
Cure Period

A statutory window during which a controller that has allegedly violated a state privacy law can remediate the issue and avoid enforcement action. Cure periods vary by state, with several having already expired and others scheduled to sunset.

Overview

A cure period is a statutory grace window — typically 30 to 90 days — during which a controller that receives a notice of violation from the state attorney general (or equivalent regulator) can fix the violation and thereby avoid enforcement. Cure periods were a political compromise inserted into most state privacy laws to address business concerns about immediate exposure to penalties during the compliance learning curve.

They are a feature of early-stage enforcement, not a permanent feature. Several states structured their cure periods with sunset provisions that expired 12 to 24 months after the effective date, and the trend is clearly toward phasing them out. California never had a meaningful cure period for post-CPRA violations; Rhode Island enacted its law without one.

A cure period is not a safe harbor. It does not pause the underlying obligation, it does not prevent private-right-of-action lawsuits where those exist, and it generally does not apply to willful violations.

When It Applies

A controller becomes eligible for the cure period when all of the following are true:

  1. The state's enforcement authority issues a notice of violation (not a generic inquiry)
  2. The cure period is still active in that state (some have expired)
  3. The controller responds within the statutory window with a written statement that the violation has been cured and that no similar violations will occur
  4. The violation is not a category that falls outside cure eligibility (willful conduct, breach-triggered lawsuits, data-broker registration failures)

If the controller fails to cure within the window — or if the cure is rejected as incomplete — the attorney general may proceed with enforcement and seek the full statutory penalty plus any restitution.

Variations Across Jurisdictions

From docs/privacy-knowledge/consolidated/COMPLIANCE_MATRIX.md Matrix 1:

| State | Cure Period (days) | Status (as of Apr 2026) |
|---|---|---|
| California (CCPA/CPRA) | 0 | No cure period (CPRA eliminated the original 30-day CCPA cure) |
| Virginia | 30 | Active |
| Colorado | 0 | Expired January 2025 (originally 60 days) |
| Connecticut | 0 | Expired January 2025 (originally 60 days) |
| Utah | 30 | Active — permanent |
| Oregon | 0 | Expired January 2026 (originally 30 days) |
| Texas | 30 | Active |
| Florida | 45 | Active |
| Montana | 60 | Active |
| Iowa | 90 | Active — permanent |
| Delaware | 60 | Active |
| Nebraska | 30 | Active |
| New Hampshire | 60 | Active |
| New Jersey | 30 | Expires July 17, 2026 |
| Tennessee | 60 | Active |
| Minnesota | 30 | Active |
| Maryland | 60 | Reduces in April 2027 |
| Indiana | 30 | Active |
| Kentucky | 30 | Active |
| Rhode Island | 0 | No cure period (statute enacted without one) |

Key implications:

  • The five states with no cure period (CA, CO, CT, OR, RI) offer no grace window — the first violation is enforceable.
  • Iowa and Utah made their cure periods permanent, signaling a lower-enforcement posture.
  • Several states have scheduled sunsets (NJ in July 2026; MD reduction in April 2027) — compliance roadmaps should plan for the stricter post-sunset regime.
  • No state's cure period applies to private rights of action (CCPA breach lawsuits, BIPA, Massachusetts 93A).

How Inori Handles This

Inori's compliance posture is designed to operate as if no cure period existed, because the strictest states (CA, CO, CT, OR) effectively treat the first violation as actionable.

Grounding in code:

  • Continuous readiness — src/content/legal/privacy.mdx v1.2 is versioned and updated whenever the privacy knowledge base changes; /legal/subprocessors is maintained as a live document.
  • DSAR SLA — src/app/api/dsar/ enforces the 45-day response baseline with the statutory 45-day extension capped at 90 days total, matching the strictest state (California).
  • GPC honoring — middleware.ts:respectGpc is already live; waiting for a notice of violation would be too late in no-cure states.
  • Hard-purge discipline — src/app/api/cron/hard-purge-deleted-accounts runs on a cadence that matches the strictest retention deadline, not the most forgiving.
  • Audit trail — certificates.guard_version and the domain-events bus (SP16) preserve the evidence needed to demonstrate remediation within the tightest active cure window (Nebraska, Indiana, Kentucky, New Jersey, Utah, Virginia — all 30 days) if a notice ever issues.

Related Concepts

Cure-period mechanics are embedded in the enforcement section of each state law — see CCPA/CPRA, VCDPA, CPA Colorado, CTDPA, and TDPSA for the jurisdiction-specific nuances.


Related Terms

CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)

California's comprehensive consumer privacy laws giving residents the right to know, delete, correct, and opt out of the sale or sharing of their personal information. CPRA amended and expanded CCPA effective January 1, 2023.

Virginia Consumer Data Protection Act (VCDPA)

Virginia's comprehensive consumer privacy law — the second state law after CCPA — granting residents rights to access, correct, delete, and opt out of data sales. Served as the template for most subsequent state laws.

Colorado Privacy Act (CPA)

Colorado's comprehensive privacy law — the third state after California and Virginia — notable for being the first to formally approve Global Privacy Control as a Universal Opt-Out Mechanism and for pairing with the Colorado AI Act.

Connecticut Data Privacy Act (CTDPA)

Connecticut's comprehensive privacy law, a hybrid of the CCPA and VCDPA models, notable for mandatory Universal Opt-Out Mechanism support and sunsetting the GLBA exemption for financial institutions in July 2026.

Texas Data Privacy and Security Act (TDPSA)

Texas's comprehensive privacy law, unique for having no revenue or consumer-count thresholds — it applies to any non-small-business operating in Texas — paired with aggressive enforcement by the Texas Attorney General.