Key point: Regulations proposed in June 2025 to implement the New Jersey Data Privacy Law expired on June 2, 2026, when the regulations were not adopted within a year of the proposal. The path forward for future rulemaking to implement the law is uncertain.
In this episode of The Consumer Finance Podcast, Chris Willis and Kim Phan unpack Colorado’s brand-new Automated Decision-Making Technology (ADMT) Act, which repeals and replaces the state’s much-criticized 2024 AI law. They explain the shift from “high-risk AI systems” to the broader ADMT framework, what it means for consequential decisions in lending and financial services, and how the statute’s “material influence” standard can sweep in tools that do far more than make final credit determinations.
Key Point: With the June 3, 2026, compliance deadline fast approaching, small firms subject to amended Regulation S‑P under the Gramm-Leach-Bliley Act (GLBA) should be in the final stages of updating their privacy and safeguards programs. In January 2026, the Securities and Exchange Commission (SEC) held an outreach event to help small firms comply with the amendments to Regulation S-P. This webinar was geared toward small firms in advance of the June 3, 2026, compliance deadline. The SEC highlighted new Regulation S-P compliance obligations, SEC exam team approaches moving forward, and held an examination workshop, which included an incident response tabletop discussion, review of a sample document request list, and a mock examination session.
On April 22, the U.S. House of Representatives Financial Services Committee and the Energy and Commerce Committee jointly unveiled a paired privacy package that, taken together, would substantially recast the federal obligations for the treatment of consumer data. The “Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act” (the GUARD Financial Data Act) would update and enhance Title V of the Gramm‑Leach‑Bliley Act (GLBA) for financial institutions. The “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (the SECURE Data Act) would create a national, cross‑sector privacy framework that would have applicability and features similar to the current patchwork of state comprehensive privacy laws, with strong entity-level and data-level exemptions for financial institutions and financial data subject to GLBA (and for HIPAA-covered entities and business associates, certain nonprofits, and institutions of higher education).
A new discussion draft from Representative Bill Huizenga (R-MI) would significantly update Title V of the Gramm‑Leach‑Bliley Act (GLBA) to reflect how financial data is collected, shared, and monetized in today’s market. Released in connection with the March 17, 2026 House Financial Services Committee (Committee) hearing, “Updating America’s Financial Privacy Framework for the 21st Century,” the draft purports to give consumers greater control over their financial data, impose new limits on financial institutions and data aggregators, and create a more uniform national privacy regime for consumer financial information.
In this special joint episode of The Consumer Finance Podcast and Payments Pros, Taylor Gess and Kim Phan discuss key privacy and data security risks in point-of-sale finance. They dive into regulators’ growing view that every player in the payments chain shares responsibility for protecting data, highlighting best practices for vendor management, PCI DSS oversight, and incident response planning. The episode also touches on the shifting patchwork of state privacy and breach notification laws, GLBA exemptions, and the risks of data monetization, including when packaging and selling transaction data can trigger Fair Credit Reporting Act obligations.
Key point: All businesses struggle with cybersecurity risks presented by their service providers. New guidance from the NY DFS applies to all DFS regulated entities, but the guidance would assist any business in any industry in addressing these risks.
On October 21, 2025, the New York Department of Financial Services (the “DFS”) issued important guidance for covered entities (including all DFS licensees) for managing their cybersecurity risk related to third-party service providers (“TPSPs”). Industry Letter – October 21, 2025: Guidance on Managing Risks Related to Third-Party Service Providers | Department of Financial Services specifically includes the covered entity’s use of cloud, file transfer, AI and fintech providers (“Guidance”). According to the DFS, the “Guidance does not impose new requirements or obligations . . ..” Rather, “it is intended to clarify regulatory requirements, recommend industry best practices . . ., and promote compliance . . ..” The Guidance highlights that managing the cybersecurity risk presented by TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program,” and notes that it applies to all covered entities, regardless of size.
Key point: Plaintiffs’ attorneys have started sending a wave of letters asserting opt-out and access rights under California’s Shine the Light law.
Over the last three months, businesses have been receiving requests from California residents seeking to exercise their rights under California’s Shine the Light law, Cal. Civ. Code § 1798.83. These requests are sent by attorneys who purport to represent a California resident who is a “customer” of, and has an “established business relationship” with, the business receiving the request. The requests seek an accounting of the customer’s personal information disclosed to third parties for direct marketing purposes within the past year.
On June 2, the New Jersey Division of Consumer Affairs announced the publication of new proposed regulations to implement the New Jersey Data Privacy Act (NJDPA), N.J. Stat. §§ 56:8-166.4 et seq., which went into effect on January 15. (Please see our prior article on the NJDPA for more details.) Although many of these proposed regulations appear familiar – similar to the finalized regulations under the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act (CPA) – New Jersey introduced several new requirements worth noting.