No More Cure Period for CCPA Violations


Since enforcement of the California Consumer Privacy Act (CCPA) began in 2020, the privacy law’s mandatory 30-day cure period has been the saving grace of many businesses, helping them avoid costly fines. That is no longer the case, however. 

Now that the changes from the California Privacy Rights Act (CPRA) have gone into effect, the CCPA’s mandatory cure period is a thing of the past.

What Is a Cure Period?

A cure period is time given by authorities to a person or organization to fix, or “cure,” alleged legal violations before enforcement actions begin. When originally passed, the CCPA contained a provision requiring that all businesses be given 30 days to get their operations compliant before being considered in violation and therefore subject to fines and injunctions. 

Many businesses have received cure notices from the Attorney General’s Office, but most were able to fix the issues in time and that was the end of the matter. The notable exception is Sephora, which was fined $1.2 million for CCPA violations, despite being given a 30-day cure period.

What Has Changed?

The CPRA made numerous, significant changes to the CCPA that went into effect at the start of 2023. A number of the new provisions are meant to strengthen enforcement of the law. Most conspicuous is the creation of a new government agency tasked exclusively with CCPA-related matters: the California Privacy Protection Agency. With a full staff of experts and a budget protected by statute, the Agency is widely expected to bring a sharp increase in enforcement actions.

The CPRA also did away with the mandatory 30-day cure period. While it may not have garnered as many headlines, the removal of the cure-period provision is likely to have a significant impact on enforcement. If it so wishes, the Agency can now proceed directly to enforcement actions, such as imposing administrative fines. 

That doesn’t mean cure periods have gone away entirely; the Agency still has the option to grant businesses the opportunity to fix violations. When determining whether that would be appropriate, the statute provides two criteria to consider:

  1. Lack of intent to violate the CCPA
  2. Voluntary efforts undertaken by the business to cure the alleged violation prior to being notified by the Agency

In practice, this means that if the Agency determines you were aware, or should have been aware, of your responsibilities under the CCPA but made no good-faith effort to be compliant (such as signing up for TrueVault US), it can proceed directly to imposing fines instead of giving you time to fix the violations.

U.S. Privacy Compliance

Waiting to get a cure notice was never a great strategy for CCPA compliance—being rushed to get everything fixed in time can lead to expensive mistakes, and non-compliance is likely to generate consumer complaints which make enforcement far more likely in the first place. With the end of the mandatory cure period, that strategy is no longer viable at all, and the very fact that you delayed compliance can be used against you when the California Privacy Protection Agency is deciding whether to give you a second chance.

The best strategy is to get compliant now, without the pressure of state officials looking over your shoulder. TrueVault US makes it possible for small and medium-sized businesses to handle compliance with privacy laws across the country, including the CCPA, in a cost-effective and time-efficient way. Designed by attorneys, our software guides you step-by-step through everything from vendor onboarding to responding to privacy requests. Instead of waiting weeks or months, you can get compliant on your own in as little as a few hours.

Contact our team to learn more and schedule a demo.
