No More Warning Shots: The End of the Cure Period and the Rise of Immediate Enforcement

For nearly a decade, businesses navigating the patchwork of U.S. state privacy laws have benefited from a quiet but consequential safety net: the “right to cure.” When a state attorney general concluded that a company had violated a privacy statute, the company typically received a notice identifying the alleged violation and a window, usually thirty or sixty days, to fix the problem before civil penalties or injunctive relief could be pursued. Cure successfully, and the matter ended without a fine. Fail to cure, and enforcement proceeded.

That model is now disappearing. In 2026, several state cure periods sunset by design, and the regulatory rhetoric in others has shifted from “good-faith oversight” to “compliance is your obligation, not ours.” For companies that have grown comfortable treating the cure period as a backstop, the operating environment has changed materially.

Where the Cure Period Stands in 2026

The most direct way to grasp the shift is to look at the calendar. Connecticut’s cure period sunset on December 31, 2024, and the state attorney general now exercises enforcement discretion rather than affording an automatic cure window. Colorado followed a similar trajectory, with its cure period expiring on January 1, 2025.

Additional states are joining them this year. Delaware’s mandatory cure period expired on January 1, 2026, as did Oregon’s right-to-cure period. Minnesota’s right-to-cure period sunsets later in 2026, and Montana’s Consumer Data Privacy Act cure period expired on April 1, 2026. Each transition leaves the underlying legal exposure unchanged (what businesses have always owed the residents of these states under the law) but changes the practical risk: regulators may now act on day one of an investigation.

Rhode Island opened a separate front. The Rhode Island Data Transparency and Privacy Protection Act took effect on January 1, 2026, and it launched without any cure period at all. A Rhode Island business that violates the statute is exposed to penalties of up to $10,000 per violation immediately upon the attorney general’s determination of a violation, with no statutory grace window built in.

California has not had a cure period under the CPRA framework since 2023. Texas, already aggressive on consumer protection enforcement, retains a 30-day cure period, but Attorney General Ken Paxton’s office has signaled no patience for businesses treating the window as an extension of their compliance deadline. The Texas AG has already recovered huge settlements from multiple companies.

Two important counterexamples remain. Both Indiana and Kentucky, whose comprehensive laws took effect on January 1, 2026, deliberately chose the opposite path: each enacted a permanent 30-day cure period that does not sunset and requires no future legislative action to preserve. These business-friendly provisions are increasingly the exception rather than the rule. Indiana further built in a six-month enforcement grace period running from April 1, 2026, to July 1, 2026, but the grace period is distinct from the cure period—once the grace period ends, the Indiana attorney general can begin enforcing violations, and the permanent 30-day cure right then applies on a per-violation basis.

Why Regulators Are Walking Away from the Grace Period Model

The original rationale for cure periods was straightforward. State privacy laws imposed novel and operationally complex obligations: privacy notices with prescribed disclosures, consumer rights workflows, vendor contracting requirements, sensitive-data consent capture, and data protection assessments. Lawmakers recognized that even well-intentioned businesses would need time to operationalize compliance, and that punishing minor or technical violations with immediate civil penalties would yield little consumer benefit.

That rationale weakens with time. Privacy compliance vendors, model contracts, off-the-shelf consent-management platforms, and detailed regulator guidance are all widely available. The legislatures’ implicit message in sunsetting these provisions: businesses have had ample notice, and the period of regulatory forbearance is over.

There is also a strategic enforcement dimension. When the Connecticut Attorney General settled the state’s first major Connecticut Data Privacy Act enforcement action for $85,000, the underlying conduct (an unreadable privacy notice, missing consumer rights disclosures, and inoperable opt-out mechanisms) was less significant than the procedural posture: the company had already received a deficiency notice and failed to remediate adequately. Regulators are using such patterns to establish that recidivism, ignored notices, and surface-level fixes evidence willfulness, justifying higher penalties in subsequent matters. The cure period’s disappearance is the next step in that progression.

What This Means Operationally

For mid-sized businesses with multi-state customer footprints, the shift forces a reset of three internal assumptions.

First, the assumption that compliance can be reactive must go. Building or rehabilitating a privacy program in response to a regulator’s letter was never a sound strategy, but the cure period made it survivable. In states without a cure window, the first contact with the attorney general’s office may be a civil investigative demand or a complaint, not a courtesy notice. The economics of “build-it-when-they-ask” have changed.

Second, the assumption that all states warrant a single compliance posture is no longer defensible. A multi-state organization now operates across a regulatory spectrum, from Iowa (a 90-day cure period, the longest of any state) at one end, to Rhode Island and California (no cure period) at the other. Treating “state privacy compliance” as a monolithic line item underweights the higher-risk jurisdictions and overinvests in the lower-risk ones.

Third, the assumption that cure periods are the relevant compliance buffer must be replaced with attention to enforcement-priority signals. State attorneys general have become increasingly transparent about what they are looking at: sensitive data processing, opaque or nonfunctional opt-out mechanisms, children’s data, biometric data, dark-pattern consent flows, and AI-driven decisioning. Businesses that align internal audits with these published priorities will benefit from the shrinking cure window because they will be far less likely to be the subject of an enforcement action in the first place.

Practical Steps for the Next Two Quarters

Three concrete actions will pay disproportionate dividends in the immediate-enforcement era.

The first is a privacy notice audit, conducted with fresh eyes and against the most demanding state’s requirements rather than the easiest. If the notice will pass scrutiny in California, Connecticut, and Colorado, it will pass nearly anywhere; if it will only pass scrutiny in Utah, the company is exposed in a dozen other states.

The second is a consumer rights workflow test. Submit access, deletion, and opt-out requests to your own systems through the channels you have published, and confirm they actually work: that a request is received, routed, fulfilled within statutory timelines, and accurately logged. Connecticut’s first enforcement action turned, in significant part, on opt-out mechanisms that were facially present but functionally broken.

The third is a vendor and processor contract review. Most state privacy laws make controllers accountable for how their processors handle personal data, and a downstream vendor’s noncompliant practice can become the controller’s enforcement problem. The right time to verify that data processing agreements are in place, and that they impose the specific contractual terms required by Virginia-model statutes, is before a regulator asks.

Closing Thought

The cure period was never a substitute for compliance. It was a transitional accommodation that recognized the difficulty of building privacy programs in real time. As that accommodation expires across the country, the message from state legislatures and attorneys general is unmistakable: privacy compliance is a precondition of doing business, not a deficiency to be corrected on demand. The companies that internalize that shift in 2026 will spend the rest of the decade managing privacy as a routine operational discipline. Those that do not will spend it answering letters they no longer have time to respond to.