Biggest CTDPA Fines: Connecticut Privacy Enforcement Actions

Scott Dooley
Jan 21, 2026 · Last updated: January 1, 2026

The Connecticut Data Privacy Act took effect on July 1, 2023, making it one of the earlier US state privacy laws. Connecticut has been notably active in enforcement, issuing its first public fine in 2025 and publishing detailed enforcement reports.

How CTDPA Enforcement Works

The Connecticut Attorney General has exclusive enforcement authority under the CTDPA. Consumers cannot bring private lawsuits for violations.

The law originally included a cure period, which expired on December 31, 2024. Since January 1, 2025, the Attorney General can pursue enforcement immediately without offering a cure opportunity.

Violations are enforced under the Connecticut Unfair Trade Practices Act (CUTPA), with penalties up to $5,000 per willful violation.

Since January 1, 2025, businesses must also honor universal opt-out preference signals sent by Connecticut residents.

Notable Enforcement Actions

TicketNetwork, Inc. (2025) – $85,000

Connecticut’s first public CTDPA enforcement action targeted TicketNetwork, a Connecticut-based online ticket marketplace.

The Attorney General identified privacy notice deficiencies during the initial cure period and sent a cure notice in 2024. After follow-up correspondence, the AG determined that privacy notice shortcomings remained and identified new issues, including that the hyperlink to opt out of personal data sales was not operational.

The enforcement resulted in an $85,000 fine. The company was also required to collect metrics on consumer rights requests and share them with the Attorney General.

Source: Connecticut AG Office

Enforcement Reports

Connecticut publishes regular enforcement reports providing insight into the AG’s priorities:

Initial Report (February 2024): Covered the first six months of enforcement. The AG issued over a dozen cure notices and broader information requests, focusing on privacy policies, sensitive data, and teenager data processing.

Updated Report (2025): Covered calendar year 2024, providing additional detail on enforcement patterns and priorities.

These reports are available on the Connecticut Attorney General’s website.

2025 Legislative Expansion

In June 2025, Connecticut enacted SB 1295, expanding and clarifying the CTDPA. Changes taking effect July 1, 2026 include:

  • Lowered applicability threshold to 35,000 consumers (down from 100,000)
  • Additional requirements and clarifications

This expansion will bring more businesses under Connecticut’s privacy requirements.

Enforcement Focus Areas

Based on the TicketNetwork case and enforcement reports:

Functional opt-out mechanisms. The TicketNetwork case specifically cited a non-operational opt-out link. Opt-out mechanisms that exist but do not actually work are clear violations.

Privacy notice accuracy. Deficiencies in privacy notices were central to the TicketNetwork enforcement. Notices must accurately describe data practices.

Universal opt-out signals. Since January 2025, businesses must honor signals like Global Privacy Control. Non-compliance is easily detectable.

Teenager data. The AG has specifically mentioned teenager data as an enforcement focus in reporting.

What This Means for Your Organization

Connecticut’s active enforcement and public reporting demonstrate a commitment to privacy compliance. The end of the cure period in 2024 means violations discovered now can result in immediate penalties.

Businesses should:

  • Verify opt-out mechanisms actually function (not just exist)
  • Review privacy notices for accuracy and completeness
  • Implement Global Privacy Control support
  • Prepare for the lowered threshold taking effect July 2026

The $85,000 TicketNetwork fine shows Connecticut will pursue meaningful penalties for ongoing non-compliance.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.