Skip to content

Many modern data privacy statutes are designed to encourage compliance by permitting organizations to cure an alleged violation of the statute prior to a regulatory enforcement action. The ability to cure may have been included in recognition of the fact that modern data privacy statutes impose obligations that may be foreign to many organizations (i.e., new obligations that are not consistent with prior state laws), and statutory ambiguities may result in situations in which organizations are surprised by how a regulator might interpret a statute. A cure period permits an organization to decide whether to align its practices to a regulator’s interpretation, or to challenge the regulator’s interpretation in court. The following chart provides a breakdown of the cure provisions offered by the modern privacy statutes:

Guaranteed cure period.  Organizations are provided a period in which to cure alleged violations. Length of guaranteed cure period.  Length of time within which a company may cure an alleged violation. Discretionary cure period.  Regulator has discretion to provide a cure period. Length of discretionary cure period.  Length of time within which a company may cure an alleged violation.

California 2022

CCPA

[1]

(Sunsets on January 1, 2023 per CPRA)

30 days after being notified of alleged non-compliance. [6] N/A N/A

California 2023

CPRA

 

 

[11] None specified. [13]

Colorado 2023

CPA

[2]

(Sunsets January 1, 2025)

60 days after being notified  of alleged non-compliance. [7]

 

None expressly specified, however, within prosecutor’s discretion. None specified.

Conn. 2023

CTDPA

[3]

(Sunsets January 1, 2025)

60 days after being notified of alleged non-compliance. [8]

 

[12] None specified.

Utah 2023

UCPA 

[4]

(No sunset)

30 days after being notified of alleged non-compliance.[9] N/A N/A

Virginia 2023

VCDPA 

[5]

(No sunset)

30 days after being notified of alleged non-compliance.[10] N/A N/A

 

1 Cal. Civ. Code 1798.155(b) (West 2020).

2 C.R.S. 6-1-1311(d) (2022).

3 Connecticut Substitute Bill No. 6, § 11 (2022).

4 Utah Code Ann. 13-61-402 (2022).

5 Va. Code 59.1-579(B) (2022).

6 Cal. Civ. Code 1798.155(b) (West 2020).

7 C.R.S. 6-1-1311(d) (2022).

8 Connecticut Substitute Bill No. 6, § 11 (2022).

9 Utah Code Ann. 13-61-402 (2022).

10 Va. Code 59.1-579(B) (2022).

11 Cal. Civ. Code 1798.199.45(a) (West 2021).

12 Connecticut Substitute Bill No. 6, § 11 (2022).

13 Cal. Civ. Code 1798.199.45(a) (West 2021).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David A. Zetoony David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Associations primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Associations primary publication on the California Consumer Privacy Act (CCPA).