Data Privacy FAQ's: How do cure periods work under the new state privacy laws?

Do Companies have a cure period for alleged violations under the California Privacy Rights Act (“CPRA”)?

No, the CPRA eliminates the thirty (30) day cure period originally permitted under the California Consumer Privacy Act (“CCPA”). However, the CPRA allows the California Privacy Protection Agency (“CPPA”) to choose not to investigate a complaint or provide a business with a time period to cure the alleged violation. In determining an appropriate time period to cure, the CCPA may consider 1) the lack of intent to violate this title and 2) the voluntary efforts undertaken by the Company to cure the alleged violation prior to being notified by the agency of the complaint (§ 1798.199.45 (a)).

Do Companies have a cure period for alleged violations under the Colorado Privacy Act (“CPA”)?

Yes, the CPA provides a sixty (60) day cure period for alleged violations. This will remain in effect until January 1, 2025 (§ 6-1-1305(5)).

Do Companies have a cure period for alleged violations under the Virginia Consumer Data Protection Act (“VCDPA”)?

Yes, the VCDPA provides a thirty (30) day cure period for alleged violations. The VCDPA requires that Companies provide an express written statement that the alleged violations have been cured and that no further violations will occur (§ 59.1-579).

Do Companies have a cure period for alleged violations under the Utah Consumer Privacy Act (“UCPA”)?

Yes, the UCPA provides a thirty (30) day cure period for alleged violations. The UCPA requires that Companies provide an express written statement that the alleged violations have been cured and that no further violations will occur (§ 13-61-402).

Do Companies have a cure period for alleged violations under the Connecticut Data Privacy Act (“CDPA”)?

Yes, the CDPA provides a sixty (60) day cure period for alleged violations. This will remain in effect until January 1, 2024 (Public Act No. 22-15).