Connecticut Attorney General William Tong said the state will look into tightening data privacy laws following the release of his office’s annual enforcement report.
The Connecticut Data Privacy Act (CTDPA) passed in 2022 and outlines the state's data privacy laws, compliance expectations and enforcement for violations. Tong said when there is a breach at a company, university, hospital or any other public or private institution, they are required to inform the attorney general's office. This year’s report includes details about multiple investigations related to large-scale data breaches, failure to report and other consumer privacy concerns.
“We have more than 1800 breach notifications in 2025. That's a lot, that's a lot. We’ve issued 63 warning letters based on our investigations to companies that have failed to protect information,” Tong said.
Some cases were resolved through multimillion-dollar compliance settlements, while others remain under investigation. Tong said his office held companies accountable for delayed or inadequate data breach notices and for hiding consumer rights. The office entered into a voluntary compliance agreement with Omni Healthcare following a ransomware breach in January 2024, but did not report the breach until April 2025. Tong said it was a clear violation of the law. The company paid more than $100,000 in fines.
“Once there's a breach, they're supposed to take action. They're supposed to let us know as soon as possible and then they're supposed to take action to protect all of us,” Tong said. “Healthcare information. So this is stuff you don't want out there and now it's out there, swimming out there for 14 months before we know anything.”
Tong said other incidents that occurred fell under exemptions from the state’s data privacy laws, which he said highlight the need for amendments. Since its passage in 2022, Tong said the law needs changes to keep up with technologies like AI and geolocation tracking. He said his office will also work to further define “sensitive data” and expand the rights residents have with their personal data. Tong said one of his office’s priorities will include rights related to minors’ privacy.
“We launched active and ongoing investigations into multiple platforms that may have exploited and exposed our kids and their sensitive data to unacceptable privacy and security risks online. Privacy and data security are not optional and companies that do business in our state must take these requirements seriously,” Tong said.
It’s the first year since the CTDPA was enacted that looks into the enforcement of the law’s expanded minors’ privacy protections. Several bills introduced in the 2026 legislative session address concerns about the safety of children and teens online and risks of privacy breaches through online messaging, gaming, and chatbots. State Senator James Maroney is one of several legislators introducing bills that address online regulations.
"While we were one of the first states to grant our residents data privacy rights, this report makes it clear that we have more work to do. Too many of our residents' requests fall under one of the exemptions in the law, and the harms from companion chatbots were not anticipated 4 years ago when the original bill passed,” Maroney said.
As a co-chair of the general law committee, Maroney said he hopes to work with the attorney general to address concerns like social media platforms used by children and teens, chatbots and artificial intelligence. Maroney said research showed that 75% of teenagers reported interacting with a companion chatbot in the past.
“When this law was enacted in 2022, we hadn’t envisioned what chatbots would mean or how they would be used as companions and how many children would actually be using them,” Maroney said. “We know that we need to do more protection for them.”
The 2025 CTDPA report outlines recommended changes to strengthen protections, especially for minors’ data and new disclosure requirements related to artificial intelligence. The report also offers recommendations to the state legislature, like narrowing the definition of “publicly available information” to ensure full coverage, adopting a standalone genetic data privacy law, and legislation governing chatbot and AI products.
