Connecticut AG Settles Claims Over Deficient Privacy Notice: 6 Key Lessons for Businesses that Collect and Use Consumer Data

While website privacy notices are now commonplace – and consumers might only skim them – a recent settlement highlights the importance of staying vigilant about complying with applicable consumer privacy laws. The Connecticut Attorney General recently reached an $85k settlement with a company whose privacy notice was deemed deficient under the state’s laws. How can you avoid the same fate? If your business is subject to state consumer privacy laws – and most companies are – failure to make sure your privacy notice complies with applicable law could lead to both monetary and non-monetary penalties. Here’s what led to the recent settlement and six steps you can take to ensure compliance.

What Happened?

• Settlement Details: The Connecticut Office of the Attorney General announced on July 8 that it had reached a settlement with TicketNetwork, Inc., a company that the AG had previously said was not complying with the requirements of the Connecticut Data Privacy Act (CTDPA). TicketNetwork agreed to pay $85,000 to resolve the dispute and also agreed to comply with the requirements of the CTDPA going forward. Additionally, the company said it would share data with the Attorney General about the consumer rights requests it received under the CTDPA.
• Time to Cure: Notably, the Attorney General had sent the company a CTDPA “cure notice” in late 2023 that flagged deficiencies in its privacy notice – and the company had 60 days to comply without penalty. Specifically, the AG alleged that TicketNetwork’s privacy notice was “largely unreadable, missing key data rights, and contained rights mechanisms that were misconfigured or inoperable.” The AG alleged that the company not only failed to resolve the deficiencies, in spite of representations that they had done so, but also failed to timely respond to correspondence from the AG to follow up on the cure notice.
• Focus on Compliance: The TicketNetwork settlement, as well as other cure notices, underscore the Connecticut AG’s commitment to holding businesses accountable for non-compliance with the CTDPA, and in particular, with its privacy notice requirements. Indeed, the Attorney General’s Office has sent out more than two dozen cure notices as part of four separate privacy notice “sweeps.”

6 Key Steps to Reduce Your Risk

Businesses that are subject to the CTDPA should review practices to ensure compliance with the CTDPA’s requirements, even if you are already compliant with other state privacy laws that have proliferated in the last few years. Here are six key steps you should consider taking now to reduce the risks of regulatory scrutiny.

1. Shore Up Compliance with the CTDPA

The Connecticut AG has warned businesses that further non-compliance with the CTDPA will not be tolerated: “This law has now been in effect for two years. There is no excuse for continued non-compliance, and we are prepared to use the full weight of our enforcement authority to protect consumer privacy.”

2. Review and Update Your Privacy Notices

Ensure your privacy notice properly discloses consumer rights, including the right to access, correct, and delete personal data stored and collected by businesses, and the right to opt-out of the sale of personal data and targeted advertising. Mechanisms for exercising those rights must work properly, with a process in place to ensure a timely response to consumer requests. Notably, in its settlement with TicketNetwork, the Connecticut AG asserted that the notice was “missing key data rights” and “contained rights mechanisms that were misconfigured or inoperable.” 

If your privacy notice was drafted at the inception of the CTDPA and has not been reviewed since, look at it again: the CTDPA has been amended twice already. The first amendment was enacted in 2023, and significant amendments made last month will take effect on July 1, 2026. All privacy notices should already be compliant with the 2023 amendments, and they must be compliant with the new amendments by July 1, 2026.

3. Do Not Assume That You Will Receive an Opportunity to Cure Deficiencies

Connecticut businesses are no longer entitled to advance notice and an opportunity to cure deficiencies in compliance with the CTDPA: beginning on January 1, 2025, the right-to-cure provisions under the CTDPA expired. The AG is no longer required to issue a cure notice before pursuing an alleged violation, which constitutes an unfair trade practice under state law.

4. Use Clear and Simple Language for the Privacy Notice

Another issue that the Connecticut AG raised was that the privacy notice was “largely unreadable.” While privacy notices address legal rights and obligations, you should avoid using excessive legal jargon to the extent possible and use clear, simple language to notify consumers about their rights and the mechanisms for exercising those rights. In addition, be as succinct as possible to help consumers locate the information they need to understand and exercise applicable rights.

Make sure privacy notices clearly indicate that Connecticut residents have rights under the CTDPA: earlier this year, in an April 17 enforcement report relating to the CTDPA, the Connecticut AG specifically noted that “companies must avoid language that creates ambiguities over whether Connecticut residents have data rights, or conversely, that create the false impression that Connecticut residents lack those rights.”

5. Check Your Cookie Banners

In its April 2025 enforcement report, the Attorney General’s Office stated that its next wave of enforcement efforts would focus on cookie banners in addition to privacy notices. It already has identified a number of cookie banners that allegedly undermined or even overrode consumers’ ability to make certain privacy choices, including the right to opt out of targeted advertising or the sale of personal data through the use of tracking technologies. In the fall of 2024, the AG issued a cure notice sweep aimed at addressing these practices and announced that it had identified additional companies for a second sweep.

The AG provided guidance that under the CTDPA, if a business uses cookie banners to permit a consumer to opt-out of some data processing, such as targeted advertising, the consumer must be provided with a symmetrical choice. In other words, it has to be as clear and as easy for the consumer to opt out of such use of their personal data as it would be to opt in. This includes making the options to accept all cookies and to reject all cookies visible on the screen at the same time and in the same color, font, and size. The AG has also said that whenever possible, the banner should either display each time the consumer accesses the site and/or the mechanism to update/change cookie preferences should be prominently displayed on the site so that the consumer has the means to update/change those preferences at any time.

6. Respond Promptly to Any Attorney General Inquiries

Businesses that receive inquiries should immediately engage experienced privacy counsel to help remedy the issue as quickly as possible and respond to any inquiry or charge with transparency and speed. 

Conclusion

Fisher Phillips will continue to monitor developments in this area and provide updates as warranted, so make sure you are subscribed to Fisher Phillips’ Insight System to get the most up-to-date information direct to your inbox. You can also visit FP’s U.S. Consumer Privacy Hub for additional resources to help you navigate this area. If you have questions, please contact your Fisher Phillips attorney, the authors of this Insight, or any member of our Privacy and Cyber team.