In the coming months, more states will be able to to initiate investigations into and penalize companies that violate state consumer privacy laws as mandatory cure periods expire. Five states—Delaware, Minnesota, Montana, New Hampshire, and Oregon—will sunset their mandatory cure provision, with varying expiration dates between Oct. 1, 2025, and Jan. 31, 2026, according to Bloomberg Law’s State Comprehensive Privacy Laws vs. GDPR Chart Builder.
Many states initially included a cure period (typically 30, 60, or 90 days) in their privacy laws as a way to encourage proactive compliance. Their aim was to give businesses time to understand new requirements ...