It’s been six months since Connecticut’s massive data privacy law went into effect. In that time, the Office of Attorney General William Tong says it has received 30 complaints from the public and issued six violations to businesses that were not in compliance with the new regulations.

The Consumer Data Privacy Act (CTDPA), which was passed in April of 2022 and went into effect on July 1st of last year, attempts to offer consumers more control over the personal data collected by businesses online. Under the statute, businesses operating online would be required to be transparent about the way they use and protect customer data. They would also be required to allow customers to opt out of data collection and allow them to edit or delete their data if they want to.

It also provides the State Attorney General’s Office sole authority to enforce the law. During efforts to implement the law before July, the AG’s Office added two attorneys to its existing data privacy team. Funding provided to the department also allowed for additional hiring, but in a report issued Thursday to the General Assembly, office leadership admits they have had some trouble filling a position for a technologist under current job classifications.

The report also outlined how things have been going since the CTDPA went into effect. Among notable headlines, the AG’s office says they have issued a half dozen violation notices to companies that are non-compliant with the law. These notices do not carry punishments as of yet, as the CTDPA allows for a one-year curing period, during which the AG’s office notifies companies of violations and allows them to correct the issue.

Among these violations, the AG’s office sent a curing notice to a national cremation services company after one Connecticut resident complained that they had received an advertisement for cremation shortly after completing chemotherapy treatments. The office also issued a notice to the data broker who had provided the information to that company.

In other cases, the AG’s office issued notices to an app aimed at private messaging for teens for violating data privacy of minors, to stores and service providers using biometric data without appropriate consent, and to connected vehicle manufacturers for collecting additional sensitive data, also without appropriate consent.

Some of these notices were issued after the office received a complaint from a consumer in Connecticut. The AG’s office received at least 30 such complaints since the CTDPA went into effect, though the content of these complaints varied widely.

In addition to providing information on companies that had not yet complied with the state’s new privacy protections, the complaints also informed the AG’s Office of certain potential gaps in that protection. For one, the report outlines concerns that the law provides too many exceptions for certain types of businesses. The report specifies non-profits and any business covered by federal laws like the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA). Other states with similar laws (California and Oregon) do not exempt non-profits and limit exemptions to the specific data covered by the federal laws.

Additionally, the AG’s Office report urges the state’s General Assembly to create a more straightforward and streamlined ability to delete any collected data, to clarify protections for teens, and to expand the definition of biometric data.

Any and all of these provisions could come up for debate once the new General Assembly session gets underway on February 7th.


An Emmy and AP award-winning journalist, Tricia has spent more than a decade working in digital and broadcast media. She has covered everything from government corruption to science and space to entertainment...
