US privacy regulation enforcement continues despite delays
In a last-minute decision on June 30th, the Sacramento County Superior Court ruled on an enforcement complaint pertaining to the California Privacy Rights Act amendments of the California Consumer Privacy Act, effectively pushing enforcement of the CPRA regulations from July 1, 2023, to March 29, 2024.
This is significant because many organizations doing business in California have scrambled to meet the deadlines, guidelines and requirements set forth by the CPRA amendments, with July 1st enforcement and the end of cure periods for violations looming, only to be presented with a virtual handbrake on the energetic push. This push to comply isn’t for naught. In this article, we discuss why your organization’s CCPA/CPRA data privacy compliance efforts are important for today and beyond.
The CPRA is not completely delayed.
The court-ordered delay allows just 8 additional months to meet requirements for the California Act and amendments. However, the delay only pertains to specific CPRA rules. It does not affect the CPRA statute or regulations previously finalized under rulemaking provided for the CCPA. The California Privacy Protection Agency (CPPA) and the California Department of Justice can still bring enforcement actions on CPRA amendments as of July 1st.
The delay to March 2024 strictly pertains to data processing agreements, consumer opt-out mechanisms (“Do not sell my information” or “My privacy choices” in the footer of your website), mandatory recognition of opt-out preference signals (Global Privacy Controls), eliminating dark patterns, and consumer request handling.
Virginia, Colorado, and Connecticut are in enforcement.
Organizations may feel comfortable with their current data privacy program and with how they addressed CCPA concerns and the measures of the CPRA amendments to the CCPA. Virginia, Colorado, and Connecticut’s privacy laws came into effect on July 1, 2023, as well. Consumer request handling must take these, and future, laws into consideration.
US privacy acts follow the same declaration of consumer rights, with varying nuances: the Right to Access and Delete, as well as data portability. The Do Not Sell or Share (DNSS) requirement is not only a California requirement.
- The Virginia Consumer Data Protection Act (VCDPA) – The VCDPA is significantly more concise than the CCPA. The VCDPA clearly defines whose personal data is covered, describing consumers as Virginia residents “acting only in an individual or household context.” The VCDPA requires businesses to give consumers the ability to opt out of the processing of their personal data for the purposes of targeted advertising, sale of personal data, or profiling.
- The Colorado Privacy Act (CPA) – Colorado residents also have the rights to access, correct and delete their personal data as well as the right to opt out of the sale of their personal data or its use for targeted advertising or certain kinds of profiling.
- The Connecticut Data Privacy Act (CTDPA) – “An Act Concerning Personal Data Privacy and Online Monitoring” (CTDPA or “Act”). The CTDPA’s protections apply to ‘consumers’, defined as individuals who are residents of Connecticut. However, the CTDPA’s definition of ‘consumer’ does not include individuals acting in a commercial or employment context. A consumer can opt out of the sale of personal data to third parties. A consumer can also designate a third party to opt out on his or her behalf.
Future privacy laws with official dates:
- The Utah Consumer Privacy Act (UCPA) – Goes into effect on December 31, 2023
- California Privacy Rights Act (CPRA) – Postponed until March 29, 2024, but still in effect as of July 1st
- Texas Data Privacy and Security Act (TDPSA) – Goes into effect on July 1, 2024
- Montana Consumer Data Privacy Act (MCDPA) – Goes into effect on October 1, 2024
- Iowa Data Privacy Law (IDPL) – Goes into effect on January 1, 2025
- Tennessee Information Privacy Act (TIPA) – Goes into effect on July 1, 2025
- Indiana Consumer Data Protection Act (ICDPA) – Goes into effect on January 1, 2026
Cure periods aren’t a safeguard for catching up.
While cure periods can provide organizations time to address and rectify violations, the allotted time frame for rectification is less than adequate (on average, 30 to 60 days for US regulations); thus the CPRA delay. Be aware of other states’ cure periods and requirements as well (those states either already in enforcement or in effect soon):
- California’s CPRA eliminated the thirty (30) day cure period, but the CPRA allows the California Privacy Protection Agency (“CPPA”) to choose not to investigate a complaint or provide a business with a time period to cure the alleged violation. In determining an appropriate time period to cure, the CPPA may consider 1) the lack of intent to violate this title and 2) the voluntary efforts undertaken by the Company to cure the alleged violation prior to being notified by the agency of the complaint.
- The VCDPA provides a thirty (30) day cure period for alleged violations. The VCDPA requires that Companies provide an express written statement that the alleged violations have been cured and that no further violations will occur.
- The CPA provides a sixty (60) day cure period for alleged violations. This will remain in effect until January 1, 2025.
- The CTDPA provides a sixty (60) day cure period for alleged violations. This will remain in effect until January 1, 2024.
- The Utah Consumer Privacy Act (UCPA), which goes into effect on December 31, 2023, provides a thirty (30) day cure period for alleged violations. The UCPA requires that Companies provide an express written statement that the alleged violations have been cured and that no further violations will occur.
The number of US data privacy regulations continues to grow. These laws have similar provisions that tend to give corporations clear guidelines, notices, and time frames of enforcement. This can change rapidly via committee, the state attorney general, or superior court. Essentially, a company operating under these regulations must be proactive in keeping up with these changes.
For more 2023 Privacy Readiness on all emerging US laws, request a copy today! Learn how Clarip’s privacy governance platform is powered with true automation. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust!
Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.