Skip to content

Menu

Network by SubjectChannelsBlogsHomeAboutContact
AI Legal Journal logo
Subscribe
Search
Close
PublishersBlogsNetwork by SubjectChannels
Subscribe

Connecticut Attorney General Releases 2025 CTDPA Enforcement Report

By Libbie Canter, Lindsey Tonsager, Jayne Ponder & Rosie Moss on February 20, 2026
Email this postTweet this postLike this postShare this post on LinkedIn

The Connecticut Office of the Attorney General (“OAG”) issued an updated Enforcement Report (“Enforcement Report”) under the Connecticut Data Privacy Act (“CTDPA”). The Enforcement Report discusses the OAG’s enforcement actions in 2025 and suggests some areas of focus from the regulator, summarized below.

  • Data Breach Notices: The Enforcement Report states that the Attorney General’s office received 1,830 breach notifications in 2025 and issued 63 warning letters regarding companies’ alleged delays in providing notice after discovery of a data breach.  The Enforcement Report states that the “statutory notice period [] run[s] from the date the company becomes aware of suspicious activity, not the date it determines full impact to personal information.” However, the Enforcement Report does not discuss how to apply this principle in the context of specific factual circumstances, such as where there is suspicious activity of some sort of security event without reasonable belief that Connecticut resident personal information was affected. The examples of enforcement discussed in the Enforcement Report include three examples where businesses provided notice between fourteen months and four years after a breach occurred.
  • Opt-Out Rights: The Attorney General’s office notes that it was focused on cookie banners that “undermine or override consumers’ ability to make important privacy choices.”  For example, the Enforcement Report notes that it should not be more difficult or time-consuming to “opt out” of targeted advertising or sale than to “opt in.” Although the underlying CTDPA does not require that controllers invite consumers to “opt in” to the use of such technologies, the Enforcement Report also suggests that companies may want to do more than the “bare minimum” in terms of complying with the CTDPA. Notably, the Connecticut law does not require the use of a cookie banner to comply with the targeted advertising opt-out requirements.  
  • Universal Opt-Out Preference Signals: The Enforcement Report highlights that universal opt-out provisions are an enforcement priority, specifically referencing the joint enforcement and resources developed with regulators in Colorado and California.
  • Chatbots: The Enforcement Report states the Attorney General’s focus is on chatbots.  The Enforcement Report specifically reflects that AI “has progressed to the point where interaction with a chatbot can be indistinguishable from interaction with a human” and emphasizes that the state’s privacy, data breach, and unfair and deceptive practices statute apply to the use of chatbots.
Photo of Libbie Canter Libbie Canter

Libbie Canter is a member of the Communications & Media, Data Privacy and Cybersecurity, and Litigation Practice Groups. She represents and advises clients on matters before Congress and various federal agencies, including the Federal Communications Commission and the Federal Trade Commission.  She has…

Libbie Canter is a member of the Communications & Media, Data Privacy and Cybersecurity, and Litigation Practice Groups. She represents and advises clients on matters before Congress and various federal agencies, including the Federal Communications Commission and the Federal Trade Commission.  She has advised clients on a broad range of privacy issues, including data security breach matters, online and mobile marketing, and social networking policies for employers.  Her legislative work focuses on the areas of communications and media, privacy law, and cloud computing policy.

Read more about Libbie Canter
Show more Show less
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.

Read more about Lindsey Tonsager
Show more Show less
Photo of Jayne Ponder Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection…

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.

Read more about Jayne Ponder
Show more Show less
Rosie Moss

Rosie Moss is an associate in the firm’s Washington, DC office. She is a member of the Data Privacy and Cybersecurity Practice Group and the Technology and Communications Regulation Practice Group.

Rosie advises clients on a wide range of data privacy and technology…

Rosie Moss is an associate in the firm’s Washington, DC office. She is a member of the Data Privacy and Cybersecurity Practice Group and the Technology and Communications Regulation Practice Group.

Rosie advises clients on a wide range of data privacy and technology regulatory issues, including emerging artificial intelligence compliance matters. She assists clients in complying with federal and state privacy laws and Federal Communications Commission (FCC) regulations. Rosie also maintains an active pro bono practice.

Read more about Rosie Moss
Show more Show less
  • Posted in:
    Privacy & Data Security
  • Blog:
    Inside Privacy
  • Organization:
    Covington & Burling LLP
  • Article: View Original Source
LexBlog logo
Copyright © 2026, LexBlog. All Rights Reserved.
Legal content Portal by LexBlog LexBlog Logo