Connecticut has become a hotbed for U.S. state-level digital policy in recent years, including the Connecticut Data Privacy Act. State officials recently unpacked the 2025 enforcement activities under the comprehensive privacy law while previewing what state lawmakers have in store for digital proposals during the 2026 legislative session.
The Connecticut attorney general's office held a joint press conference 5 Feb. with state Sen. James Maroney, D-Conn., to unveil the 2025 CTDPA enforcement report. It provided a full rundown of attorney general actions under the comprehensive law in the last year, including fresh insights into open privacy cases.
More specifically, the report delves into the 70 CTDPA complaints and more than 1,830 data breach notifications the office received since its prior enforcement review. It also provided takeaways and observations from specific enforcement areas, including recognition of universal opt-out signals, privacy notices and treatment of both genetic and health data.
"We put a law into effect and we are testing and measuring," Maroney said of the report. The CTDPA originally took effect 1 July 2023. "For three years now, (the attorney general's annual report) has given us how this law is working in the real world. And it's giving us information to go back and change the law, if needed."
During the press conference, Connecticut Attorney General William Tong said a majority of the new CTDPA complaints focused on insufficient responses to data deletion requests, noting companies are "making it hard" to exercise the right to delete. He added the U.S. as a whole was "late to party" on treating individuals' data as a "personal property right," leading to growing issues around the "surveillance economy" that the CTDPA attempts to address.
The report also made specific callouts to children's privacy enforcement. The state amended the CTDPA in 2024 to add enhanced children's privacy requirements, which took effect 1 Oct. 2024.
The expanded enforcement took shape over the last year, with the attorney general's office focusing on compliance among messaging apps, gaming platforms and AI chatbots. The report states the office's children's work "relied more heavily on information requests since many of these issues are complex, do not involve facial deficiencies, and are not easily 'fixed.'"
With regard to what the report means for potential 2026 CTDPA amendments, Maroney said he will look to tighten coverage exemptions specific to deletion rights. Another expected area of attention will be how the law applies to AI chatbots, including child interactions and chat history retention.
"When we passed the law in 2022, we hadn't envisioned what chatbots would mean, how they would be used as companions and how many children would be using them," Maroney said. "Seventy-five percent of teenagers have interacted with a companion chatbot and we know we need more protections for them."
Maroney will be on an IAPP Global Summit 2026 breakout panel discussing insights on how states addressed AI last year and offering predictions for how states will forge ahead over the coming years.
Florida's attorney general to combat foreign adversaries' privacy threats
Florida Attorney General James Uthmeier launched a new section of his office dedicated to addressing data privacy concerns stemming from foreign companies' access to U.S. citizens' data.
The Consumer Harm from International Nefarious Actors Prevention Unit is a first-of-its-kind unit that will conduct more focused oversight and investigations into the data practices of companies with ties to China and other foreign adversaries.
"If a company is funneling Floridians’ personal information to China or other foreign countries of concern, we will hold them accountable," Uthmeier said in a statement.
Before the unit was launched, the attorney general's office had already issued subpoenas to a handful of companies with suspected ties to China regarding their data sharing practices and alleged foreign surveillance via data collection.
The unit's first action was filing a subpoena to e-commerce platform Shein over data privacy allegations. Uthmeier is also asking the unit to demand audits of several medical device manufacturers with Chinese ties.
South Carolina enacts age-appropriate design bill
Gov. Henry McMaster, R-S.C., enacted House Bill 3431, the Age-Appropriate Code Design, following South Carolina Legislature approval 21 Jan. The bill, which took effect with the governor's signature, has novelties compared to similar age-appropriate design bills passed in other states.
The multi-pronged coverage threshold defines a "covered online service" as "a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that owns, operates, controls, or provides an online service that conducts business in this State." The definition also includes a reasonable knowledge standard for minors under age 18 and coverage of services that determine "the purposes and means of the processing of consumer's personal data alone."
The bill also includes data minimization standards, opt-out rights around personalized recommendation systems and a third-party audit requirement. The audits will be submitted to the attorney general for public disclosure.
Industry stakeholders, including NetChoice and the Software Information Industry Association, previously urged McMaster to veto the bill. NetChoice has ongoing litigation against several states seeking to block their age-appropriate bills.
Minnesota's comprehensive privacy law in full effect
Minnesota Attorney General Keith Ellison issued an advisory on the state's comprehensive privacy law becoming fully applicable. The cure provision in the law expired 31 Jan., meaning Ellison's office is no longer required to issue 30-day notices before bringing enforcement actions.
"I encourage people across our state to make use of this powerful new law to protect their data and minimize their digital footprint," Ellison said in a statement. "And remember, if you try to assert your rights under the Consumer Data Privacy Act and don’t hear back from the business in question within 45 days, file a complaint with my office."
Ellison also revealed recent enforcement notes. His office received 200 complaints under the comprehensive law over the last six months, with a majority pertaining to deletion rights. It sent out "dozens" of enforcement notices that resulted in productive responses and "quick corrections."
Joe Duball is the news editor for the IAPP.


