Connecticut has passed a long list of changes to its privacy law, adding to the growing complexity of the patchwork of state privacy laws in the U.S.


Demonstrating that data privacy remains a priority for the state, Connecticut’s Attorney General William Tong recently released his 2025 privacy enforcement summary. These annual reports provide valuable insight into the thinking of state regulators when it comes to privacy law, something that is even more important given that Connecticut announced its first privacy fine in 2025.
Here are three unexpected takeaways from the 2025 Connecticut privacy enforcement report.
One of the more eyebrow-raising statements in the report is: “Companies must do more than the bare minimum in terms of complying with the CTDPA.” It then goes on to list things that businesses should do to enhance transparency and user control, including turning off targeted advertising and data sales by default.
It’s curious because bare-minimum compliance is still compliance, and while the report says businesses “must” do more (which, in legal terms, suggests a requirement), it follows up with several “should” statements. The CTDPA does not require opt-in consent for targeted advertising or data selling (unless it involves sensitive data), yet businesses should get consent anyway.
Is the CT Attorney General’s office pushing for a higher standard of privacy practice beyond what is required by the state’s data privacy law? In this same section, the report mentions that employing dark patterns in consent mechanisms and even opt-out processes could violate the state’s Unfair Trade Practices Act. When considered together, it suggests that the AG may be looking for creative ways to expand businesses’ data privacy obligations.
Like most state privacy laws, the CTDPA requires businesses to “clearly and conspicuously” disclose the fact that they engage in targeted advertising and/or data selling, along with a method for opting out. It has emerged as an almost universal practice among regulated businesses to include a “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link in the footers of their websites.
The Connecticut Attorney General appears to take issue with this practice, questioning whether opt-out links in the footer are prominent enough. To provide legal support for this, the report cites Federal Trade Commission guidance on whether a disclosure is clear and conspicuous, including that it should be “easily noticeable” and “unavoidable.” This suggests that the Attorney General thinks opt-out links should be at the top of the page or in a pop-up banner.
However, businesses may want to consider holding off before making any such changes. First, the FTC guidance cited is probably distinguishable as it relates to disclosures regarding endorsements and testimonials in advertising (which reasonably should be located near the endorsement/testimonial). Second, California’s CCPA regulations explicitly allow for an opt-out link to be located in a website’s footer; it seems unlikely that Connecticut will break with California’s accepted practices, especially without a clear legal mandate for doing so.
Given Connecticut’s extensive amendments to the CTDPA covering consumer health data, it may not be that surprising that it’s being given special attention. Still, it was interesting to learn that the state has multiple open investigations concerning health data.
The first involves an ongoing investigation into a fertility tracking app. The state’s contention is that, even when such sensitive data is collected voluntarily, it is unlawful unless the business informs the consumer that such processing presents a heightened risk of harm.
The other is an investigation into “a large data broker” regarding its processing of consumers’ sensitive data, including consumer health data. At issue is whether the data broker appropriately collected express consent from consumers, as opposed to relying on implied consent via its terms of use.
The most striking aspect of Connecticut’s latest enforcement report is that the Attorney General’s office is staking out aggressive positions on multiple fronts. Businesses trying to follow the rules cannot rely on a static reading of the law, and they must stay attentive to regulators’ priorities in order to avoid becoming entangled in disruptive and expensive investigations.
TrueVault brings privacy compliance within reach of businesses of all sizes. Within days, you can bring your company up to speed on years’ worth of privacy laws. We are constantly monitoring legislatures and regulators for changes to the law. When new laws are passed, old laws are amended, or enforcement cases are published, we incorporate those changes into our product at no extra cost.
Contact our team to learn how TrueVault can support your company’s privacy compliance.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.