Cure Periods and the Private Right of Action
Cure periods split: California's expired; Colorado and Connecticut's sunset Dec 31, 2024; Utah and Virginia have a 30-day cure with no end date. No state has a traditional private right of action; California has only a limited one tied to data breaches.
| State | Cure period status |
|---|---|
| California | Initially had one; expired before this writing |
| Colorado | Has a cure period; sunsets Dec 31, 2024 |
| Connecticut | Has a cure period; sunsets Dec 31, 2024 |
| Utah | 30-day cure; no statutory end date |
| Virginia | 30-day cure; no statutory end date |
None of the five laws has a traditional private right of action. Colorado, Connecticut, Utah, and Virginia provide none at all. California has only a limited private right of action (California) tied to security breaches of personal information (as defined in its breach-notification law) and to usernames/passwords - not to the general consumer rights in this chapter.
Don't overstate California's private right of action. It is limited to data breaches (and account credentials), not to the access/deletion/opt-out rights. The other four states give consumers no private right of action at all.