Comparing U.S. Comprehensive State Privacy Laws: Enforcement and Opportunity to Cure
As of July 2023, 13 states have passed comprehensive data privacy laws (including Florida, which enacted a law with a broad set of consumer rights and requirements for companies, but which primarily applies to a small set of the largest internet companies). Cure provisions, both “rights to cure” and “opportunities to cure,” are common elements across these laws, giving parties a specified period to fix alleged violations before facing enforcement and penalties. The applicability and length of the cure period vary across the states (see the table below), but the right to cure is a useful tool for companies, particularly as they attempt to understand their compliance obligations in the face of so many new and different laws.
The non-discretionary right to cure and the discretionary opportunity to cure will both preclude the state from initiating formal enforcement actions for a statutorily sanctioned time period after notice of the alleged violation is received. Enforcement proceedings are prohibited if alleged violations are cured during the time period. In addition to curing the alleged violative act or practice, parties that receive written notice of alleged violations must also provide evidence of voluntary efforts to implement new and more secure mechanisms and practices in the collection and use of consumer data and make regular reports to the state Attorney General’s office.
State / Law | Cure Provision | Applicability | Cure Period | Operative Date & Cure Period Expiration
---|---|---|---|---
California CCPA/CPRA | Opportunity to Cure | Business, service provider, contractor, or person | 30-day period | Operative; expired January 1, 2023
Colorado SB 190 | Right to Cure (until expiration) | Controllers | 60-day period | Operative; expires Jan. 1, 2025
Connecticut SB 6 | Right to Cure (until expiration) | Controllers | 60-day period | Operative; expires Dec. 31, 2024
Delaware HB 154 | Right to Cure | Controllers or Processors | 60-day period | Effective January 1, 2025; expires Dec. 31, 2025
Florida FDBR | Opportunity to Cure | Online Platforms | 45-day period | Effective July 1, 2024; does not expire
Indiana SB 0005 | Right to Cure | Controllers or Processors | 30-day period | Effective Jan. 1, 2026; does not expire
Iowa SF 262 | Right to Cure | Controllers or Processors | 90-day period | Effective Jan. 1, 2025; does not expire
Montana SB 384 | Right to Cure (until expiration) | Controllers | 60-day period | Effective Oct. 1, 2024; expires April 1, 2026
Oregon SB 619 | Right to Cure | Controllers | 30-day period | Effective July 1, 2024; does not expire
Tennessee HB 1181 | Right to Cure | Controllers or Processors | 60-day period | Effective July 1, 2025; does not expire
Texas HB 4 | Right to Cure | Persons | 30-day period | Effective July 1, 2024; does not expire
Utah SB 227 | Right to Cure | Controllers or Processors | 30-day period | Effective Dec. 31, 2023; does not expire
Virginia SB 1392 | Right to Cure | Controllers or Processors | 30-day period | Operative; does not expire
Applicability of Cure Periods Across the States
Of the 13 states that enacted laws, only Florida did not provide a right to cure. Currently, four state laws are operative: Connecticut, Virginia, Colorado and California. Of these four states, three currently have cure periods. In California, the right to cure was provided with the enactment of the California Consumer Privacy Act (CCPA), but it sunset on January 1, 2023, when the amendments created by the California Privacy Rights Act (CPRA) became operative. In Connecticut and Colorado, the cure period is only temporary and set to expire one year after the laws become operative. The logic behind this approach is that businesses should have the benefit of more lenient enforcement initially while they are working to come into compliance, but over time the expectation is that they should be in full compliance and not able to delay until they receive an enforcement notice.
In Florida, while there is no mandatory cure period, the law explicitly directs the state’s attorney general to exercise discretion as to whether, and in which cases, companies are given the opportunity to fix alleged violations before enforcement is initiated. Therefore, in both Florida and California, the state attorneys general and the California Privacy Protection Agency may currently elect to provide an opportunity for companies to come into compliance before enforcement, but that opportunity is solely discretionary. The same is, of course, true in other states: some statutes explicitly direct state attorneys general to use their discretion in deciding whether to provide an opportunity to cure, while in other states it is simply up to the AGs to decide on their own whether to exercise leniency.
Importantly, four of the state laws that provide cure periods extend the right to cure only to “controllers,” which are generally defined as an individual or company that, alone or jointly, determines the purposes and means of processing consumer data. This significantly narrows the scope of the cure period’s applicability in these four states. However, the law may still consider processors to be controllers under the totality of the circumstances and the nature of the agreement between the controller and the processor.
Sephora/CCPA Settlement
While the right to cure is viewed as a tremendous benefit to businesses in their efforts to avoid enforcement actions, the 2022 Sephora/CCPA settlement highlights that enforcement actions are still likely where companies are unable or unwilling to make the necessary fixes. In that case, the California State Attorney General alleged that Sephora failed to disclose to consumers that it was selling their personal information, and it failed to process user requests to opt out of sale via user-enabled global privacy controls. Sephora did not cure these violations within the CCPA’s 30-day period. Sephora’s failure to cure led to a settlement for $1.2 million in monetary penalties and further requirements to comply with important injunctive terms that will certainly be costly and burdensome for Sephora as it continues to operate in California.
Tennessee’s Affirmative Defense Clause
Tennessee’s data privacy law contains an affirmative defense clause for relevant data controllers or processors who voluntarily implement and comply with the National Institute of Standards and Technology (NIST) privacy framework or receive another authorized certification of compliance under the statute. This provision is unique because it creates a safe harbor for data controllers and processors that exists outside of the general right-to-cure time period. Members that conduct business in Tennessee or with its consumers should consider implementing the NIST program.
Conclusion
Generally, the right to cure exists and does not expire across state laws. However, there are significant differences that warrant attention from companies, including the scope of applicability and length of the cure period. The CCPA settlement with Sephora shows the importance of the cure period, which can be costly if ignored. Looking forward, Tennessee’s NIST defense clause could be a push towards establishing a single set of best practices that serve as evidence of compliance and best efforts in states where the cure period has expired and no opportunity to cure has been given.