Data & Analytics

Connecticut AG says state’s data privacy law should be stronger

Connecticut Attorney General William Tong said lawmakers can go further to protect consumer data by making additions to the state's data privacy law.

By Keely Quinlan

April 18, 2025

Listen to this article

0:00

This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.

Connecticut Attorney General William Tong speaks during a press conference on the Department of Government Efficiency (DOGE) at Manhattan Federal Courthouse on February 14, 2025 in New York City. (Michael M. Santiago / Getty Images)

In a report shared Thursday by The Connecticut Office of the Attorney General detailing its first year of enforcing the state’s comprehensive data privacy law, the office said the law should be made stronger by the state’s legislature.

The report’s recommendation, which included several additional actions that can be taken to bolster the data privacy protections offered under Connecticut Data Privacy Act, or CTDPA, follows a year of enforcement actions the office of Attorney General William Tong said it has taken.

The office said it’s issued dozens of enforcement actions, including sending “warning letters” or notices of violation; investigating consumer complaints; and tackling problematic uses of facial recognition technology by Connecticut retailers. While the office said “Connecticut remains at the forefront of consumer data privacy,” it added that steps can be taken to improve these types of protections.

“It is clear that there is much to be done, including amending the CTDPA to provide stronger protections for Connecticut residents,” the report concludes. “We will continue to be transparent about our efforts to uphold this important law.”

The law, which was signed in 2022 and took effect on July 1, 2023, made Connecticut one the of the first states to pass a “comprehensive” data privacy law, a term describing wide consumer protections. The law mandated the attorney general’s office give an update annually of its its work, and the office released its first report in February of 2024. Thursday’s report covers actions taken in 2024.

The CTDPA has been critiqued for its lack of teeth, however. A report published last February by the nonprofit Electronic Privacy Information Center and the research organization U.S. PIRG Education Fund evaluated the 14 state “comprehensive” privacy laws on the books for their efficacy, and gave Connecticut’s a D grade.

The AG’s office suggested scaling back exemptions of covered entities to include nonprofits, and strengthening protections for the data of minors. It also suggested legislators consider adding a data minimization requirement to the CTDPA. Data minimization is a practice advocated for by data privacy experts that involves only collecting the information that is necessary from consumers to achieve a specific objective.

“We cannot underscore enough the importance of these provisions— in many cases, serious privacy and data security concerns could have been offset— if not fully alleviated— if companies had properly minimized the data they collected and maintained,” the report reads. “We believe the legislature should amend the CTDPA to mirror Maryland’s law, which limits collection to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.”