Data v. Privacy

DSAR Metric Tracking for Privacy Programs

September 7, 2025 by Eric Reagan

If you’re involved in running a privacy program, you likely already monitor some data related to consumer requests. The recent enforcement kerfuffle between the Connecticut AG and TicketNetwork highlighted a few metrics that should be on your list if you aren’t already tracking them.

What happened?

On November 9, 2023, the Connecticut AG sent a cure notice to TicketNetwork, which is an online marketplace for buying and selling live event tickets, for violations of the Connecticut Data Privacy Act (CTDPA).

The cure notice flagged “deficiencies in the company’s privacy notice and [gave] the company the chance to come into compliance without penalty. In particular, the company’s privacy notice was largely unreadable, missing key data rights, and contained rights mechanisms that were misconfigured or inoperable. Under the CTDPA’s cure period, TicketNetwork had 60 days— until January 8, 2024— to resolve each deficiency.”

  • December 31, 2023: TicketNetwork responded to the Connecticut AG that it had cured its deficiencies under the CTDPA.
  • January 8, 2024: Cure period expired with uncured deficiencies from the AG’s perspective.
  • February 2, 2024: AG sent another letter outlining the deficiencies with a deadline to respond by March 1, 2024.
  • March 1, 2024: Response deadline passed with no communication by TicketNetwork.
  • March 12, 2024: The AG sent a follow-up and received no response.
  • April 16, 2024: The AG contacted TicketNetwork yet again to ask when it would respond, and the company responded the same day with a link to its updated privacy notice, which it represented was now in compliance.
  • June 17, 2024: The AG sent another letter to TicketNetwork outlining the continued deficiencies and gave a July 2, 2024 deadline.
  • June 24, 2024: TicketNetwork responded that it was updating its privacy notice to address deficiencies and asked for an extension to July 31, 2024. The AG declined the extension.
  • November-December 2024: TicketNetwork continued to address deficiencies regarding CTDPA compliance.
  • May 29, 2025: TicketNetwork, through its CFO, entered into an Assurance of Voluntary Compliance (AVC) with the Connecticut AG, outlining specific tasks it will perform to comply with CTDPA.

The AVC offers some general compliance requirements regarding the consumer-facing privacy notice and DSAR submissions, which track closely with statutory language. Additionally, it outlined some problems to avoid that were tailored to TicketNetwork’s issues around formatting and technical implementation. Notably, “TicketNetwork shall not publish a privacy notice that:

  1. uses large blocks of text that consumers are unlikely to read;
  2. uses small font that is difficult to read;
  3. uses unnecessarily complicated language, including legal or technical jargon;
  4. uses mechanisms that make it difficult for a consumer to exercise their consumer rights, such as by requiring unnecessary steps or by using confusing interfaces or forms.”

Privacy Notice Review and DSAR Metrics

To ensure that TicketNetwork maintained ongoing compliance, the Connecticut AG included some privacy program governance and tracking requirements in the AVC.

Specifically, the AG required TicketNetwork to “regularly review and revise its public-facing privacy notice to reflect TicketNetwork’s data collection and processing activities. This review shall be conducted on at least an annual basis and upon any material change to its privacy practices.” (emphasis added.)

Additionally, the AG included reporting requirements with TicketNetwork’s first report due within 180 days. The report must document the consumer rights requests that TicketNetwork receives and then break down each category of request (e.g., right to access, right to delete, etc.) with the following metrics:

  1. the number of requests received;
  2. the mode by which they were received (e.g., by e-mail);
  3. the average length of time taken to complete the requests;
  4. whether the requests were fulfilled or rejected and, if rejected, the reason for the rejection;
  5. the number of appeal requests received;
  6. the average length of time taken to respond to the appeals; and
  7. whether the appeal requests were granted or denied and, if denied, the reason for the denial.

The AVC goes on to require TicketNetwork to maintain regular monitoring of these metrics, which are to be made available to the AG upon request in the future.

For folks working in privacy programs, if you’re not already tracking all of the above metrics, it sure seems like a good time to start. All of these actions support a minimally-functioning privacy program. Given that they matter to an AG’s office enforcing an active US comprehensive privacy law, this should be low-hanging fruit to adopt.

NIST Privacy Framework Mapping

As a bonus, if you follow the NIST Privacy Framework 1.0, those metrics from the Connecticut AG all map directly to the Govern function in the Monitoring and Review category, GV.MT-P7 (Policies, processes, and procedures for receiving, tracking, and responding to complaints, concerns, and questions from individuals about organizational privacy practices are established and in place.)

Likewise, the requirement to annually (or upon material change) review and revise the privacy notice maps to CM.PO-P1 (Transparency policies, processes, and procedures for communicating data processing purposes, practices, and associated privacy risks are established and in place.) and GV.MT-P2 (Privacy values, policies, and training are reviewed and any updates are communicated.)

You can read the full Assurance of Voluntary Compliance below.

TicketNetwork Assurance of Compliance
