Connecticut's TicketNetwork Settlement Signals Enforcement Crackdown, Privacy Pros Say

“Companies need to take care of the low-hanging fruit when it comes to spinning up and monitoring a privacy compliance program,” Dalton Cline, a Dentons privacy attorney, said in an email to Privacy Daily.

Cline contrasted the Connecticut settlement with a recent action in California against Healthline (see 2507010074). In that situation, the office of California AG Rob Bonta (D) is said to have conducted a relatively in-depth investigation. Cline said that probe monitored network traffic to determine what tracking technologies were used. It also reviewed publicly available documentation for cookies that Healthline used and checked the local storage of the browser, he said. In addition, investigators "contacted data brokers to exercise the right to access their personal data … to track disclosures.”

The Connecticut investigation was far more basic. There, the office of AG William Tong (D) "appears to have merely looked at [TicketNetwork's] privacy notice and tried to use the consumer rights mechanism,” Cline said. “That’s a much lower bar of technical sophistication, and yet it still resulted in a penalty of $85,000.”

In a statement the day of the ruling, TicketNetwork stressed that the action was aimed at "the format" of the company's online privacy policy, "making that policy easier to locate and understand for consumers” (see 2507080039).

In a July 9 blog post, Troutman Amin attorney Blake Landis said the settlement means “the gloves are officially off” for the state AG. The expiration of Connecticut’s cure period on Jan. 1 this year marked "the end of the 'warning phase' and the beginning of what appears to be a much more aggressive enforcement strategy.”

In addition, the settlement wasn't "just another regulatory slap on the wrist." Instead, it was "a statement," Landis said. "We are dealing with a deliberate signal that state attorneys general are shifting from education to enforcement, and companies that have been dragging their feet on privacy compliance can face real consequences.”

Timing also played a crucial role in the TicketNetwork situation, ZwillGen Law's Alexei Klestoff said. "TicketNetwork’s slow response appears to have driven the outcome," he said in an email. "The AG’s [settlement] press release made that clear: while most companies took prompt steps to comply, TicketNetwork repeatedly said it had resolved issues -- but hadn’t -- and failed to respond to multiple follow-ups."

Landis agreed. “You’re dealing with the state’s top legal enforcement officer, and you decide to ignore them?” he asked rhetorically. “It’s hard to imagine a more effective way to ensure you become the prime example that other companies can learn from.”

“This is where TicketNetwork sealed their fate," Landis added. "When the AG’s office reaches out to you, you need to take it seriously.” He continued, “This isn’t a routine regulatory inquiry. This is the chief law enforcement officer of your state telling you that you have a problem."

Instead, Landis said, TicketNetwork treated its dealings with the state as "optional, like a spam folder filter, [which] is a guaranteed way to escalate a fixable problem into a costly enforcement action.”

But in an emailed statement to us Friday for this story, the company said it was working with Tong on its issues. "TicketNetwork believed in good faith that it was working to address the AG's concerns and continued to work with their office to resolve the matter," a spokesperson said. "We look forward to continuing our commitment to data privacy and providing top level quality service for our customers."

Any Enforcement Is Big Enforcement

For Ben Winters, Consumer Federation of America director of AI and privacy, any enforcement of state privacy laws is "notable since there hasn't been enough in general.” But it’s especially notable, as here, “when it signals the first under a law,” he said. “It's important the laws are actively enforced, so behavior exactly like TicketNetwork is meaningfully deterred.”

However, Winters raised concerns about the "light penalty for truly unacceptable and illegal behavior." For him, the fine is "hard to even describe ... as a slap on the wrist.”

Winters blamed that on the CTDPA’s inclusion of a right to cure and lack of a private right of action. There “was a series of crystal-clear violations that the company had no interest in remedying, and lied to regulators about,” but it wasn’t resolved until more than 18 months after the first contact from the AG's office, he said.

“This is a key example of why the Connecticut model of privacy law is worse off for consumers, and tailor-made to make it easier for companies to evade meaningful consequences for breaking the law.”

Justin Kloczko, Consumer Watchdog tech and privacy advocate, agreed that an $85,000 fine “isn’t going to impact the company’s bottom line,” but “it’s a good start for privacy enforcement in the state and hopefully companies who might not be in compliance are taking note,” he said.

Connecticut enforcers should be applauded for addressing dark patterns, “which are subtle ways in which companies will lull you into not exercising your data privacy rights,” said Kloczko: That issue is not often litigated, he added. “Here, the company’s privacy notice appeared buried along with other company information. For data privacy rights to matter in the first place, people have to know about them, and burying them in an avalanche of text is one way to get consumers to stop caring.”

Just because the monetary penalty was modest doesn't mean the settlement wasn't severe in other ways, said Klestoff. For instance, it "imposes reporting obligations that go beyond what the Connecticut Data Privacy Act requires," he said. "It’s a reminder that when companies drag their feet with regulators, they may end up with stricter, ongoing obligations than what the law mandates."

TicketNetwork’s Many Issues

What makes the TicketNetwork matter "particularly significant is how isolated [its] failures were,” said Landis. “The Connecticut AG’s office conducted four separate privacy notice sweeps involving over two-dozen cure notices. Every other company except TicketNetwork took the hint and fixed their issues.”

Cline noted that, as of Wednesday, “TicketNetwork is still actually out of compliance!”

TicketNetwork's press release states that its "privacy notice was ‘missing key data rights,’” he said. “If I take a look at their privacy notice in the wayback machine, it appears that there was a really significant revision between December of 2024 and January of 2025,” but the most recent amendment to the CTDPA “was effective July 1, 2025.”

That amendment, SB-1295, “requires a privacy notice to have ‘a statement disclosing whether the controller collects, uses or sells personal data for the purpose of training large language models,’” as well as a right to “review automated legal or similarly significant decisions made on the basis of a profile created about the consumer,” he said. “With how fast the laws are changing, just because you were compliant last year doesn’t mean you are [compliant] now.”

Landis zeroed in on Tong’s press release. “That phrase ‘full weight of our enforcement authority’ [in the release] should make every privacy professional pay attention,” the lawyer said. “This isn’t the language of someone who’s planning to keep issuing warnings. This is the language of someone ready to start handing out real consequences.”

Klestoff added, "Substantively, what stands out is the AG’s focus on the readability of TicketNetwork’s policy, and the settlement’s prohibition of 'unnecessarily complicated language, including legal or technical jargon.'" This "standard is pretty squishy," he said, but it gives "the AG a future hook to require additional clarity."

How Companies Can Comply

Among the takeaways from TicketNetwork is that avoiding enforcement requires companies "to review their privacy notices not just [on] an annual basis, but when there is a change in legislation,” Cline said.

Landis concurred. “The most frustrating aspect of this case is how completely avoidable it was,” he said. “TicketNetwork had every opportunity to fix its problems without penalty." Initially, it had 60 days to fix its privacy notice. More months were added subsequently as the AG tried to work with TicketNetwork on a fix.

Instead of taking advantage of this grace period, TicketNetwork "continued to claim they’d fixed things that were still broken and ignored follow-up communications.”

Klestoff agreed. "The lesson there is to take regulatory inquiries seriously -- ignoring a regulator is almost never a good idea."

Luis Alberto Montezuma, a privacy consultant, said in an email that while it's "common for businesses to use privacy policies that comply with all U.S. states' consumer privacy laws, particularly the [California Consumer Protection Act], the CT decision indicates that a more tailored approach is necessary.”

“This settlement opens the door for organizations to customize their privacy policies according to each specific law," Montezuma said. This means they must ensure their privacy policies are not only comprehensive but also precisely aligned with the requirements of each state.”

Klestoff said this is "a growing trend: state AGs increasingly expect privacy policies to explicitly call out their own state’s laws and aren’t satisfied with statements that just reference 'applicable law.'”

Another takeaway from the settlement, Cline said, is that it demonstrates the importance of taking cure notices seriously. Tong “had allegedly already sent TicketNetwork a cure notice, and TicketNetwork allegedly continued to represent" that its "privacy notice was [compliant] even when the regulator was telling them it wasn’t.” As cure periods for states' comprehensive privacy laws "continue to expire across the nation, companies will start to receive comparatively fewer 'at-bats' to get compliance right.”

Winters said there’s “definitely an uptick of privacy enforcement now -- from all over the country with different authorities and different political makeups.” He pointed to the Healthline settlement and Nebraska’s lawsuit this week against GM/OnStar (see 2507080048). “As more laws go into effect and more AGs put forth strong cases about how violations are popping up, I expect more to follow suit. Action absolutely begets action, and it's critical to send an unambiguous signal to industry that the privacy laws are more than just words on a page.”

Landis added, “The question isn’t whether you’ll face scrutiny from your state’s attorney general.” Instead, "it's whether you’ll be ready when it happens" or you’ll be "a cautionary tale in a press release.”