Last Week, This Morning

September 8, 2025

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)1" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

FTC Sets Its Sights on COPPA Compliance

Last week, the Federal Trade Commission entered into two proposed orders for permanent injunctions, civil penalties, and other relief against companies that allegedly violated the Children's Online Privacy Protection Act Rule. Under the COPPA Rule, operators of websites, mobile apps, and other online services that are directed at children under the age of 13 are required to notify parents about what personal information they collect and obtain verifiable parental consent before collecting, using, and/or disclosing such personal information from children.

The first proposed order settled COPPA allegations against a major entertainment company. According to the FTC's complaint, the company uploaded videos to YouTube that were not properly labeled as "Made for Kids." YouTube requires content creators to designate videos they upload as either "Made for Kids" or "Not Made for Kids." This designation ensures that some features on videos classified as "Made for Kids" are disabled in order for YouTube to comply with the COPPA Rule. For example, YouTube does not collect personal information from, or serve personalized advertisements to, viewers of videos marked as "Made for Kids" and does not allow comments to be posted on those videos. The company's alleged mislabeling of its videos allowed the company, through YouTube, to collect personal information from children under 13 who viewed the mislabeled videos and to use that data for targeted advertising to children without notifying parents or obtaining parental consent. In the FTC's news release, FTC Chairman Andrew Ferguson states that "[t]his case underscores the FTC's commitment to enforcing COPPA, which was enacted by Congress to ensure that parents ... make decisions about the collection and use of their children's personal information." The proposed order imposes a $10 million civil penalty against the company, among other requirements that will ensure compliance with the COPPA Rule.

The second proposed order obtained by the FTC settled allegations against a company that develops, markets, and distributes programmable robot toys designed for children ages 6 to 14. According to the FTC's complaint, the company sells its robot toys through online retailers like Amazon, and users must download the company's mobile app to program the toys to make them move. Users are required to enable location sharing to use the app and connect their toy. The company integrated software developed by a third party into its app, which allowed the software developer to collect location data and use it for any purpose, including advertising, without the knowledge of users or their parents. The FTC alleged that, through its app, the company collected, or caused a third party to collect, the precise geolocation data of children under the age of 13 using its product, in violation of the COPPA Rule's parental notice and consent requirements. The proposed order imposes a $500,000 civil penalty, which will be suspended because of the company's inability to pay, among other requirements that will ensure compliance with the COPPA Rule.

Amicus Brief(ly): These actions by the FTC illustrate some of the "why" behind the COPPA Rule and other privacy and data protection laws. We have written many times about how focused state and federal regulators have been on transparency about data harvesting and sharing, whether the party collecting the data is a vehicle manufacturer, online seller, data broker, creditor, or otherwise. Consumers' consent is paramount when it comes to their data, as important in the context of protecting children as it is in any other context. The more frequently companies fail to obtain that consent and clearly disclose what, if any, data they will collect and what they plan to do with that data if they are allowed to collect it, the more active we should expect states and the federal government to be in regulation and enforcement.

Debt Collector's FCRA-Required Communication in Response to Consumer's Debt Dispute Was Not Valid Basis for Claim Under FDCPA's Cease Communication Provision

The U.S. Court of Appeals for the Eighth Circuit recently concluded that a debt collector did not violate the Fair Debt Collection Practices Act's cease communication provision when it sent a single collection letter in response to a consumer's fax disputing the debt on her credit report and requesting no contact about the debt, where the debt collector was obligated to respond to the fax under the Fair Credit Reporting Act. The appellate court also concluded that receipt of the collection letter after the consumer requested no contact did not constitute a concrete injury sufficient to establish Article III standing to sue under the FDCPA in federal court.

In June 2017, a debt collector attempted to collect a medical debt from a consumer by sending an initial collection letter. In March 2021, almost four years later, the consumer sent a fax to the debt collector stating: "I reviewed my credit report and discovered that you are reporting that I owe you $300 for a debt to Rockhill Orthopedic Specialists, Inc. I dispute this debt. Please do not contact me about this debt." In May 2021, the debt collector sent the consumer a letter verifying the debt, stating that it would resume collection activities on her account, and offering assistance to resolve the matter.

The consumer sued the debt collector, alleging that her receipt of the May 2021 letter from the debt collector violated Section 1692c(c) of the FDCPA. Section 1692c(c) prohibits debt collectors from communicating with consumers after receiving written notice that the consumer wishes the debt collector to cease further communication. The trial court granted summary judgment in favor of the consumer, concluding that she had standing and that the debt collector's May 2021 letter violated Section 1692c(c). The debt collector appealed.

The Eighth Circuit reversed. The court found that the consumer's March 2021 fax was a timely notice disputing information in her credit report, thereby triggering the debt collector's obligations under the FCRA to investigate and respond to her dispute. Therefore, the court concluded that the March 2021 fax was not a valid basis for a Section 1692c(c) claim. The court acknowledged that the consumer's fax - which disputed her debt and also asked not to be contacted - created a "paradox" where the debt collector faced conflicting statutory obligations: requiring a response under the FCRA confirming the debt while simultaneously demanding the opposite under the FDCPA.

Even if the Section 1692c(c) claim was not invalid, the court concluded that the consumer lacked Article III standing because she did not suffer a concrete injury. It noted that, in order to have Article III standing to sue in federal court, plaintiffs must demonstrate, among other things, a concrete injury. Intangible harms can be concrete if they have a close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts, such as intrusion upon seclusion. The elements of intrusion upon seclusion are set forth in the Restatement (Second) of Torts § 652B: "One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person."

According to the appellate court, "[the debt collector] did precisely what the FCRA required - it promptly investigated [the consumer's] complaint that it had inaccurately reported an invalid debt to a CRA and responded directly to [the consumer] that the debt was valid, providing the same documents verifying the debt that it would have provided under § 1692g(b) had [the consumer] timely disputed the debt in response to [the debt collector's] initial debt collection letter under the FDCPA." "[The debt collector's] letter is not only beneficial, ... but it is mandated by the FCRA for the protection of consumers. [The consumer's] fax invited, indeed commanded this response. Where is the 'intrusion' upon her solitude or seclusion? '[T]here is nothing inherently bothersome, intrusive, or invasive about a collection letter delivered via U.S. Mail,' particularly when the letter was mandated by the FCRA for [the consumer's] benefit. Even if unwanted, how could a reasonable jury find that this single, invited response 'would be highly offensive to a reasonable person' who had not paid a valid debt for many years? '[R]eceipt of a letter alone may not be an intrusion that "would be highly offensive to a reasonable person."'" The court also found no evidence of intentional intrusion.

Amicus Brief(ly): The dance a debt collector has to do when responding to disputes is a complicated waltz if the debt collector furnishes information to consumer reporting agencies (it is more straightforward when the debt collector only has to comply with the FDCPA rules on handling disputes or cease communication requests). A dispute coupled with a clear cease communication request presents a compliance conundrum, as the Eighth Circuit identified. But the FDCPA specifically allows debt collectors to respond to a cease communication request in writing with some limited information about what steps the debt collector can or will take while honoring the cease communication request - giving the debt collector a chance to carefully respond to the dispute while acknowledging the cease communication request. The Eighth Circuit followed other recent court decisions with respect to the standing issue, looking for the consumer to articulate some form of actual harm resulting from the alleged statutory violation. This case was a win for the debt collector and a reminder to review policies and procedures for handling disputes when both the FCRA and the FDCPA apply.
Texas Clarifies Attorneys Who Qualify for Exemption from Money Transmission Licensing Requirement

Effective September 4, the Finance Commission of Texas, on behalf of the Department of Banking, added new 7 TAC § 33.55 to the Texas Administrative Code concerning the exemption from money transmission licensing under Finance Code § 152.004(9). Section 152.004(9), in relevant part, exempts "an attorney ... that in connection with a real property transaction receives and disburses domestic currency or issues an escrow or trust fund check only on behalf of a party to the transaction" from licensing under Chapter 152. The Finance Commission determined that the term "attorney" was ambiguous. The new rule clarifies that "[f]or an attorney to qualify for the exemption under Texas Finance Code § 152.004(9), the attorney must be licensed to practice law and a member of the State Bar of Texas, or a Texas professional corporation organized to provide professional legal services, and must be performing legal services in connection with the real property transaction."

Amicus Brief(ly): It is not clear how often out-of-state lawyers not admitted in Texas are involved in Texas loan closings (Texas is not an attorney-close state for real estate and mortgage transactions; title companies can and often conduct closings in Texas). But this clarification is useful because it eliminates doubt. Only attorneys admitted in Texas are exempt from the money transmitter license requirement, likely because they are already regulated by the state because of their admission to the Bar. Now we know.

Hawaii Supreme Court Clarifies 20-Year Statute of Limitations for Mortgage Foreclosure Actions

The Hawaii Supreme Court recently held in Deutsche Bank Trust Company v. Szymanski that the statute of limitations for mortgage foreclosure actions is 20 years, noting that the court has not opined on the issue since the early 1900s.

In 2005, an individual obtained a mortgage from a mortgage lender but defaulted on the loan in 2008. The initial assignee of the mortgage tried to foreclose in 2010, but the action was dismissed for want of prosecution. The mortgage was assigned again, and this assignee sent the borrower a notice of default stating that he would need to cure his default and, if he did not, acceleration and foreclosure may result. The borrower did not cure. In 2015, the trustee for a mortgage-backed securities trust became the assignee of the mortgage. This assignee filed a foreclosure action in January 2018. The borrower responded to the foreclosure action by arguing, among other things, that the statute of limitations had run, contending that the 6-year statute of limitations for debt recovery actions based on a contract applied. The assignee argued that the 20-year statute of limitations for actions to recover possession of land applied. The trial court granted summary judgment in favor of the assignee, finding that the foreclosure action was subject to the 20-year statute of limitations and was not time-barred. The borrower moved for reconsideration and to vacate the judgment, but the trial court denied the motions.

The intermediate appellate court consolidated the borrower's appeals. Relevant to this appeal, the intermediate appellate court affirmed the trial court's determination that the mortgage foreclosure action was not time-barred.

The Hawaii high court affirmed the intermediate appellate court's decision with respect to the statute of limitations issue, holding that, based on its decision in Bank of New York Mellon v. White, the statute of limitations for mortgage foreclosure actions in Hawaii is 20 years per Hawaii Revised Statutes § 657-31, not six years under HRS § 657-1.

Amicus Brief(ly): As complaints (and negative press) about "zombie" mortgages continue to turn up, this Hawaii case provides a helpful reminder that an action to enforce a mortgage and an action for a money judgment on the credit agreement are not the same thing. A creditor's lien on real property, evidenced by a mortgage, deed of trust, or other security instrument, in many cases survives past the stated maturity date in the security instrument. And state statutes of limitations are often longer - sometimes materially longer - than the statutes of limitations that apply to written contracts generally or contracts for the payment of money more specifically. The distinction is meaningful, though creditors holding aged mortgages should exercise care when enforcing those older security instruments and be prepared to explain the difference to potentially confused consumers.

NCUA and FDIC Remove Disparate Impact from Fair Lending Examination Materials

On September 4, the National Credit Union Administration announced that it has removed all references to disparate impact from its Fair Lending Guide and related examination materials. This action follows Executive Order 14281, which directed federal agencies to eliminate reliance on disparate impact analysis. Examiners will no longer assess credit unions for disparate impact risk, and fair lending reviews will now focus solely on disparate treatment and other intentional violations. While this announcement reduces supervisory pressure, credit unions must recognize that disparate impact remains a viable theory under state laws and in private litigation.

On August 29, the Federal Deposit Insurance Corporation issued FIL-41-2025 updating its Consumer Compliance Examination Manual. The revisions remove all references to disparate impact analysis in the manual's fair lending and unfair or deceptive acts or practices sections. Examiners will now assess discrimination only through evidence of disparate treatment. Like the NCUA update, this change stems from Executive Order 14281. The FDIC provided redlined materials to show the changes. Banks may face a reduced burden in preparing a disparate impact analysis for exams, but they still face potential legal exposure from private lawsuits and state enforcement actions that assert disparate impact liability.

Amicus Brief(ly): These two actions round out the official removal of references to disparate impact from the federal regulators' exam manuals, as required by the executive order issued in April, with the Office of the Comptroller of the Currency having already made the changes to its materials. We understand that the regulators have signaled this pull-back to regulated banks and credit unions in the context of pending and imminent exams. Fair lending is still on the menu, but examiners will not be looking for indicia of disparate impact while conducting their exams.

1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.