New Privacy Laws Are in Effect, and the Grace Period Is Ending

June 25, 2026

Twenty states now have comprehensive privacy laws in effect, and the cure periods that once gave companies time to fix problems are expiring. Many companies are now in scope without having noticed.

For years, many companies treated state privacy law as something that applied to someone larger. That assumption is increasingly out of date. 

As of 2026, twenty states have comprehensive privacy laws in effect. Three new ones took effect on January 1. Several existing laws were amended. And the cure periods that once gave companies a window to fix a problem before penalties applied are starting to expire across the country. 

This does not mean every company is suddenly out of compliance. It does mean the line for who is covered has moved, and a number of companies are now inside it without having noticed. 

Why this matters now 

For most of the last few years, the practical reality of state privacy law was forgiving. The number of states with comprehensive laws was small, thresholds were high, and enforcement often came with a cure period, a window to fix a violation before any penalty attached. 

That posture is changing on two fronts at once. 

First, coverage is widening. Indiana, Kentucky, and Rhode Island laws took effect on January 1, 2026, with amendments to Connecticut, Arkansas, and Utah following on July 1. Rhode Island’s law is worth noting in particular: its thresholds are low enough to reach companies handling the data of roughly 35,000 consumers. Plenty of businesses that assumed they were too small to worry are now within scope. 

Second, the safety net is being removed. Cure periods are expiring. Delaware’s ended on December 31, 2025. Montana’s lapses on April 1, 2026. New Jersey’s is set to expire mid-year. As those windows close, regulators can move directly to enforcement, and penalties generally run between $7,500 and $10,000 per violation. 

None of this means a wave of enforcement is coming for every company. It does mean the assumption that there will always be time to fix things later is no longer safe. 

Compliance is not only a legal exercise 

Like diligence in a financing, privacy compliance is partly a trust exercise. 

Customers, enterprise buyers, and partners increasingly ask how a company handles personal data before they sign. A clear, accurate privacy posture sends a signal that the company is organized and credible. An outdated policy that no longer matches actual practice sends the opposite signal, and it tends to surface at inconvenient moments, such as during a sales cycle, a financing, or an acquirer’s diligence. 

So the question is not only whether a regulator might act. It is also whether the company can answer a basic question with confidence: do our stated data practices match what we actually do? 

Common gaps that create privacy exposure 

The most common problems are rarely dramatic. They are usually small gaps that accumulate over time. 

A privacy policy may have been copied from an early template and never updated. The stated practices may no longer match how the product actually collects and uses data. There may be no clear process for handling consumer rights requests, such as access, deletion, correction, and portability, even though several state laws now require one. Sensitive data may be processed without the consent that some states now require for it. Vendor and data processing agreements may be inconsistent or incomplete. 

Again, these issues do not always create a serious legal problem. But they can create exposure, and they become harder to address once a complaint, a request, or a diligence review has already arrived. 

This is not about building a heavyweight privacy program 

The goal is not to stand up an enterprise privacy office before the company needs one. 

The goal is to know which laws actually apply, based on where the company’s customers are and how much data it handles, and to address the gaps that matter most. A company does not need to comply with all twenty laws. It needs to know which ones it triggers, and what those specific laws require. 

That is a focused exercise, and it tells the company exactly where to spend effort and where it can reasonably wait. 

What companies should review 

Before assuming the question is settled, a company should be able to confirm the following: 

  • The states where it has customers or collects consumer data 
  • Whether its data volume crosses the applicable state thresholds 
  • Whether the privacy policy reflects current, actual data practices 
  • Whether there is a working process for consumer rights requests 
  • Whether sensitive data is handled with the required consent 
  • Whether vendor and data processing agreements are consistent and current 
  • Who owns privacy compliance inside the company 

These are manageable questions when addressed in advance. They become more disruptive when they arise after a request or complaint has already been made. 

The practical advantage 

Privacy compliance is easier to handle before it becomes reactive. 

Companies that scope their obligations early can focus their effort, avoid unnecessary work on laws that do not apply, and respond with confidence if a customer, partner, or regulator asks. The expanding map of state laws is a reason to get clear, not a reason to panic. 

The laws have changed. The grace periods are closing. The companies that take a short, focused look now are the ones least likely to be caught off guard later. 

How CGL can help 

CGL helps companies figure out which privacy laws actually apply to them and what to address first, before the question becomes urgent. 

A focused privacy review can identify which state laws a company likely triggers, whether its policies match its practices, and which gaps are worth closing now versus later. If you are not sure where your company stands, replying with the states where you have customers is enough for us to point you in the right direction. 

Disclaimer

The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.

Other Articles

The 2018 Farm Bill Explained
CBD Brands: 3 Tips for Navigating FDA Law
External Privacy Policy with hand hovering above it and reading glasses sitting on it Is an External Privacy Policy Enough?

    Please take a moment to tell us a few things about your needs and someone from our team will reach out to you as soon as possible.

    We would to hear from you

    Thank you for reaching out!

    Someone from our team will get back to you shortly

    We would to hear from you

    Tell Us About Your Legal Needs and Our Team Will Be in Touch