Today, the state’s Office of the Attorney General (OAG) released its 2025 enforcement report for the state’s Data Privacy Act (CTDPA). The report outlined the OAG’s efforts to enforce the CTDPA, and made several recommendations to strengthen or supplement the bill’s privacy provisions regarding minors, genetic data, and AI chatbots.
“Why do we care about data privacy?” said Attorney General William Tong, in a press conference held earlier today. “Because it matters to everybody in this room. We engage all day, every day, and we’re sharing information. We’re buying things, and information is being collected about us. Even more importantly, and we’re going to talk a lot about this today, our kids are constantly on their devices, and they’re sharing information, giving information, and information is being collected about them, in real time, every day, all day.”
The CTDPA was first passed in April 2022 and first went into effect in July 2023, for the purpose of informing consumers of what data companies are collecting, providing them with the choice of limiting what personal data could be collected, and offering consumers the option to request data deletions and to opt out of the use of their data for the purposes of sale, targeted advertising and profiling. Since its passage, it has been amended several times, most recently last year, to include additional privacy provisions. Sen. Doug Maroney (D-Milford), Chair of the General Law Committee, said he will use today’s report to inform legislation this session.
“We’re going to work together with you, the Attorney General and the governor, to put in protections on chat bots,” said Maroney. “That’s both proposed in a Governor’s bill and that will be part of SB-5. In addition, based on this information from this report, we’re going to look at making a few changes and updates to our data privacy law. We’re going to look at banning the sale of geolocation data. We’re going to update the definition of publicly available information.”
Tong said that in the past year, the OAG has received 70 complaints, many of them centering around consumers’ “right to delete,” or right to have any personal information collected by a company deleted. One third of these complaints have contained what’s deemed “public information,” which is exempted from the CTDPA’s protections. Additionally, Tong said the OAG has been notified over 1,800 times of data breaches and has issued 63 warning letters to companies for notice delays. Both Tong and the OAG’s report highlighted the issue of consistent non-compliance by companies with state statutes regarding data breach notification timelines. Tong and the report cited several recent state settlements with companies that failed to follow the state’s notification timelines for data breaches.
“Once there’s a breach, they’re supposed to take action,” said Tong. “They’re supposed to let us know as soon as possible, and then they’re supposed to take action to protect all of us.”
With regard to enforcement actions, the report noted that the OAG has been reviewing companies’ privacy notices for compliance with state statutes and cracking down on “problematic cookie banners” and “deceptive patterns” that the OAG claims make it considerably harder for residents to opt out of data sharing or targeted advertising when using websites. Since August 2025, it has also been working with California and Colorado to conduct an “investigative sweep” for companies that are not complying with the CTDPA’s universal opt-out provisions (OOPS) that went into effect on Jan. 1, 2025. These provisions dictate that companies allow users the ability to “opt-out of targeted advertising and the sale of their personal data across all website-based activities,” as well as the ability to opt out of all personal data collection across all user devices, including phone apps.
The report noted that the OAG has intervened in the bankruptcy case of 23andMe, the genetic testing company, to ensure “genetic data would be protected and data rights would be honored,” and filed a proof of claim, which asserts the state’s intent to receive payment from the company, after it was involved in a data breach of 7 million users’ information. The report recommended the state legislature “adopt a standalone genetic data privacy law.” The OAG has also begun investigations into a fertility tracker app and broker of consumer health data, per the report.
The OAG has also begun investigating compliance with minor privacy protections included in the CTDPA that went into effect in October 2024. These protections currently ban companies from using minors’ data for targeted advertising without consent, designing systems intended to “significantly increase, sustain, or extend a minor’s time online without consent,” and collecting precise geolocation data without consent. The report notes that the legislature has since strengthened these provisions, by “prohibiting addictive design features outright and banning the processing of minors’ personal data for targeted advertising and sale (removing the consent structure currently in the law), as well as prohibiting controllers from collecting minors’ precise geolocation unless strictly necessary.” These amendments, as well as others listed at the bottom of the report, will go into effect on July 1, 2026. The OAG recommended “standalone legislation” to protect minors from “the harms of addictive feeds.” Such a bill was drafted last year, but died in session after passing the House.
Regarding its enforcement of minor privacy protection provisions, the report stated that the OAG has issued two violation notices to companies, issued three inquiry letters to social media companies for the purpose of understanding steps taken toward their compliance with these provisions, sent inquiry letters and notices of violation to gaming platforms and messaging apps widely used by minors, and “continues to investigate a technology company that provides a chatbot platform regarding alleged harm to minors due to certain design features.”
The report said that minors’ use of chatbots should also be the subject of additional legislative scrutiny, stating, “we strongly believe that standalone, specific chatbot legislation is necessary to protect Connecticut residents and especially minors.” Tong said that “people are dying out there,” as a result of AI chatbots. Both Tong and Maroney cited the case of Stein-Erik Soelberg as an example; Soelberg was a Connecticut man who killed his mother and then himself after his paranoid delusions were allegedly validated by ChatGPT.
“This is really scary, and so we are taking action against companies that operate chatbots and fail to protect people and quality control over their products to keep people safe here in Connecticut,” said Tong.
Ultimately, the report said that companies “must be responsible corporate citizens and stewards of our personal data,” and repeatedly reminded them of their obligation to familiarize themselves with the law and its amendments to ensure proper compliance.
“Privacy and data security is not only paramount, but a competitive edge for companies that are the most successful in innovating,” concluded the report. “This Office will continue to be transparent in its privacy and cybersecurity efforts as well as work with the legislature to further develop the law for the benefit of all Connecticut residents, and especially our children.”