Montana’s Privacy Cure Period Expired April 1 — No More 60-Day Grace

May 8, 2026
by Cherry Rose

Montana’s Consumer Data Privacy Act lost its right-to-cure provision on April 1, 2026 — meaning the Montana Attorney General can now go straight to enforcement on cookie banner and tag-firing violations without giving WooCommerce stores a 60-day window to fix the problem first. Montana joins California, Texas, Oregon, Connecticut and Maryland as states where AG enforcement requires no cure period (VeraSafe / Secure Privacy, 2026). The architectural reality this creates is brutal: WooCommerce stores running tag-fires-before-consent patterns on woocommerce_thankyou are now structurally exposed in any state where the AG can move from finding a violation to penalty in a single step.

What “Right to Cure” Was, and What It Did

A right-to-cure provision in a state privacy law gives a business a fixed window — usually 30 or 60 days — to fix a violation after the AG sends a notice of non-compliance. If the business cures the issue inside that window, no penalty. If they don’t, the AG can pursue civil penalties, injunctions, and (in some states) consumer restitution.

Until April 1, Montana had a 60-day cure window. A tracking pixel fires before the banner records consent? You’d get a notice, you’d have time to fix the wiring, and as long as you fixed it, the case closed without a penalty. That safety net is gone for Montana cases filed after April 1.

The broader picture matters here. By January 2026, 19 states enforce comprehensive privacy laws covering nearly 50% of US consumers (Secure Privacy / IAPP, 2026). The cure-period sunset isn’t a one-state quirk — it’s the pattern. As states get further from enactment, they remove the on-ramp grace periods and shift toward direct enforcement. Sourcepoint’s Julie Rubash put it directly in the firm’s 2026 State of Privacy report: this will be the year that US regulatory enforcement really gets into the weeds, and surface-level compliance isn’t going to cut it anymore.

Montana’s Threshold and Why It Matters for WooCommerce

Montana’s CDPA applies at 50,000 Montana residents whose personal data is processed in a year, or 25,000 if the business derives more than 25% of revenue from selling personal data. Montana has roughly 1.1 million residents — that 50,000 threshold represents about 4.5% of the state population, lower than most other state laws.

For a typical WooCommerce store running ads through Google and Meta, hitting 50,000 Montana residents through pixel data collection is more reachable than the threshold suggests. Every visitor who lands on your store from a Montana IP and triggers a Meta Pixel page view counts toward processing the personal data of a Montana resident — not just buyers. Pixel-based tracking turns visitor counts into compliance liability counts.

The enforcement context is sharpening fast. France’s CNIL fined Google €325M and Shein €150M for invalid cookie consent in 2025-2026 (TrustArc Privacy Enforcement Report, 2026). Cumulative GDPR fines reached €5.88 billion, and 75% of websites fail basic consent requirements (GDPR Enforcement Tracker, 2025). That same enforcement model is the template US AGs are copying from — and Montana just removed the gentlest part of it.


The Architectural Reality: Tags Fire Before Consent on woocommerce_thankyou

Most WooCommerce stores have a structural problem nobody mentions in the privacy-plugin marketing pages. The woocommerce_thankyou hook fires the moment the order completes. The Meta Pixel Purchase event, the Google Ads conversion event, the Klaviyo Order Placed event — they all fire on or near that hook, in the browser, in the same second the page loads. The CMP banner loads alongside, but on the thank-you page the user has nothing left to consent to — they’ve already paid.

Even on landing and product pages, the timing is fragile. If the Meta Pixel script is injected by the theme or by a non-CMP plugin, it fires the moment its <script> tag is parsed — typically before the CMP has loaded its decision engine, and definitely before the visitor has clicked anything. By the time the consent banner appears, requests have already left for Facebook’s servers carrying URL, referrer, IP, and any URL parameters in scope.

This is the pattern automated regulator audits are now testing for. By end of 2025, twelve states legally require websites to honor Global Privacy Control opt-out signals (VeraSafe US Privacy preparation, 2026), which means automated tools can scan a WooCommerce store, send a GPC header, and observe whether tracking pixels fire anyway. They almost always do. With Montana’s cure period gone, that scan result becomes evidence the AG can act on directly.

What Automated Regulator Audits Look For

The mechanics are simple enough that the same script runs across hundreds of stores in an afternoon:

  • GPC signal sent in the request header. A compliant store should treat the GPC header as a deemed opt-out from sale and sharing of personal data.
  • Network requests captured. Every outbound request from the page to Meta, Google, TikTok, Klaviyo, etc., logged with timing.
  • Cookie writes captured. Every cookie set or read from the user’s device, especially advertising cookies.
  • Decision evidence checked. Did the consent decision fire before the tracking requests? Or after? Or never?

If the answer is “after” or “never” — which it is on most default WooCommerce stacks — the audit produces an evidence file. Pre-April 1 in Montana, that file triggered a notice and a 60-day window. Post-April 1, it triggers an enforcement decision.
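The classification step of such an audit is worth seeing concretely. The block below is an added example, not code from the original post or from any regulator’s tooling: it takes a constructed request capture of the kind a headless browser produces (request timestamps relative to navigation start, whether GPC was sent, and when, if ever, a consent decision was recorded), matches outbound requests against a small assumed map of tracker hostnames, and labels each tracking request as fired before the decision, after a denial, after a grant, or with no decision ever recorded. The tracker host list, the sharing/non-sharing split, the placeholder pixel and conversion IDs, and both sample captures are assumptions constructed for the example.

```javascript
// Added example: classify captured network requests against the recorded
// consent decision the way an automated GPC audit would. Not the original
// post's code; host list and sample captures are constructed/assumed.

// Assumed map of third-party hostnames to the tag family that calls them.
// Deliberately incomplete: it exists so the classifier has something to match.
const TRACKER_HOSTS = new Map([
  ["www.facebook.com", "Meta Pixel"],
  ["connect.facebook.net", "Meta Pixel"],
  ["www.google-analytics.com", "Google Analytics"],
  ["googleads.g.doubleclick.net", "Google Ads"],
  ["analytics.tiktok.com", "TikTok Pixel"],
  ["a.klaviyo.com", "Klaviyo"],
]);

// Tags the audit treats as "sale or sharing" destinations, which a GPC
// signal must stop regardless of any later banner click (assumed grouping).
const SHARING_TAGS = new Set(["Meta Pixel", "Google Ads", "TikTok Pixel"]);

function trackerFor(url) {
  try { return TRACKER_HOSTS.get(new URL(url).hostname) || null; }
  catch { return null; } // malformed URL in the capture: not a tracker hit
}

// capture: { gpcSent: bool, consent: { decidedAt: ms | null, granted: bool },
//            requests: [{ t: ms since navigation start, url }] }
function classifyRequests(capture) {
  const { gpcSent, consent, requests } = capture;
  const findings = [];
  for (const req of requests) {
    const tag = trackerFor(req.url);
    if (!tag) continue; // first-party or unknown host: out of scope
    let timing;
    if (consent.decidedAt === null) timing = "consent_never_recorded";
    else if (req.t < consent.decidedAt) timing = "fired_before_decision";
    else if (!consent.granted) timing = "fired_after_denial";
    else timing = "fired_after_grant";
    const gpcIgnored = gpcSent && SHARING_TAGS.has(tag);
    findings.push({
      t: req.t, tag, url: req.url, timing, gpcIgnored,
      violation: timing !== "fired_after_grant" || gpcIgnored,
    });
  }
  return findings;
}

// Summarise a capture into the evidence lines an auditor would file.
function auditVerdict(capture) {
  const violations = classifyRequests(capture).filter(f => f.violation);
  return {
    compliant: violations.length === 0,
    violationCount: violations.length,
    evidence: violations.map(f =>
      `t=${f.t}ms ${f.tag} ${f.timing}${f.gpcIgnored ? " gpc_ignored" : ""} ${f.url}`),
  };
}

// Constructed capture of a WooCommerce thank-you page: Purchase/conversion
// tags fire on load, GPC was sent, and no consent decision is ever recorded.
const THANKYOU_CAPTURE = {
  gpcSent: true,
  consent: { decidedAt: null, granted: false },
  requests: [
    { t: 95,  url: "https://example-store.test/checkout/order-received/1234/?key=wc_order_PLACEHOLDER" },
    { t: 140, url: "https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=Purchase" },
    { t: 162, url: "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/CONVERSION_ID_PLACEHOLDER/?value=89.00&currency_code=USD" },
    { t: 210, url: "https://a.klaviyo.com/onsite/track?company_id=COMPANY_ID_PLACEHOLDER" },
  ],
};

// Constructed capture of a landing page: the visitor clicked "Reject" at
// 3.2 s, but the Meta Pixel had already fired when its <script> was parsed.
const LANDING_CAPTURE = {
  gpcSent: false,
  consent: { decidedAt: 3200, granted: false },
  requests: [
    { t: 380,  url: "https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView" },
    { t: 3400, url: "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER&en=page_view" },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, cap] of [["thank-you", THANKYOU_CAPTURE], ["landing", LANDING_CAPTURE]]) {
    const v = auditVerdict(cap);
    console.log(`${name}: compliant=${v.compliant} violations=${v.violationCount}`);
    v.evidence.forEach(line => console.log("  " + line));
  }
}
```

Run with `node audit.js`: the thank-you capture yields three violations (every tracker call, since no decision was ever recorded and GPC was ignored by the two sharing destinations), and the landing capture yields two (one fired before the decision, one after a denial). The first-party order-received request is ignored, which is the distinction that matters: the audit is about what left for third parties, and when.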

California’s CPPA already operates this way. The CPPA has hundreds of privacy investigations in progress as of early 2026 with target businesses often unaware (Secure Privacy 2026 tracker). State AGs talk to each other; methodology that works in one state shows up in the next.


The Fix: Consent Enforcement at the Server Layer

The browser-side architecture is the source of the problem because the consent decision and the tag firing live on the same fragile timeline. A new tag added by an agency intern next week, a theme update that re-orders script loading, a CMP plugin that misses an update — any of these can break compliance overnight. There’s no engineering review, because tagging changes look like marketing changes.

Server-side consent enforcement removes the timing problem entirely. Events from woocommerce_thankyou and other hooks flow into a single first-party server. The consent state is checked once at ingress, the per-destination payload is filtered once, and only allowed events leave the building. A deployment change can’t “temporarily” let a pixel fire before consent because the pixel doesn’t fire from the browser at all.

Transmute Engine™ is a first-party Node.js server that runs on your subdomain (e.g., data.yourstore.com). The inPIPE WordPress plugin captures events from WooCommerce hooks and customer interactions, applies the consent gate at ingress, and routes only allowed events to GA4, Google Ads, Meta CAPI, BigQuery, and Klaviyo. One ingress, one gate, one log line per event — the audit-friendly architecture that survives no-cure-period enforcement.
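What “one ingress, one gate, one log line per event” means in code is shown below. This is an added example written for this page, not Transmute Engine or inPIPE code: a purchase event as a WooCommerce hook handler might forward it arrives at a first-party ingress together with the visitor’s recorded consent state, the gate decides per destination whether the event may leave, strips every field the destination is not entitled to, and emits a single log line. The destination table (which consent purpose each needs, which count as sale/sharing destinations, which fields each may receive), the purpose names `analytics` and `marketing`, and the sample event are assumptions; a real deployment would take them from the CMP’s categories and the store’s data map.

```javascript
// Added example: a server-side consent gate applied once at ingress.
// Not Transmute Engine / inPIPE code; destination rules are assumed.

// Per-destination rules (assumed): the consent purpose required, whether
// the destination counts as "sale or sharing" for GPC purposes, and the
// only fields it may receive. Anything not listed is stripped.
const DESTINATIONS = {
  ga4:        { purpose: "analytics", sharing: false, allowedFields: ["event", "order_id", "value", "currency", "items"] },
  bigquery:   { purpose: "analytics", sharing: false, allowedFields: ["event", "order_id", "value", "currency", "items", "ts"] },
  google_ads: { purpose: "marketing", sharing: true,  allowedFields: ["event", "order_id", "value", "currency"] },
  meta_capi:  { purpose: "marketing", sharing: true,  allowedFields: ["event", "order_id", "value", "currency", "email_hash"] },
  klaviyo:    { purpose: "marketing", sharing: false, allowedFields: ["event", "order_id", "value", "currency", "items", "email"] },
};

function pick(obj, keys) {
  return Object.fromEntries(keys.filter(k => k in obj).map(k => [k, obj[k]]));
}

// event:   the payload forwarded from the WooCommerce hook
// consent: { purposes: { analytics: bool, marketing: bool }, gpc: bool }
//          A missing record or missing purpose is treated as "not consented".
// Returns { allowed: { dest: filteredPayload }, dropped: { dest: reason }, log }
function gateEvent(event, consent) {
  const purposes = (consent && consent.purposes) || {};
  const gpc = Boolean(consent && consent.gpc);
  const allowed = {};
  const dropped = {};
  for (const [dest, rule] of Object.entries(DESTINATIONS)) {
    if (gpc && rule.sharing) { dropped[dest] = "gpc_opt_out"; continue; }
    if (!purposes[rule.purpose]) { dropped[dest] = `no_${rule.purpose}_consent`; continue; }
    allowed[dest] = pick(event, rule.allowedFields); // per-destination filtering
  }
  const log = [
    `event=${event.event}`,
    `order=${event.order_id}`,
    `gpc=${gpc ? 1 : 0}`,
    `analytics=${purposes.analytics ? 1 : 0}`,
    `marketing=${purposes.marketing ? 1 : 0}`,
    `sent=${Object.keys(allowed).join(",") || "-"}`,
    `dropped=${Object.entries(dropped).map(([d, r]) => `${d}:${r}`).join(",") || "-"}`,
  ].join(" ");
  return { allowed, dropped, log };
}

// Constructed sample: what a woocommerce_thankyou handler might forward.
// The IP and user agent are present on arrival and must never leave.
const SAMPLE_EVENT = {
  event: "purchase",
  order_id: 1234,
  value: 89.0,
  currency: "USD",
  items: [{ sku: "SKU-PLACEHOLDER", qty: 1 }],
  email: "buyer@example.com",
  email_hash: "SHA256_OF_NORMALISED_EMAIL_PLACEHOLDER",
  ts: 1775000000,
  ip: "203.0.113.7",
  user_agent: "Mozilla/5.0 (constructed)",
};

if (typeof require !== "undefined" && require.main === module) {
  const cases = [
    ["full consent",  { purposes: { analytics: true,  marketing: true  }, gpc: false }],
    ["gpc present",   { purposes: { analytics: true,  marketing: true  }, gpc: true  }],
    ["no consent",    { purposes: { analytics: false, marketing: false }, gpc: false }],
    ["no record",     undefined],
  ];
  for (const [name, consent] of cases) {
    const { log } = gateEvent(SAMPLE_EVENT, consent);
    console.log(`${name.padEnd(13)} ${log}`);
  }
}
```

Two properties fall out of the structure rather than out of careful tagging. First, the decision is taken once, before any destination is contacted, so there is no ordering between “consent loaded” and “tag ran” to get wrong. Second, a field reaches a destination only if it is on that destination’s allow-list, so a new field added to the WooCommerce payload is dropped everywhere until someone deliberately adds it to a rule, which is the engineering review step the browser-side pipeline never had.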

Key Takeaways

  • Montana’s cure period expired April 1, 2026: the AG can now move from violation to enforcement without a 60-day grace window.
  • Six states now lack cure periods: California, Texas, Oregon, Connecticut, Maryland, and Montana — the trajectory of the rest is to follow.
  • Browser-side consent is structurally fragile: tags fire before banners load, and any deployment change can silently break compliance.
  • Automated GPC audits produce evidence directly: a single scan can produce the violation file an AG needs to enforce.
  • Server-side enforcement is the architectural fix: consent applied once at ingress, no browser-side race conditions to lose.

Frequently Asked Questions

Does Montana’s privacy law apply to my online store?

If your business processes the personal data of 50,000 Montana residents in a year, or 25,000 residents and derives more than 25% of revenue from selling personal data, Montana CDPA applies regardless of where the business is registered. With pixel-based tracking, every Montana visitor counts as a resident whose data is processed, not just every buyer, which makes the threshold much more reachable than it sounds.

What is the Montana Consumer Data Privacy Act applicability threshold?

The MTCDPA covers businesses that control or process the personal data of at least 50,000 Montana consumers in a year, or 25,000 consumers if the business derives over 25% of gross revenue from the sale of personal data. That 50,000 figure is roughly 4.5% of the Montana population, lower than the thresholds in most other state laws, and no cure period is available after April 1, 2026.

How do I make my WordPress site compliant with the Montana CDPA?

A compliant WordPress store needs three things: a CMP that records explicit consent before any tracking pixel fires, recognition of Global Privacy Control headers as a deemed opt-out, and a way to honor consumer rights requests (access, correction, deletion). The fragile element on most WooCommerce stacks is timing — browser-side tags often fire before the CMP has read the user’s choice. Server-side consent enforcement at a first-party ingress removes that timing risk entirely.

The cure period is gone in Montana and the model is spreading. Visit seresa.io to see what server-side consent enforcement looks like on a WooCommerce stack.
