
Comparing U.S. Comprehensive State Privacy Laws: Enforcement and Opportunity to Cure

Micah Russel
August 14, 2023

As of July 2023, 13 states have passed comprehensive data privacy laws (including Florida, which enacted a law with a broad set of consumer rights and requirements for companies, but which primarily applies to a small set of the largest internet companies). Cure provisions, both “rights to cure” and “opportunity to cure,” are common elements across these laws, allowing parties a specified period to fix alleged violations before facing enforcement and penalties. The applicability and length of the cure period vary across the states (see chart below), but the right to cure is a useful tool for companies, particularly as they attempt to understand their compliance obligations in the face of so many new and different laws.

The non-discretionary right to cure and the discretionary opportunity to cure will both preclude the state from initiating formal enforcement actions for a statutorily sanctioned time period after notice of the alleged violation is received. Enforcement proceedings are prohibited if alleged violations are cured during the time period. In addition to curing the alleged violative act or practice, parties that receive written notice of alleged violations must also provide evidence of voluntary efforts to implement new and more secure mechanisms and practices in the collection and use of consumer data and make regular reports to the state Attorney General’s office.

| State Law | Cure Provision | Applicability | Cure Period | Operative Date & Cure Period Expiration |
|---|---|---|---|---|
| California CCPA/CPRA | Opportunity to Cure | Business, service provider, contractor, or person | 30-day period | Operative; Expired January 1, 2023 |
| Colorado SB 190 | Right to Cure (until expiration) | Controllers | 60-day period | Operative; Expires Jan. 1, 2025 |
| Connecticut SB 6 | Right to Cure (until expiration) | Controllers | 60-day period | Operative; Expires Dec. 31, 2024 |
| Delaware HB 154 | Right to Cure | Controllers or Processors | 60-day period | Effective January 1, 2025; Expires Dec. 31, 2025 |
| Florida FDBR | Opportunity to Cure | Online Platforms | 45-day period | Effective July 1, 2024; Does not expire |
| Indiana SB 0005 | Right to Cure | Controllers or Processors | 30-day period | Effective Jan. 1, 2026; Does not expire |
| Iowa SF 262 | Right to Cure | Controllers or Processors | 90-day period | Effective Jan. 1, 2025; Does not expire |
| Montana SB 384 | Right to Cure (until expiration) | Controllers | 60-day period | Effective Oct. 1, 2024; Expires April 1, 2026 |
| Oregon SB 619 | Right to Cure | Controllers | 30-day period | Effective July 1, 2024; Does not expire |
| Tennessee HB 1181 | Right to Cure | Controllers or Processors | 60-day period | Effective July 1, 2025; Does not expire |
| Texas HB 4 | Right to Cure | Persons | 30-day period | Effective July 1, 2024; Does not expire |
| Utah SB 227 | Right to Cure | Controllers or Processors | 30-day period | Effective Dec. 31, 2023; Does not expire |
| Virginia SB 1392 | Right to Cure | Controllers or Processors | 30-day period | Operative; Does not expire |

Applicability of Cure Periods Across the States

Of the 13 states that enacted laws, only Florida did not provide a right to cure. Currently, four state laws are operative: Connecticut, Virginia, Colorado and California. Of these four states, three currently have cure periods. In California, the right to cure was provided with the enactment of the California Consumer Privacy Act (CCPA), but it sunset as of January 1, 2023, when the amendments created by the California Privacy Rights Act (CPRA) became operative. In Connecticut and Colorado, the cure period is only temporary and set to expire one year after the laws become operative. The logic behind this approach is that businesses should have the benefit of more lenient enforcement initially as they are working to come into compliance, but over time the expectation is that they should be in full compliance and not able to delay until they receive an enforcement notice.

In Florida, while there is not a mandatory cure period, the law explicitly directs the state’s attorney general to exercise discretion as to whether, and in which cases, companies are provided the opportunity to fix alleged violations before enforcement is initiated. Therefore, currently in both Florida and California, while state attorneys general and the California Privacy Protection Agency may elect to provide an opportunity for companies to come into compliance before enforcement, that opportunity is solely discretionary. The same is, of course, true in other states, where statutes either explicitly direct state attorneys general to use their discretion in whether to provide an opportunity to cure or simply leave it up to AGs to decide on their own whether to exercise leniency.

Importantly, four of the state laws that provided cure periods only extended the right to cure to “controllers,” which are generally defined as an individual or company who, alone or jointly, determines the purposes and means of processing consumer data. This significantly narrows the scope of the cure period’s applicability in these four states. However, the law may still consider processors to be controllers under the totality of circumstances and the nature of the agreement between the controller and the processor.

Sephora/CCPA Settlement

While the right to cure is viewed as a tremendous benefit to businesses in their efforts to avoid enforcement actions, the 2022 Sephora/CCPA settlement highlights that enforcement actions are still likely where companies are unable or unwilling to make the necessary fixes. In that case, the California State Attorney General alleged that Sephora failed to disclose to consumers that it was selling their personal information, and it failed to process user requests to opt out of sale via user-enabled global privacy controls. Sephora did not cure these violations within the CCPA’s 30-day period. Sephora’s failure to cure led to a settlement for $1.2 million in monetary penalties and further requirements to comply with important injunctive terms that will certainly be costly and burdensome for Sephora as it continues to operate in California.

Tennessee’s Affirmative Defense Clause

Tennessee’s data privacy law contains an affirmative defense clause for relevant data controllers or processors who voluntarily implement and comply with the National Institute of Standards and Technology (NIST) privacy framework or receive another authorized certification of compliance under the statute. This provision is unique because it creates a safe harbor for data controllers and processors that exists outside of the general right-to-cure time period. Members that conduct business in Tennessee or with its consumers should consider implementing the NIST program.

Conclusion

Generally, the right to cure exists and does not expire across state laws. However, there are significant differences that warrant attention from companies, including the scope of applicability and length of the cure period. The CCPA settlement with Sephora shows the importance of the cure period, which can be costly if ignored. Looking forward, Tennessee’s NIST defense clause could be a push towards establishing a single set of best practices that serve as evidence of compliance and best efforts in states where the cure period has expired and no opportunity to cure has been given.
