On July 8, 2025, the Connecticut Attorney General (AG) publicly announced an enforcement action against TicketNetwork for violations of the CT Data Privacy Act (CTDPA). In this notable case, centered on improving privacy notices, the Connecticut AG and TicketNetwork entered into an Assurance of Voluntary Compliance (AVC). Although TicketNetwork was fined only $85,000 under the AVC, the agreement features significant injunctive provisions, as well as strict review and reporting requirements. This case marks the first standalone public enforcement action taken by the Connecticut AG under the CTDPA.
For more comprehensive guidance on the CTDPA, you may find additional resources on CT.gov.
What Happened: The Timing is Critical to Privacy Compliance
On November 9, 2023, the Connecticut AG issued a cure notice to TicketNetwork. The notice highlighted deficiencies in TicketNetwork’s public privacy notice. Specifically, the Connecticut AG noted that the privacy statement employed a small font and large block paragraphs, making it difficult for consumers to read. With the CTDPA providing a 60-day cure period, addressing these privacy issues promptly was crucial.
TicketNetwork responded on December 31, 2023, asserting that it had made changes that brought the privacy notice into compliance with the CTDPA. However, the Connecticut AG identified the same concerns related to font size and paragraph blocks. In addition, the Connecticut AG raised new issues pertaining to specific CTDPA requirements that were not being met. The emphasis on privacy and clarity in privacy notices concerning personal data was central to the Connecticut AG’s observations.
On February 1, 2024, the Connecticut AG reiterated the deficiencies and requested that TicketNetwork provide a detailed response by March 1, 2024. Unfortunately, TicketNetwork did not offer any explanation. A follow-up sent on March 12, 2024, again received no answer, further complicating efforts to ensure privacy compliance.
Several weeks later, on April 16, 2024, the Connecticut AG contacted TicketNetwork to ask for a definitive timeline for its response. Later that day, TicketNetwork provided a link to an updated privacy notice. Although TicketNetwork claimed that the revised privacy notice met CTDPA requirements, upon review the Connecticut AG discovered additional alleged deficiencies.
Finally, on June 17, 2024, a second follow-up letter was sent with a firm request for TicketNetwork to respond by July 2, 2024. Two weeks later, on June 24, 2024, TicketNetwork acknowledged that they were working to fix the deficiencies and requested an extension until July 31, 2024. The Connecticut AG, however, denied this extension request.
Injunctive Provisions: Enhancing Privacy Through Clear and Accessible Information
Under the AVC, TicketNetwork must fully comply with the CTDPA and deliver a “reasonably accessible, clear and meaningful privacy notice.” This privacy notice is required to include:
- Detailed categories of personal data processed by TicketNetwork;
- Explicit purposes for personal data processing;
- Clear instructions on how consumers may exercise their rights and appeal decisions made by TicketNetwork;
- A list of categories of third parties with whom TicketNetwork shares personal data; and
- Active contact information, such as an email address or other reliable mechanisms.
Moreover, TicketNetwork is obligated to provide a prominently visible link on their website, enabling consumers to opt out of targeted advertising or the sale of their data. The AVC contains explicit restrictions ensuring that the privacy notice does not use large blocks of text, small fonts, or unnecessarily complicated language. Privacy must be communicated in simple, readable terms free of confusing legal or technical jargon, making it easy for individuals to exercise their rights.
Regular Review and Reporting: Sustaining Privacy Standards
In addition to the clear guidelines for its privacy notice, TicketNetwork is now required to regularly review and revise its privacy practices. At a minimum, TicketNetwork must conduct an annual review of its privacy notice to ensure continued compliance with the CTDPA. Furthermore, within 180 days of entering into the AVC, TicketNetwork must submit a detailed report to the Connecticut AG. This report is expected to include information on consumer requests related to the exercise of privacy rights and how TicketNetwork has addressed each inquiry.
Once the report is filed, TicketNetwork is obligated to keep the information updated and provide it upon request by the Connecticut AG. Notably, there does not appear to be an end date for these privacy and injunctive requirements, meaning that proactive compliance will be an ongoing obligation for TicketNetwork.
Key Takeaways for Maintaining Privacy Compliance
The enforcement action against TicketNetwork offers several important lessons for organizations striving to achieve optimal privacy compliance:
Do Not Ignore a Regulator’s Requests:
Always respond promptly and thoroughly to regulatory inquiries, even if you believe that the original concern has been addressed. Timely responses can minimize the risk of an inquiry escalating into a formal enforcement action.
Accuracy and Clarity are Paramount:
When communicating with regulators, ensure that your disclosures and corrective actions are completely accurate and expressed in clear language.
Address Jurisdictional Nuances in Privacy:
Privacy regulators are meticulous in enforcing their specific guidelines. Compliance with the requirements of one jurisdiction (for example, California) does not automatically ensure compliance in another, such as Connecticut. Tailor your privacy practices to meet each jurisdiction’s unique elements.
Presentation Matters in Privacy Notices:
Regulators are paying closer attention to the readability and design of privacy policies. Enforcement actions now scrutinize website design, font use, layout, and language, with a significant focus on enabling privacy rights without confusion.
Final Thoughts
The TicketNetwork case underscores the critical role that privacy plays in consumer protection and regulatory compliance. Organizations should view these regulatory actions as a clear signal: prioritize the clarity and effectiveness of your privacy notice, respond swiftly to compliance issues, and maintain an ongoing dialogue with regulators.
For more detailed insights on the evolving nature of privacy regulations, consider exploring relevant articles on the Technology Law blog.