
Connecticut’s ambitious data privacy takeover just slapped an $85,000 fine on a business that couldn’t even fix its problems after being warned—and this is just the beginning of the government’s next regulatory power grab.
At a Glance
- Connecticut’s Attorney General hit TicketNetwork with an $85,000 settlement for failing to comply with state privacy laws despite warnings.
- The company’s privacy notices were deemed “unreadable,” and consumer rights systems were deemed “non-functional” by regulators.
- The Connecticut Data Privacy Act took effect in July 2023, with a mandatory cure period for violations ending on December 31, 2024.
- Businesses only need data from 100,000 Connecticut residents to fall under the law’s jurisdiction.
- AG William Tong promises to use the “full weight of our enforcement authority” against noncompliant businesses.
The Privacy Police Claim Their First Victim
Connecticut has fired the first shot in its war on business non-compliance, making an example out of the online marketplace TicketNetwork. The company was hit with an $85,000 settlement for failing to adhere to the state’s new data privacy law. Their supposed crimes? An “unreadable” privacy policy and a “non-functional” system for consumer rights requests.
Attorney General Tong Announces $85,000 Settlement with TicketNetwork for Violations of the Connecticut Data Privacy Act.
Here's the settlement: https://t.co/aMyHa9U6HY
— Luis Montezuma (@montezumachavez) July 8, 2025
Attorney General William Tong celebrated the penalty as a victory for consumers, but for businesses, it’s a chilling warning. “There is no excuse for continued non-compliance, and we are prepared to use the full weight of our enforcement authority to protect consumer privacy,” Tong declared. This isn’t about protection; it’s about punishment, and TicketNetwork is just the beginning.
A Regulatory Net Designed to Snare Small Business
Unlike other state privacy laws that target massive corporations, the Connecticut Data Privacy Act (CTDPA) casts a dangerously wide net. The law applies to any business that controls or processes the data of just 100,000 Connecticut residents. Even worse, if you handle data for only 25,000 residents but derive more than 25% of your revenue from selling personal data, you’re also in the state’s crosshairs.
As compliance firm TrustArc warns, this is a “HEADS UP” for small businesses that lack the sprawling legal departments of tech giants. They are now expected to navigate a complex web of new rules or face crippling fines from a state government seemingly eager to collect.
The End of Warnings: Comply or Be Crushed
Until the end of 2024, the government has offered a “cure period,” a window for businesses to fix violations after being warned. But that grace is ending. After December 31, 2024, the Attorney General will have the discretion to launch enforcement actions and impose fines immediately, without giving companies a chance to correct their mistakes.
The TicketNetwork case proves that even with a warning, satisfying the state’s demands can be impossible. The AG’s office has already sent numerous notices of violation to companies across various industries, signaling an aggressive hunt for infractions. This isn’t consumer protection; it’s a shakedown, placing an immense compliance burden on a private sector already battling inflation and labor shortages. The real cost will inevitably be passed on to consumers through higher prices and fewer choices.












