Privacy Law Cure Periods by State: Which States Still Allow Time to Fix Violations in 2026?
What Is a Cure Period in Privacy Law?
A cure period is a window of time — typically 30 to 90 days — that a state attorney general must give a business to fix an alleged privacy law violation before taking enforcement action. During this window, the business can remedy the violation, and if the AG is satisfied that the issue has been resolved, no penalty is imposed.
Think of it as a grace period. Instead of immediately facing fines and legal action, businesses get a chance to correct course. But here is the critical trend: cure periods are disappearing across the United States. States that originally included them are letting them expire, and newer privacy laws often do not include them at all.
This matters because once a cure period is gone, an attorney general can pursue enforcement — including substantial fines — immediately upon discovering a violation, with no obligation to give you a heads-up first.
The Trend: Cure Periods Are Sunsetting
When the first wave of state privacy laws passed (Virginia, Colorado, Connecticut in 2021), most included cure periods as a concession to businesses. The idea was to give companies time to adapt to brand-new compliance requirements.
But legislators built in sunset dates. The message was clear: the grace period is temporary. Here is the timeline of cure period expirations:
- January 1, 2025 — Colorado and Connecticut cure periods expired
- October 1, 2025 — Montana cure period expired
- January 1, 2026 — Oregon cure period expired
- July 1, 2026 — Tennessee cure period is set to expire (upcoming)
Meanwhile, several states never included a cure period at all: California (CCPA), Rhode Island, and Maryland all allow immediate enforcement.
Cure Periods by State: Complete Comparison Table
| State | Cure Period (Days) | Status | Notes |
|---|---|---|---|
| California | None | No cure period | CCPA never included a mandatory cure period. The AG may consider a business’s compliance efforts as a mitigating factor. |
| Virginia | 30 days | Active (permanent) | Written into statute without a sunset date. AG must provide written notice and 30-day cure window. |
| Colorado | 0 | Expired Jan 1, 2025 | Was 60 days. AG now has full discretion on enforcement. |
| Connecticut | 0 | Expired Jan 1, 2025 | Was 60 days. AG may still consider good-faith compliance efforts. |
| Utah | 30 days | Active (permanent) | AG must provide written notice. Business-friendly enforcement approach. |
| Iowa | 90 days | Active (permanent) | Longest cure period of any state. Very business-friendly. |
| Indiana | 30 days | Active (permanent) | AG must provide written notice before enforcement. |
| Kentucky | 30 days | Active | Standard 30-day window after AG notice. |
| Rhode Island | None | No cure period | AG can enforce immediately. No mandatory notice requirement. |
| Tennessee | 60 days | Expires July 1, 2026 | Currently active but sunsets mid-2026. Businesses should prepare now. |
| Montana | 0 | Expired Oct 1, 2025 | Was part of the original law. AG now has immediate enforcement authority. |
| Texas | 30 days | Active | AG must notify and allow cure. Texas AG has been active on privacy enforcement. |
| Oregon | 0 | Expired Jan 1, 2026 | Was 30 days. Oregon AG can now pursue enforcement without prior notice. |
| Delaware | 60 days | Active | AG must provide written notice with specific violations identified. |
| New Hampshire | 60 days | Active | Standard notice-and-cure before AG action. |
| New Jersey | 30 days | Active | AG must provide notice. NJ Division of Consumer Affairs enforces. |
| Nebraska | 30 days | Active | AG must provide written notice before seeking penalties. |
| Minnesota | 30 days | Active | AG provides notice. Minnesota law effective July 31, 2025. |
| Maryland | None | No cure period | MODPA includes no cure period. Enforcement began April 1, 2026. |
| Florida | 45 days | Active | Written notice required. Applies only to businesses meeting Florida’s high revenue threshold ($1B+). |
| Oklahoma | 30 days | Active | Newly enacted (March 2026). AG must provide written notice. |
What It Means When a Cure Period Expires
When a cure period expires or a state has none, the practical impact is significant:
- Immediate enforcement — The attorney general can file an enforcement action without first contacting your business. There is no mandatory warning.
- Higher financial exposure — Without the safety net of a cure period, penalties can accumulate faster. For states like California with per-violation penalties, the total can grow quickly. See our penalties and fines guide for specific amounts.
- No guaranteed second chance — Even if you discover a compliance gap, you cannot count on having time to fix it before enforcement begins.
- Discretionary consideration — Most AGs retain discretion to consider good-faith compliance efforts, but this is not guaranteed and is not a legal right.
States to Watch: Tennessee Cure Period Expiring July 2026
Tennessee is the next state where the cure period is set to expire, on July 1, 2026. This is just three months away. Businesses subject to the Tennessee Information Protection Act should treat this as a hard deadline to ensure full compliance.
After July 1, the Tennessee AG will have discretion to pursue enforcement without providing advance notice. Given that Tennessee requires businesses processing data of at least 175,000 consumers or 25,000 consumers with revenue from data sales, this affects a significant number of companies operating in the state.
5-Step Action Plan for Businesses
Whether your state still has a cure period or not, proactive compliance is always better than reactive remediation. Here is what to do:
- Identify which states apply to you — Use our Privacy Law Calculator to determine which state laws your business must comply with based on your revenue, consumer count, and data practices.
- Check cure period status — For each applicable state, confirm whether a cure period exists and whether it is permanent or sunsetting. Use the table above as your reference.
- Prioritize states without cure periods — California, Colorado, Connecticut, Oregon, Montana, Rhode Island, and Maryland all allow immediate enforcement. If you are subject to these laws, compliance gaps carry the highest risk.
- Run a compliance audit — Review your data practices, privacy policies, opt-out mechanisms, and DSAR processes against each applicable state law. Use our state comparison tool to identify differences in requirements.
- Document your compliance efforts — Even in states without a cure period, demonstrating good-faith compliance efforts can be a mitigating factor. Keep records of your audits, policy updates, training, and remediation steps.
Frequently Asked Questions
Does California have a cure period for CCPA violations?
No. The CCPA as amended by the CPRA does not include a mandatory cure period. The CPPA and the California AG can pursue enforcement — including fines of up to $2,500 per violation or $7,500 per intentional violation — without first giving businesses an opportunity to cure. However, enforcement authorities may consider a business’s compliance efforts when deciding whether and how to pursue an action.
What happens if I fix a violation during a cure period?
If your state has an active cure period and you receive notice from the AG, you typically have the specified number of days (usually 30) to remedy the violation. If the AG is satisfied that you have cured the violation and provided a written statement that no further violations will occur, the matter is typically closed without penalties. However, if the same violation recurs, most states allow the AG to pursue enforcement without providing another cure opportunity.
Can a state attorney general still pursue enforcement even if a cure period exists?
In states with active cure periods, the AG generally must provide notice and allow the cure window before seeking penalties. However, if the business fails to cure within the window, or if the AG determines the violation was intentional, enforcement can proceed. The cure period protects against immediate penalties — it does not provide immunity.
Which state has the longest cure period?
Iowa has the longest cure period at 90 days. This is three times the standard 30-day window used by most states. Iowa’s privacy law is generally considered the most business-friendly of the comprehensive state privacy laws.
Are more states expected to eliminate their cure periods?
The clear trend is toward elimination. Tennessee’s cure period expires July 1, 2026. While we cannot predict legislative changes, the pattern suggests that states may continue to sunset cure periods as their privacy laws mature. Businesses should not rely on cure periods as a long-term compliance strategy — treat every state as if immediate enforcement is possible.
Last updated: March 29, 2026.Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.