Privacy Policy Under $85K Settlement with Connecticut

The online marketplace either failed to respond to letters from the AG or wrongly said updates were made; in one instance, the AG even "identified additional alleged deficiencies, including that the hyperlink to opt-out of the sale of personal data -- a mechanism required under the CTDPA -- was not operational," according to the settlement agreement, which the AG's office sent to Privacy Daily.

Connecticut's privacy law "gives consumers powerful baseline rights, including the right to access, correct, and delete personal data stored and collected by businesses, and the right to opt-out of the sale of personal data and targeted advertising,” Tong said in a news release. “Covered businesses must maintain clear privacy notices that describe these rights."

The AG said more than 24 cure notices were sent during four separate sweeps addressing privacy deficiencies, and that TicketNetwork repeatedly said it had fixed the issues when it hadn't.

Tong said his office sent its first cure notice to the company in November 2023, regarding privacy issues. TicketNetwork did not fix its privacy notice within the 60-day window to cure.

That notice identified "certain facial deficiencies" in the company’s "public-facing privacy notice, including that TicketNetwork had failed to include any mention of the CTDPA and gave the misimpression that many important data rights were exclusive to California residents," the settlement agreement said.

In addition to the monetary fine, TicketNetwork must comply with CTDPA requirements, keep metrics on consumer rights requests received under the Act, and provide a report of these metrics to the AG.

The company said in a statement Tuesday that the “agreement focuses on the format of TicketNetwork’s online privacy policy -- making that policy easier to locate and understand for consumers.”

The online marketplace said some updates now on its website include a dedicated Privacy Policy page that is separate from other legal disclosures, a streamlined consumer rights center to make it easier to submit and appeal requests under the CTDPA, and prominent links allowing users to opt-out of the sale of their personal data or targeted ads. It also increased the font size used in the notice, reduced paragraph length and gives clear section headings to make its privacy notices more readable.

“These enhancements underscore TicketNetwork’s ongoing commitment to transparency and user-friendly communications,” the company said.

Dickinson Wright attorney Greg Ewing said in a LinkedIn post Tuesday that “while the amount paid is relatively small,” the settlement is “a cautionary tale.” The deficiencies highlighted in TicketNetwork’s privacy policy “are issues that any company can fix," he said. “And almost any company can fix [them] the first time for FAR less than $85K and the costs of responding to an investigation."

In another LinkedIn post, Glenn Mills, founder of business consulting service Cover Compliance, called the enforcement action a “parable” filled with advice.

“Your public website privacy notice is indeed PUBLIC,” he said. “So: It represents the easiest point of reference for complaints about your practices, the easiest starting point for an investigation into your privacy failings, and the easiest thing to get right in terms of your actual privacy practices. That is, IF your notice simply reflects your actual practices AND you have made an effort to know and fulfill all your applicable regulatory requirements.”

The CTDPA took effect in July 2023 (see 2402010041). Accordingly, Tong said, "There is no excuse for continued non-compliance, and we are prepared to use the full weight of our enforcement authority to protect consumer privacy.”

This year’s legislative session voted to amend the privacy law, with updates set to take effect on July 1, 2026 (see 2506260005 and 2504170021).