Last Week, This Morning

December 8, 2025

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)1" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

Service Provider for Auto Dealers Suffers Data Breach

On December 3, 700Credit, the largest provider of credit reports, soft pull credit data, identity verification, and fraud detection, among other credit-related services for auto dealers, released a statement announcing that it suffered a data breach, exposing personally identifiable information including names, addresses, and social security numbers of consumers. 700Credit stated that there is no indication of any identity theft, fraud, or other misuse of information in relation to the data breach. 700Credit has notified the Federal Trade Commission of the breach, and the FTC has approved 700Credit's proposal to file a single consolidated breach notice with the FTC on behalf of its dealer clients affected by the breach. This consolidated breach notice would satisfy any reporting obligation the dealer may have under the FTC's Safeguards Rule, which requires financial institutions, including dealers, to provide notice to the FTC as soon as possible and no later than 30 days after discovering a security breach incident involving the information of at least 500 consumers. In addition, 700Credit will be notifying state attorney general offices on behalf of dealers, as well as impacted consumers.

The National Automobile Dealers Association, which worked with 700Credit with respect to this matter, reminded dealers that "the full range of FTC Safeguards Rule requirements remains in effect" and that "every state has a breach notification requirement, and the FTC's acceptance of this proposal has no effect on state notification requirements. Therefore, it is important for dealers to consult with legal counsel to ensure they are in compliance with any applicable state breach notification requirements."

Amicus Brief(ly): The NADA made our job a little easier with its reminder about the right kinds of data breach protocols, including and especially awareness of the state data breach notification requirements. We hope that readers already couple appropriately restrictive data security measures with a robust data breach detection, response, and notification plan that they never have to use. But that plan is incomplete if it does not incorporate state notification laws. The arrangement that 700Credit made with the FTC makes perfect sense given the number of dealers in the company's orbit. Hopefully the states will see the sense in that arrangement, too, so the company can get those notifications out and alert consumers if the breach involved their non-public personal information.

State AGs Urge Congressional Leaders to Reject Proposals for Federal Ban on State AI Laws

On November 25, the attorneys general from 36 states sent a letter to congressional leaders urging them to oppose a federal moratorium on the enactment or enforcement of state laws addressing artificial intelligence. The AGs argue that broad federal preemption would inhibit states' ability to respond quickly and effectively to emerging AI technologies, suggesting instead collaboration with states on thoughtful federal regulation.

According to the AGs' letter, "[s]tates have already pioneered multiple laws that target specific harms associated with the use of AI. As a coalition of state attorneys general noted in a letter to [congressional leaders] in May, among these carefully considered and narrowly tailored laws are '[l]aws designed to protect against AI-generated explicit material, prohibit deep-fakes designed to mislead voters and consumers, protect renters when algorithms are used to set rent, prevent spam phone calls and texts, require basic disclosures when consumers are interacting with specific kinds of AI, and ensure identity protection for endorsements and other AI-generated content. Perhaps most notably, of the twenty states that have enacted comprehensive data privacy legislation, the overwhelming majority included provisions that give consumers the right to opt out of specific kinds of consequential, automated decision-making and require risk assessments before a business can use high-risk automated profiling.'"

The AGs' letter is seemingly in response to the Trump administration's draft executive order that was aimed at preempting state laws on AI through federal lawsuits and by withholding federal funds and that would have created an "AI Litigation Task Force," led by Attorney General Pam Bondi, to challenge state AI laws on constitutional grounds. The draft executive order has reportedly been put on hold.

Amicus Brief(ly): AI has been all the rage over the past couple of years. Regulators and legislators across the political spectrum have expressed concerns about leaving AI unregulated at some level, and the state AGs' letter reflects those concerns. It's not just financial services that interest the state AGs - it's the potential for AI to inadvertently or even intentionally (i.e., "deep-fakes") mislead people that the states really want to be able to regulate. As we await the issuance of the executive order that is evidently on hold, expect the states to stay active in monitoring AI developments and take regulatory action in some form when they identify issues of concern resulting from the use of AI to interact with their residents.

Maryland Office of Financial Regulation Designates "Innovation Contact" Within Agency

On December 4, in order to promote a regulatory environment that encourages responsible innovation, the Maryland Office of Financial Regulation issued an advisory recommending that industry participants communicate with the OFR's designated "innovation contact" about their potential new financial services products and services, technologies, and business models. The advisory states that the innovation contact can serve as a direct point of engagement for entrepreneurs, fintech firms, and existing licensees and can "[p]rovide insight into Maryland's financial regulatory framework and licensing requirements; [f]acilitate discussions on innovative business concepts, risk management, and compliance approaches; [o]ffer guidance to existing licensees evaluating new technologies or service models; and [c]onnect industry participants with the appropriate OFR teams for deeper collaboration or review."

Industry participants can request a meeting with the innovation contact here.

Amicus Brief(ly): This effort from Maryland stops short of a useful regulatory sandbox, but we'll take something over nothing. The designated innovation contact sounds like a helpful person to know - someone who can help companies that have business models that may put them in grey regulatory areas. Providers subject to state licensing requirements know that Maryland has several licensing regimes for financial services providers and that the OFR often takes a broad view about which providers should hold one or more of those licenses based on their business models. Engagement with the innovation contact will likely offer valuable insight into the OFR's position on new products and services before innovators receive a regulatory inquiry. Also, when a company has an argument for why its product or service should not be subject to a particular licensing requirement, a conversation with the innovation contact may allow an opportunity to share that informed licensing position with the contact and lobby for its interpretation.

Advertising and Marketing Firms Can Be Considered Data Brokers in California if They Collect and Sell Personal Information

On December 3, as part of its Data Broker Enforcement Strike Force, the California Privacy Protection Agency obtained a stipulated final order with a marketing firm that provides services to fitness and wellness brands, resolving allegations that the firm is a data broker subject to California's Delete Act and failed to register as such with the CPPA.

According to the order, the marketing firm uses billions of data points to build detailed consumer profiles and custom audience lists that its clients can use for targeted advertising. As part of its services, the firm discloses inferences about consumers. For example, if a consumer has expressed an interest in fitness activities, then the firm would place the consumer into an "audience" list related to fitness and help health clubs send targeted discounts and offers to that consumer. According to the order, the firm disclosed or made available personal information to clients as part of its marketing services, and these "disclosures are sales of personal information [to third parties], regardless of whether those sales are provided in a bundle with advertising and marketing services that [the firm] may provide to its clients. A sale is a sale. A business cannot bypass the CCPA's and the Delete Act's requirements by selling personal information as part of a larger suite of products and services it offers." The CPPA's announcement about the order states that the "decision underscores that advertising and marketing firms can operate as data brokers if they collect and sell Californians' personal information."

The order imposes a fine of $56,600.

Amicus Brief(ly): The $56,600 fine is not exorbitant, but the action and stipulated final order underscore California's recent prioritization of issues related to consumer data rights and protections. The CPPA takes a straightforward tack with this stipulated order, focusing on the allegation that the company gathered and sold consumer information without registering as a data broker. Now is as good a time as any for companies looking to make profitable use of consumer data to review California's data privacy laws and requirements to register as a data broker to ensure that they are not the subject of the next CPPA investigation.

State AGs Seek Information from Largest BNPL Providers

On December 1, the attorneys general from California, Colorado, Connecticut, Illinois, Minnesota, North Carolina, and Wisconsin sent a joint letter to the six largest buy now, pay later providers seeking detailed information about, among other things, pricing and repayment structure of the providers' products, procedures for addressing consumers' disputes over purchases or billing, customer service practices, assessment of consumers' ability to repay, procedures related to credit reporting, delinquencies and defaults by consumers, disclosures provided to consumers, relationships and contracts with merchants, and efforts to comply with the federal Truth in Lending Act.

The Consumer Financial Protection Bureau issued an interpretive rule in May 2024 that subjected BNPL products to provisions of Regulation Z applicable to credit cards. In May 2025, the Trump administration rescinded the interpretive rule.

Amicus Brief(ly): The states have taken a more active interest in consumer finance since the CFPB started to slow itself down earlier this year, including its rescission of the BNPL interpretive rule issued under Rohit Chopra and the last administration. This letter seeking information builds on prior efforts from these states and others to understand how the biggest BNPL providers offer BNPL products and what kinds of customer protections the providers offer. With a goal of ensuring that consumers had some kind of recourse against providers if the providers made billing mistakes, attorneys general from 21 states, including the six who issued these inquiry letters, supported the CFPB's idea to subject BNPL products to the billing rights protections the Truth in Lending Act offers to credit card borrowers. Interest in the products has not dimmed, and we'll see whether the states take the information they gather about BNPL as a result of this letter to engage in rulemaking or legislation, enforcement initiatives, or both. Providers offering BNPL products in California, Colorado, Connecticut, Illinois, Minnesota, North Carolina, and Wisconsin should watch for developments.


1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.