by Donald Eng CTNewsJunkie
HARTFORD, CT — The attorney general’s office took multiple actions under the Connecticut Data Privacy Act in 2025, according to Attorney General William Tong. Among those actions were enforcement and outreach in areas such as social media platforms and messaging apps and their use by children, connected vehicles and data showing drivers’ location and driving habits, and the design features and content of chatbots and artificial intelligence.
On Thursday, Tong and state Sen. James Maroney, D-Milford, discussed the report in a media briefing in the Legislative Office Building. The latest report includes information on multiple active and ongoing investigations related to the safety of children and teens online across numerous platforms, including online messaging, gaming and chat bots.
“In 2025, we held companies accountable for delayed and inadequate data breach notices and hidden consumer rights,” Tong said. “We launched active and ongoing investigations into multiple platforms that may have exploited and exposed our kids and their sensitive data to unacceptable privacy and security risks online. Privacy and data security are not optional and companies that do business in our state must take these requirements seriously.”
Maroney agreed, but said the state had more work to do.
“Too many of our residents’ requests fall under one of the exemptions in the law, and the harms from companion chatbots were not anticipated four years ago when the original bill passed,” he said. “I look forward to working together with the Attorney General, the governor and my colleagues to help rein in the harmful aspects of chatbots, so we can see the true benefits this technology promises.”
By the end of 2025, Tong said his office had issued dozens of notices of violations and warning letters, finalized multiple data breach settlements, and resolved its first enforcement action under the CTDPA.
Key changes highlighted in the report include stronger protections for minors’ data, broader definition of sensitive data, and new disclosure requirements related to artificial intelligence.
The report also identifies areas where the state legislature could strengthen or clarify the CTDPA’s protections. Recommendations include narrowing the definition of “publicly available information” to ensure full coverage of data brokers and people search websites, adopting a standalone genetic data privacy law, enacting safeguards and legislation governing chatbot and AI products and expanding the utility of the CTDPA’s universal opt-out provisions.