Focused On Privacy

Connecticut Doubles Down on Children and Digital Privacy: What the 2025 CTDPA Report Reveals

In a newly released 2025 enforcement report, Connecticut Attorney General Tong announced sweeping actions under the Connecticut Data Privacy Act (CTDPA), signaling a more aggressive era of privacy enforcement.

The report not only outlines the Office of the Attorney General’s enforcement efforts over the past year but also reveals multiple active and ongoing investigations into platforms used by minors, including messaging apps, gaming environments, and AI-powered chatbots.

A Quick Refresher: What Is the CTDPA?

The Connecticut Data Privacy Act took effect in July 2023, granting residents important rights over their personal data and imposing compliance obligations on covered businesses.

Connecticut was among the first states to pass a comprehensive consumer data privacy law. This is the third annual CTDPA report, but notably the first to reflect enforcement of the law’s expanded minors’ privacy protections, which took effect October 1, 2024.

2025 Enforcement: A Focus on Children and Emerging Tech

Based on this new report, in 2025, the Attorney General’s Office opened and advanced investigations involving:

  • Connected vehicles and geolocation tracking
  • Social media and messaging platforms used by children and teens
  • Gaming platforms and app developers potentially using minors’ data for targeted advertising or sale
  • Chatbots and AI products posing manipulation and safety risks
  • Data brokers and people-search platforms

For the first time, the Office disclosed ongoing investigations into platforms that may have exposed children’s sensitive data to unacceptable privacy and security risks.

Attorney General Tong emphasized:

“Privacy and data security are not optional and companies that do business in our state must take these requirements seriously.”

By the end of 2025, the Office had:

  • Issued dozens of notices of violations and warning letters
  • Finalized multiple data breach settlements
  • Resolved its first enforcement action under the CTDPA
  • Held companies accountable for delayed and inadequate breach notices

Stronger Protections for Minors

A major theme of the 2025 report is expanded protections for children and teens.

New provisions now include:

  • Prohibitions on targeted advertising to minors
  • Ban on the sale of minors’ personal data
  • Increased scrutiny of AI and chatbot design features that could manipulate or harm young users

State Senator James Maroney underscored that while Connecticut was early to grant privacy rights, gaps remain—particularly regarding companion chatbots and emerging AI technologies that were not anticipated when the law was originally drafted.

Major CTDPA Amendments for 2025

The report highlights significant statutory changes that expand the law’s reach:

1. Lowered Applicability Thresholds

All sensitive data processing and all sales of personal data are now covered—broadening compliance obligations.

2. Expanded Definition of Sensitive Data

New categories include:

  • Disability and treatment information
  • Non-binary and transgender status

This expansion reflects a growing recognition of how vulnerable communities may face heightened risks from misuse of personal data.

3. AI Disclosure Requirement

Companies must now disclose whether personal data is used to train large language models (LLMs).

This is one of the more forward-looking provisions, directly addressing the rapid growth of generative AI tools.

Legislative Recommendations: What May Come Next

The report also outlines areas for potential legislative action:

  • Narrowing the definition of “publicly available information” to ensure data brokers cannot exploit loopholes
  • Passing a standalone genetic data privacy law
  • Enacting safeguards specifically governing chatbot and AI products
  • Expanding the utility of universal opt-out mechanisms

Taken together, these recommendations suggest Connecticut is positioning itself as a leader in AI accountability and children’s online safety.

What This Means for Businesses

If your organization collects, processes, sells, or trains AI models on personal data, especially if minors are involved, you should be paying attention.

Key compliance priorities now include:

  • Reviewing whether your data practices fall under newly lowered thresholds
  • Auditing use of sensitive data categories
  • Ensuring targeted advertising systems exclude minors
  • Evaluating AI training disclosures
  • Tightening data breach response timelines and notice procedures

Enforcement is no longer theoretical. The Attorney General’s Office has made clear it is prepared to investigate, issue violations, and pursue settlements.

The Bigger Picture

Connecticut’s 2025 CTDPA report reflects a broader national shift: state-level regulators are increasingly stepping into the privacy and AI governance space as federal legislation remains stalled.

With active investigations into gaming, social media, chatbots, and AI systems, Connecticut is signaling that innovation must be paired with accountability.

Posted

in

by

Erin Illman

Tags:

, , , ,

Comments

Leave a comment