The Connecticut Attorney General (AG) has agreed to an $85,000 settlement with online events marketplace TicketNetwork after finding that the company’s privacy notice failed to meet the transparency requirements of the Connecticut Data Privacy Act (CTDPA).
Here’s a look at the background to this case and how to create a CTDPA-compliant privacy notice:
- The AG’s privacy notice sweep
- TicketNetwork’s cure notice
- The problems with TicketNetwork’s privacy notice
- Mandatory information in a CTDPA privacy notice
- A new era of state-level enforcement
The AG’s privacy notice sweep
In a report published one year after the CTDPA took effect, the AG said his office had begun proactively “reviewing companies’ privacy policies and the functionality of consumer rights mechanisms under the CTDPA.”
Businesses covered by the CTDPA must tell consumers about their privacy rights under the law, including via their privacy notices.
In this February 2024 report, the AG identified that businesses were failing to meet their obligations in the following ways:
- Lacking disclosures (e.g., failure to incorporate notice of consumer rights under the CTDPA at all).
- Inadequate disclosures (e.g., failure to sufficiently inform residents about their rights or how to appeal denials).
- Confusing disclosures (e.g., creating the impression that consumers would be charged for rights requests by default).
- Lacking rights mechanisms (e.g., failure to include a clear and conspicuous link to opt out of targeted advertising or data sales).
- Burdensome rights mechanisms (e.g., mechanisms that did not account for how consumers normally interact with the company).
- Broken or inactive rights mechanisms (e.g., non-working links or dead-end mechanisms).
At that time, the AG said his office had issued ten “cure” notices to businesses, offering them a 60-day period to address any CTDPA violations before facing legal action.
Since then, the AG has reportedly conducted four further enforcement sweeps, each specifically targeting companies’ transparency efforts. In a press release announcing the TicketNetwork settlement, the AG reported having issued “over two dozen” cure notices in total.
TicketNetwork’s cure notice
TicketNetwork was among the 24+ companies that received a cure notice from the AG’s office. But it was the only company that failed to act on that notice by fixing its allegedly unlawful privacy notice.
“TicketNetwork is the only entity that repeatedly represented that they had resolved deficiencies when they had not done so, and failed to timely respond to follow-up correspondence. Nearly all other companies took prompt steps to come into compliance.”
Notably, since January 2025, the CTDPA no longer requires the AG to offer a “cure period” to businesses accused of violating the law.
This means that the AG can bring enforcement action at any time, without warning.
The problems with TicketNetwork’s privacy notice
The AG has not released full details of the TicketNetwork settlement, but in a press release, he said the notice:
- Was “largely unreadable”
- Missed “key data rights”, and
- Contained “rights mechanisms that were misconfigured or inoperable”
The CTDPA requires businesses’ privacy notices to be “reasonably accessible, clear, and meaningful” and to provide a “secure and reliable means” for consumers to exercise their CTDPA rights.
Now let’s look in more detail at what a CTDPA-compliant privacy notice must contain.
Mandatory information in a CTDPA privacy notice
The CTDPA requires controllers (businesses covered by the law that decide how and why to process personal data) to provide the following information in their privacy notices:
- The categories of personal data they process
- Their purposes for processing personal data
- How consumers may exercise their consumer rights, including how a consumer may appeal the controller’s decision
- The categories of personal data they share with third parties, if any
- The categories of third parties, if any, with which they share personal data
- An active email address or other online mechanism that consumers can use to contact the controller.
Controllers must also provide a “clear and conspicuous link” on their website allowing consumers to exercise their rights under the CTDPA, which include obtaining a copy of their personal data, deleting or correcting their personal data, and opting out of targeted advertising.
A new era of state-level enforcement
We’ve now seen enforcement of comprehensive state privacy laws in California, Texas, and Connecticut.
With around 20 states having passed such legislation, businesses should take proactive steps to ensure compliance and avoid the sort of enforcement action faced by TicketNetwork.