HARTFORD, CT — Connecticut is ramping up investigations into digital data practices under its sweeping new privacy legislation, with state officials confirming multiple enforcement actions throughout 2024 under the Connecticut Data Privacy Act (CTDPA).
The report, released Wednesday by Attorney General William Tong, highlights a series of probes targeting companies across diverse industries—ranging from biometric service providers and connected vehicle manufacturers to anonymous teen messaging apps and retailers deploying facial recognition technology. These investigations were initiated in response to potential violations of residents’ data rights as outlined in the CTDPA, which took effect in July 2023.
“The Connecticut Data Privacy Act is one of the strongest consumer data protections in the country,” said Tong. “We are holding companies accountable for respecting the digital rights of Connecticut residents.”
Among the key investigations, the Attorney General’s Office scrutinized automotive manufacturers over connected vehicle data practices and reviewed palm recognition systems used by biometric services. Companies offering genetic testing and family history tools also came under scrutiny for potentially misusing sensitive health and lineage information.
Retailers and online platforms that rely on facial recognition or target teens with anonymous apps were warned about potential violations—particularly where consent and transparency mechanisms fell short.
The report underscores a growing concern over “dark patterns,” deceptive design features that manipulate users into giving up personal data unintentionally. Connecticut authorities noted specific cases where opt-out features were either buried or intentionally confusing, violating the CTDPA’s standards for consumer choice.
Enforcement teams also targeted companies for failing to provide clear privacy notices or for processing sensitive data without meeting the act’s heightened consent requirements.
To further bolster the law, the Attorney General recommended several legislative updates for 2025. These include eliminating entity-level exemptions, lowering thresholds that determine which companies must comply, and imposing stricter limits on how much data businesses can collect and retain.
“We’ve learned a lot in the first year of enforcement,” Tong added. “Now it’s time to fine-tune the law so we can better protect people from misuse of their data.”
The report signals Connecticut’s growing leadership in consumer privacy enforcement, echoing national calls for stronger digital protections amid rising concerns about surveillance, AI, and automated data tracking.
Residents and businesses can expect continued scrutiny, especially around the handling of biometric, genetic, and sensitive data categories.
For more details, the full enforcement report is available on the Attorney General’s website.
