Key point: The Connecticut Office of the Attorney General issued the third annual enforcement report under the Connecticut Data Privacy Act, focusing on the office’s privacy and security efforts, consumer complaints, data breaches, and enforcement priorities.

The Connecticut Office of the Attorney General (OAG) issued its 2025 enforcement report under the Connecticut Data Privacy Act (CTDPA) last week. This is the third report since the CTDPA went into effect in July 2023. The report provides an update on (1) privacy-related consumer complaints, (2) data breach notice review and enforcement, and (3) enforcement efforts and priorities. Importantly, the OAG emphasized that protecting “kids online remains a topmost priority” and that it would continue to pursue investigations and enforcement actions focused on companies that offer online services, products, or features to consumers under 18.

In the report, the OAG also outlined recent amendments to the CTDPA, which will take effect on July 1, 2026. For more information regarding these amendments, see the recording of our webinar on 2025 Key Updates on State Privacy and AI Laws.

This article summarizes the OAG’s report and the positions the OAG takes on various issues. While the report highlights the OAG’s strong pro-consumer stance and illustrates the OAG’s expansive view of the CTDPA and its provisions, in breaking down the report, this article takes no position on the substance of those positions.

1. Consumer Complaints

The OAG indicated that it has continued to receive a steady stream of CTDPA complaints, many of which continue to claim that consumers experience difficulty exercising basic data rights — especially deletion rights. The OAG noted that businesses’ failure to monitor privacy email addresses hinders resolution of consumer complaints. Businesses are expected to monitor all mechanisms for exercising data rights — including communications from both consumers and the OAG.

The report also flags that a third of the complaints the OAG received involved allegations against entities that assert broad exemptions under the CTDPA. The OAG expressed concern about businesses, particularly people-search services and data brokers, relying on the “publicly available” data exemption. The OAG urged the Connecticut legislature to limit the exemption and to eliminate entity-level exemptions (including for HIPAA covered entities and non-profits) that are not contained in other state statutes.

2. Data Breaches

Data Breach Notices – Not Sufficiently Specific

The report notes the OAG received more than 60 complaints related to data breaches in 2025. According to the OAG, data breach notices frequently fail to explain to a consumer why they are receiving the notice. The report criticizes breach notices that fail to explain: (1) why a business has an individual’s data; (2) what information was compromised; and (3) how the entity is related to the data breach.

“Without Unreasonable Delay” – Means Early

More than 1,830 breach notifications were submitted in 2025. The OAG engaged with several companies and issued 63 warning letters to entities that were delayed in filing their breach notices. The statute requires companies to provide notice of a data breach without unreasonable delay, no later than 60 days after discovery. The OAG interprets the notice period as beginning to run the moment the company “becomes aware of suspicious activity.”

In November 2025, the OAG finalized a $105,000 settlement with a health care company where the entity did not report the data breach to the OAG until 14 months after the breach occurred.

Investigations and Recent Settlements

The OAG led or assisted state-specific or multistate investigations of large-scale breaches across several sectors and negotiated and entered into multiple settlements requiring robust data security and privacy governance controls, including:

(1) A dialysis provider required to implement a stringent information security program with new training and reporting obligations.

(2) A benefits administrator company required to maintain a comprehensive information security program and implement specific security safeguards including those related to enforcement of multifactor authentication, access controls, logging and monitoring, and risk assessment.

(3) A pharmaceutical business and its parent company required to strengthen their data security practices and maintain a comprehensive incident response plan that includes notification of next of kin if an impacted individual is deceased.

(4) An education technology provider required to strengthen its cybersecurity practices.

3. General Enforcement and Takeaways

Privacy Notices

The OAG has continued to sweep companies’ privacy notices to determine whether consumers have clear notice of data collection, data usage, and consumer rights. In July 2025, the OAG announced its first settlement with an online ticketing platform, over the company’s alleged failure to update its privacy notice more than a year after receiving a notice to cure. The OAG emphasized its intent to enforce the CTDPA’s privacy notice requirements.

Opt-Out Rights and Deceptive Patterns

The OAG noted that it has also broadened its enforcement efforts to focus on the CTDPA’s prohibition of “deceptive designs” or “dark patterns.” The OAG has signaled that it is paying close attention not only to what companies say in their notices, but how they present choices through user interfaces, particularly in cookie banners and consent flows. The report found such design choices to undermine consumers’ ability to make informed choices about their data and clarified that deceptive patterns violate both the CTDPA and the Connecticut Unfair Trade Practices Act.

The OAG expects businesses to be transparent, allow user control, and use language that is clear and conspicuous to consumers. Specifically, the OAG is concerned where an option to accept all cookies is not symmetrical to its equivalent option to reject them. This issue arises when the option to reject is buried, consists of multiple steps, or is absent altogether. The OAG increasingly views such designs as manipulative, especially when they appear intended to nudge users into allowing more extensive data use than they would reasonably choose if confronted with balanced options. The OAG instead recommends companies configure cookies related to targeted advertising or sales to be set to “off” by default in their cookie management tools.

In addition, the OAG is focused on whether controllers “clearly and conspicuously” disclose processing of data for targeted advertising or sale and include a clear and conspicuous link on the webpage allowing users to opt out. The OAG acknowledges that the CTDPA does not define “clear and conspicuous,” but borrows guidance from the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising and its “Dot Com Disclosures” to interpret the phrase. The OAG is concerned that opt-out links buried in dense page footers without visual emphasis may not satisfy the CTDPA’s requirements. The OAG expects privacy choices to be prominent, understandable, and accessible without undue effort.

Universal Opt-Out Preference Signals

The OAG reaffirmed its focus on ensuring businesses honor consumers’ universal opt-out signals, such as the Global Privacy Control (GPC). The CTDPA’s requirement that businesses recognize such signals went into effect January 1, 2025, and in August 2025, the OAG announced an investigative sweep in conjunction with California and Colorado aimed at companies that are not complying with the universal opt-out requirement. Importantly, the OAG noted that businesses should process GPC signals as an opt-out across “all personal data,” not only data collected and shared via tracking technologies. The opt-out must also apply to all devices that a consumer uses to log into an account maintained by the business.
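The two points the OAG makes about GPC (the signal covers all personal data, and it follows the consumer to every device logged into the same account) have a direct implementation consequence: the opt-out has to be recorded against the account, not just the browser session that sent the header. The following is an added illustration, not code from the OAG report or from the authors. The header name `Sec-GPC` and value `1` come from the GPC specification; the request shape, the `OptOutStore` and the account ids are constructed assumptions for the example.

```javascript
// Added example: account-level handling of the Global Privacy Control (GPC) signal.
// "Sec-GPC: 1" is the header defined by the GPC specification; everything else
// (request shape, store, account ids) is a constructed assumption.

// True when the request carries a valid GPC opt-out signal. Header lookup is
// case-insensitive; only the exact value "1" counts, anything else is not a signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return typeof value === 'string' && value.trim() === '1';
    }
  }
  return false;
}

// In-memory stand-in for a persistent opt-out record keyed by account id
// (constructed; a real deployment would back this with durable storage).
class OptOutStore {
  constructor() {
    this.optedOut = new Map();
  }
  recordOptOut(accountId, source) {
    this.optedOut.set(accountId, { source, at: new Date().toISOString() });
  }
  isOptedOut(accountId) {
    return this.optedOut.has(accountId);
  }
}

// Evaluate one request. If a logged-in user sends the signal, persist the opt-out on
// the account so it applies on every device they use, not only the one that sent it.
// A visitor without an account is honored for this request only.
function processRequest(store, request) {
  const accountId = request.accountId || null;
  const signalled = hasGpcSignal(request.headers);

  if (accountId && signalled && !store.isOptedOut(accountId)) {
    store.recordOptOut(accountId, 'GPC');
  }

  const optedOut = signalled || (accountId !== null && store.isOptedOut(accountId));
  return { optedOut, persisted: accountId !== null && store.isOptedOut(accountId) };
}

// Gate for any processing the opt-out covers (targeted advertising, sale of personal
// data). Under the OAG's reading this applies to all personal data, not only data
// collected through tracking technologies.
function mayProcessForTargetedAds(store, request) {
  return !processRequest(store, request).optedOut;
}

// Constructed scenario: a consumer sends GPC from a phone, then logs in from a laptop
// whose browser sends no signal. The laptop must still be treated as opted out.
function runDemo() {
  const store = new OptOutStore();
  const phone = { headers: { 'Sec-GPC': '1' }, accountId: 'acct-42' };
  const laptop = { headers: {}, accountId: 'acct-42' };
  const anonymous = { headers: { 'sec-gpc': '1' } };
  const other = { headers: {}, accountId: 'acct-7' };
  return {
    phone: mayProcessForTargetedAds(store, phone),       // false
    laptop: mayProcessForTargetedAds(store, laptop),     // false (opt-out followed the account)
    anonymous: mayProcessForTargetedAds(store, anonymous), // false (honored per request)
    other: mayProcessForTargetedAds(store, other),       // true (no signal, no record)
  };
}

console.log(runDemo());
```

The design choice worth noting is the order of checks in `processRequest`: the persisted record is consulted even when the current request carries no header, which is what makes the opt-out device-independent. A value other than `1` (for example `Sec-GPC: 0`) is deliberately treated as no signal rather than as a revocation, so a device that does not send the header never silently undoes an earlier opt-out.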

Additionally, the OAG stated it has a robust team examining compliance and will continue to focus on enforcing the universal opt-out requirement.

Genetic Data

When a genetic testing and ancestry company filed for bankruptcy, the OAG intervened to ensure that the company’s genetic data would be protected and that data rights would be honored, and it filed a proof of claim on behalf of Connecticut residents. The OAG used this example to urge the legislature to adopt a genetic data privacy law similar to those enacted in other states.

Consumer Health Data

Ensuring compliance with consumer health data requirements continued to be a priority for the OAG in 2025. Under the CTDPA, consumer health data is “sensitive data,” and requires consumer consent before a business can process such data. In addition to special protections for “sensitive data” generally, the CTDPA also includes provisions specific to the use of consumer health data. These provisions apply broadly to any company that collects consumer health data and does business in Connecticut (the CTDPA’s traditional applicability thresholds do not apply to these consumer health data provisions). Under these provisions, companies must: (1) ensure employees or contractors are subject to a contractual or statutory duty of confidentiality before allowing access to consumer health data; (2) not provide processors with access to consumer health data unless proper contracts are in place; (3) not use a geofence around any mental health facility or reproductive or sexual health facility in order to identify, track, collect data from, or send a notification to a consumer regarding consumer health data; and (4) obtain consumer consent in order to sell, or offer to sell, consumer health data.

The OAG noted it is engaged in an ongoing investigation of a hormonal fertility tracker app/service. After testing the company’s app, the OAG found that the company’s privacy notice allegedly failed to account for the heightened protections required under the CTDPA. The OAG took the position that it is unlawful to process sensitive data without informing consumers about the heightened risks of harm, even when the consumer voluntarily shares consumer health data.

In 2025, the OAG also sent a notice of violation and inquiry letter to a large data broker regarding its disclosures and consent procedures for all “sensitive data” it processes, including consumer health data. The OAG emphasized the need for compliant data processing disclosures and consent procedures when processing sensitive data. Such compliance includes: (1) consent disclosures that identify what categories of sensitive data are collected, who it is shared with, and for what specific purposes; (2) opt-in consent procedures that allow for a freely given, specific, informed, and unambiguous affirmative act by the consumer confirming their agreement to the processing of their sensitive data; and (3) a mechanism for consumers to revoke their consent that is at least as easy as the mechanism through which the consumer provided their consent.

4. Minors’ Privacy Enforcement

The OAG repeatedly emphasized that protecting kids online is a top priority. Effective October 1, 2024, the CTDPA requires companies that offer online services, products, or features to minors (under 18) to obtain consent before: (1) processing a minor’s personal data for targeted advertising, profiling, or sale; (2) using a system design feature to significantly increase, sustain, or extend a minor’s time online; or (3) collecting a minor’s precise geolocation data. Covered companies must conduct risk assessments to understand and mitigate the potential risk of harm their services, products, and features could present to minor consumers before such services, products, or features are offered. Companies with minor audiences must also adopt safeguards for direct messaging tools used by minors and provide a signal to minors when their precise geolocation data is being collected.

Investigatory Efforts

The OAG reported that in 2025 it issued inquiry letters to three social media companies seeking information on how the companies complied with the CTDPA. Based on these interactions, the OAG advocated for stronger legislation, resulting in legislative amendments to the CTDPA that expand protections for minors’ personal data. These amendments, effective July 1, 2026, ban the processing of minors’ personal data for targeted advertising and sale, and the collection of precise geolocation data unless strictly necessary, eliminating the previous consent structure.

The OAG emphasized in this section that it is requesting data protection assessments as part of its investigations and will continue to do so. The report clarified the OAG’s expectation that companies conduct these assessments before engaging in a covered processing activity, not after the fact.

Messaging Apps

The OAG indicated it sent a notice of violation (NOV) and inquiry letter to a messaging platform provider, identifying alleged deficiencies in the platform’s privacy notice and opt-out practices. The report did not provide any detail on the outcome of the NOV. The OAG clarified its focus on understanding the steps companies take to determine whether and how their platforms are being used by minors, and what corresponding safeguards are in place to ensure minor safety.

Gaming Platforms and SDK Providers

The OAG sent an inquiry letter to a game provider. The office discovered that the provider’s mobile applications were allegedly collecting personal data of minors for targeted advertising. The office stated that companies cannot “willfully blind themselves to users’ age” and need to adjust their tracking technologies accordingly. The OAG also joined a multistate letter to a gaming studio, alleging deficient privacy notice and consent practices. Finally, the OAG revealed its investigation of a data broker that offers software development kits to app developers — including apps targeting minors — for potential violations.

AI Chatbots

Finally, the report expressed particular concern about artificial intelligence (AI) chatbots used by minors and highlighted Attorney General Tong’s participation in a bipartisan coalition of attorneys general demanding stronger safeguards from major AI companies. The OAG stressed that existing laws apply to the use of new technologies (including AI), but also called for standalone chatbot legislation to protect Connecticut residents, especially minors.

Shelby Dolen

Shelby develops and implements comprehensive privacy programs that are tailored to the specific needs of each client, helping them to remain compliant as privacy laws continue to evolve at the state, federal, and international levels. She is well versed in all U.S. state privacy laws, laws governing social media and children’s data, AI laws and regulations, and international data privacy laws, including the GDPR.

Marlaina Pinto

Marlaina advises clients on a broad range of privacy and data protection matters, drawing on experience in marketing technology. She provides strategic counsel on consumer data use and regulatory obligations under both U.S. state privacy laws and international data privacy laws, such as the GDPR.

Yulian Kolarov

Yulian advises on a wide range of privacy, security, and AI matters. He is also an experienced litigator and assists with all aspects of litigation arising out of state and international privacy regulations, website management, consumer reporting, and data collection techniques. Yulian closely tracks litigation trends and counsels clients on data governance and risk management under the CCPA, CIPA, VPPA, as well as other privacy protection statutes.

Laura Hamady

Laura serves as counsel in the firm’s Privacy + Cyber practice. She brings more than 15 years of experience in privacy and cybersecurity related matters. Laura is an industry-experienced privacy leader and has served in senior privacy leadership positions at a variety of large companies across various industry spaces, including Twitter, Visa, PayPal, Chronicle (a Google company), Groupon, Levi’s, Takeda Pharmaceuticals, and more.