Privacy Daily is a service of Warren Communications News.
More Than Transparency

Connecticut Will Increase Enforcement Focus on Privacy Mechanisms, Assistant AGs Say

The Connecticut attorney general's office is shifting from focusing on transparency and facial requirements to more in-depth work, examining whether organizations' privacy mechanisms are working and in compliance, three assistant attorneys general said during an IAPP KnowledgeNet event Tuesday.


Assistant Attorneys General Jordan Levin, Laura Martella and Kileigh Nassau were the speakers.

Levin said the office will focus on universal opt-out provisions and mechanisms such as cookie banners. The banners must “facilitate the right to opt out of tracking” for targeted ads, not “undermine or even override” consumer ability to exercise their rights. A common example of a cookie banner undermining rights, he said, is when the opt-in ‘I agree’ button is prominent on a banner, but users must click through multiple links and/or manually toggle off tracking in order to opt out.

However, he and Nassau said the office also understands that sometimes mechanisms are buggy or break. “A company being able to show best efforts” to fix what is broken is a good defense and helps prove compliance, Levin said.

But the cure period under the Connecticut Data Privacy Act (CTDPA) is over now, Martella noted, and "now our office has started to issue notices of violation." The first settlement under the Act was announced earlier this month against online marketplace TicketNetwork, after it received more than two dozen cure notices, but failed to make necessary changes (see 2507080010 and 2507110003).

Nassau said the omnibus bill, SB-1295, which passed the legislature and was signed into law in June, provides insight on privacy priorities and trends. Containing multiple amendments to the CTDPA, it becomes effective July 1, 2026 (see 2506050004 and 2506260005).

For example, Nassau noted, it includes lowering the applicability threshold for businesses to those that process the data of 35,000 state residents and amending the law to apply to any business that processes sensitive data or sells data. “A comprehensive set of data elements” that other states have added since the CTDPA’s passage has also been added to the definition of sensitive data, such as neural data, financial data and an individual’s status as nonbinary or transgender.

Privacy protections for adolescents under the amendments will apply to anyone younger than 18, not 16, and there is a ban on “design features that are aimed at keeping minors addicted to online services,” she said. There are key changes related to profiling and carve-outs included in the amendments that organizations should be aware of, Nassau said.

Martella said other states are considering these areas, too, noting some have even hired technologists who can “really look under the hood and test to see if these opt-out processes are working.”

It’s one thing to check if you have an opt-out link in a privacy notice that consumers can click, and another to see what goes on in the background when that happens, she said. Regulators are starting to look deeper, and “you're going to see more of that as a trend going forward.”

Office priorities will change and expand as more privacy concerns come to light, and legislation is passed, said Levin. Inputs from consumer advocacy groups and consumer complaints help the office learn about new privacy concerns, he added.

Since the CTDPA went into effect in 2023, the AG has released two enforcement reports, most recently in April (see 2504170021). Martella said the reports promote transparency and “address compliance.”