No More Warnings: Ignoring AG Costs $85,000
Connecticut Attorney General William Tong recently announced the state’s first-ever enforcement settlement under the Connecticut Data Privacy Act (CTDPA) with TicketNetwork, Inc., an online ticket marketplace. The settlement resulted from repeated warnings and notices to cure that the AG found that TicketNetwork failed to complete.
What Led to the Settlement:
Until January 1, 2025, the CTDPA provided businesses with a cure period of 60 days after a notice of violation from the Attorney General’s office. According to the settlement agreement, the initial cure notice was sent to TicketNetwork on November 9, 2023, flagging major deficiencies in the company’s privacy notice. In particular, the AG’s office alleged that the privacy notice was “largely unreadable,” missing disclosures of consumer data rights, and “misconfigured or inoperable” opt-out and data rights mechanisms. The AG’s press release stated that the company “repeatedly represented that they had resolved deficiencies when they had not done so, and failed to timely respond to follow-up correspondence.”
Under the settlement agreement, TicketNetwork has agreed to pay $85,000, implement full compliance with CTDPA requirements, and collect and report to the AG’s office on metrics relating to consumer rights requests.
“This law has now been in effect for two years. There is no excuse for continued non-compliance…”
--Attorney General William Tong
Takeaways for Businesses
- Audit Privacy Notices Regularly
Ensure clarity, readability, and accurate listing of CTDPA-specific rights—access, correction, deletion, and opt-out rights. - Test Consumer Rights Mechanisms Thoroughly
Validate that consumer request channels and opt-out tools work correctly and logs are maintained. Even if you have outsourced these functionalities to a third party, test them frequently. - Stay Current on Legal Changes – Follow Mintz Consumer Privacy Law!
CTDPA has already been amended (2023), with significant updates forthcoming by July 1, 2026—update policies proactively. - Prioritize Prompt Compliance
Non-compliance with notices from a regulatory authority can lead to immediate penalties. Ensure that such notices do not end up in “dead end” email boxes that are not regularly monitored (e.g. [email protected]). If your company receives a notice of violations, act quickly.
This settlement marks a significant moment in state-level privacy enforcement. Connecticut’s Attorney General is demonstrating readiness to deploy enforcement tools when necessary, signaling to businesses that robust data privacy compliance is no longer aspirational—it’s mandatory. Understand what state privacy laws apply to your business and check out your privacy notice today. If it hasn’t been updated in 12-18 months, it’s time for a review to avoid a notice of violation.
Author
