Connecticut’s Data Privacy Act 2025 Enforcement Report

Key Takeaways

• Connecticut’s Data Privacy Act stands as a pioneer among the country’s most robust data privacy measures, with recent amendments significantly strengthening protections for minors.
• Over 60 violation notices and warning letters were issued to companies, with over 1,800 breach notifications cited in the 2025 Annual Enforcement Report, reflecting expanded enforcement across social media platforms, artificial intelligence products, and gaming apps.
• Recommendations for policymakers include a more precise definition of “publicly available information” to ensure full coverage, as well as removing exceptions to consumer data privacy laws for HIPAA-covered entities and non-profits.

What Happened

In 2022, Connecticut passed the Connecticut Data Privacy Act (CTDPA), which gives residents certain rights over their personal data and mandates various standards for data controllers regarding their responsibilities in protecting privacy. Policymakers are prioritizing the protection of kids online and have focused on companies that offer services to users under 18. The 2025 annual Enforcement Report outlined some recent amendments to the act, in an attempt to correct the issue of an excessive number of residents falling within legal exceptions. Attorney General William Tong released the annual report for 2025 in January, describing how the Office of the Attorney General is launching investigations into various platforms that may have exploited children’s sensitive data. This legislation stands as a pioneer among the country’s most robust data privacy measures.

Privacy and Governance Concerns

Expanded enforcement has been seen regarding the protection of minors, breach settlements, geolocation data, social media platforms, gaming apps, and artificial intelligence products. By the end of last year, the Office of the Attorney General had issued over 60 violation notices and warning letters to companies, citing over 1800 breach notifications in the past year. A few of the cases were settled in court for multi-million dollar payouts, but many others still remain under investigation. Attorney General Tong stated that “his office held companies accountable for delayed or inadequate data breach notices and for hiding consumer rights,” while reflecting his disappointment in organizations that have failed to take the proper actions. One of the common difficulties in regulating data privacy is the rapidly advancing technology that seems to always outpace legislative processes.

Why It Matters / Policy Considerations

One Connecticut senator described how “the harms from companion chatbots were not anticipated four years ago when the original bill passed,” but also stated that he has hope for “working together with the Attorney General…to help rein in the harmful aspects of chatbots so [they] can see the true benefits this technology promises.” Within the 2025 CTDPA report, recommendations to the state legislature include a more precise definition of “publicly available information” to narrow its scope and ensure full coverage, as well as urging the omission of exceptions to consumer data privacy laws for HIPAA-covered entities and non-profits.