California is imposing tough new rules on processing the data of anyone under the age of 18, with the potential to affect businesses that don't target younger consumers.
Since enforcement of the California Consumer Privacy Act (CCPA) began in 2020, the privacy law’s mandatory 30-day cure period has been the saving grace of many businesses, helping them avoid costly fines. That is no longer the case, however.
Now that the changes from the California Privacy Rights Act (CPRA) have gone into effect, the CCPA’s mandatory cure period is a thing of the past.
A cure period is time given by authorities to a person or organization to fix, or “cure,” alleged legal violations before enforcement actions begin. When originally passed, the CCPA contained a provision requiring that all businesses be given 30 days to get their operations compliant before being considered in violation and therefore subject to fines and injunctions.
Many businesses have received cure notices from the Attorney General’s Office, but most were able to fix the issues in time and that was the end of the matter. The notable exception is Sephora, which was fined $1.2 million for CCPA violations, despite being given a 30-day cure period.
The CPRA made numerous, significant changes to the CCPA that went into effect at the start of 2023. A number of the new provisions are meant to strengthen enforcement of the law. Most conspicuous is the creation of a new government agency tasked exclusively with CCPA-related matters: the California Privacy Protection Agency. With a full staff of experts and a budget protected by statute, everyone expects enforcement actions to rise drastically under the Agency.
The CPRA also did away with the mandatory 30-day cure period. While it may not have garnered as many headlines, the removal of the cure-period provision is likely to have a significant impact on enforcement. If it so wishes, the Agency can now proceed directly to enforcement actions, such as imposing administrative fines.
That doesn’t mean cure periods have gone away entirely; the Agency still has the option to grant businesses the opportunity to fix violations. When determining whether that would be appropriate, the statute provides two criteria to consider:
What this basically comes down to is that if the Agency determines you were aware or should have been aware of your responsibilities under the CCPA but made no good-faith effort (like signing up for TrueVault US) to be compliant, it can proceed directly to imposing fines instead of giving you time to fix the violations.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.