On July 8, 2025, Connecticut Attorney General William Tong announced a settlement with TicketNetwork for alleged violations of the Connecticut Data Privacy Act (“CTDPA”). According to the Attorney General’s press release, the Office of the Attorney General (“OAG”) first sent a “cure notice” to TicketNetwork on November 9, 2023. In that notice the OAG alleged that the company’s privacy notice was deficient under the CTDPA and provided the company with an opportunity to cure the alleged violation. In particular, the OAG alleged that the company’s privacy notice was largely unreadable, missing key data rights and contained rights mechanisms that were misconfigured or inoperable.
Today, in the Consumer Financial Protection Bureau’s (CFPB) November 12, 2021 lawsuit against FirstCash, Inc., and nineteen subsidiaries alleging violations of the Military Lending Act (MLA), the parties reached a settlement and jointly filed a stipulated final judgment and proposed order, which if entered by the court, would resolve the lawsuit. The MLA puts in place protections for active duty servicemembers and certain dependents in connection with extensions of consumer credit. These protections include a maximum allowable annual percentage rate of 36%, a prohibition against required arbitration, and certain mandatory loan disclosures.
The compliance landscape is shifting. Recent regulatory changes suggest a retreat from strict federal oversight—especially in digital financial services. For collections teams, this can look like an opening: fewer constraints, faster experimentation.
But deregulation doesn’t erase risk. It redistributes it.
When guardrails recede, accountability doesn’t disappear—it moves inward. And in a landscape where digital outreach is high-volume, multi-channeled, and vendor-dependent, the need for internal infrastructure is more urgent than ever.
The US “comprehensive” law landscape continues to expand, with two more states—Tennessee (July 1) and Minnesota (July 31) —joining the “comprehensive” privacy law club. Five of these -Delaware, Iowa, Nebraska, New Hampshire, and New Jersey- took effect in January. As the patchwork of state-level “comprehensive” privacy laws expands, what should business keep in mind? As outlined below, perhaps the biggest takeaway is that the laws add to a patchwork, one which consists of many overlapping requirements.
On July 8, a panel for the U.S. Court of Appeals for the Eighth Circuit issued a significant decision in the case of Custom Communications, Inc. v. Federal Trade Commission (FTC). The panel vacated the FTC’s amended Negative Option Rule aka the “click-to cancel” rule, citing procedural deficiencies in the rulemaking process. Specifically, the panel found that the FTC failed to conduct a required preliminary regulatory analysis, which deprived stakeholders of the opportunity to comment on alternatives and engage with the FTC’s cost-benefit analysis.
.jpg)
.jpg)