Connecticut's Wake-Up Call: 5 Privacy Notice Lessons from the TicketNetwork Settlement
Last week, the Connecticut Attorney General ("AG") announced their office's settlement with TicketNetwork, Inc. regarding TicketNetwork's privacy notice. The AG's settlement stemmed from violations of the Connecticut Data Privacy Act ("CTDPA").
Five key takeaways from the AG's Assurance of Voluntary Compliance:
Ensure your privacy notice includes all applicable states -- TicketNetwork failed to include any mention of the Connecticut Data Privacy Act in the privacy notice, and "gave the misimpression that many important data rights were exclusive to California residents."
Privacy notice has to be legible and clear -- Privacy notice was presented in "small font and large block paragraphs that were indistinguishably included within one webpage"
Any state notices need to be complete and accurate -- "In a section added to the privacy notice entitled "U.S. State Specific Laws," the privacy notice failed to identify the right to correct inaccuracies and the right to opt-out of targeted advertising -- two important consumer rights under the CTDPA"
Ensure your privacy policy contains the CORRECT state requirements and not more limited than the provided by the state laws -- "TicketNetwork limited a consumer's right to receive disclosures to a 12- month period preceding the receipt of the request, when no such limitation exists under the CTDPA"
Answer requests by the AG's office -- "On March 12, 2024, the Attorney General followed-up with TicketNetwork asking when it would receive a response. The Attorney General received no response from TicketNetwork." Then a later response from TicketNetwork asking for an extension was not granted by the AG's office.
The state level privacy requirements aren't going away. And Connecticut is showing how important it is to adhere to the state laws. "Good enough" is not going to cut it.
