May 6, 2025

State Watch: Consumer Protection Enforcement Update

States Spring into Action in April: A bipartisan array of states continues to pursue privacy enforcement, while New York AG James takes aim at earned wage access providers

Anastasia V. Caton

While uncertainty continued to loom over the CFPB, the states did not take a spring break. Instead, we saw an eye-popping settlement from NY DFS involving BSA/AML claims. And both Republican and Democratic AGs continued to prioritize consumer privacy enforcement.

Connecticut

Attorney General Tong released a report on the actions of his office to enforce the state's new Data Privacy Act in 2024. The report highlights the AG's investigations and inquiries into a variety of companies and practices, including manufacturers of connected cars, a genetic and family history company, a web service provider with palm recognition services, the provider of an anonymous peer messaging app marketed to teens, and retailers' use of facial recognition technology. The report also provides suggestions for how the legislature could strengthen or clarify Connecticut's Data Privacy Act.

Indiana

Attorney General Rokita sued an auto manufacturer and its subsidiary over allegedly "secretly collecting" and selling the personal data of Indiana drivers to third parties, including insurance companies, without the drivers' knowledge or consent. The AG claims that the defendants used vehicle telematics systems to "harvest detailed driving behavior and location data" and then sold that information to data brokers. According to the AG, the data brokers created risk profiles and driving scores and sold that information to insurers, which then increased driver premiums or canceled policies. The AG alleges that these practices violate Indiana's Deceptive Consumer Sales Act. The AG's complaint seeks injunctive relief, civil penalties, and consumer restitution.

New York

  • Attorney General James sued an online lender, claiming that its earned wage access product had interest rates exceeding New York's usury limit and that it engaged in deceptive marketing practices. Specifically, the AG alleges that the company advertised its earned wage access product as being fee-free and providing instant access to funds with a zero percent interest rate. However, the AG alleges that the company charged mandatory fees when the funds were instantly accessible, and the product had effective interest rates far in excess of New York's usury limit. The AG also claims that the company was "relentless in charging fees and pressuring users for tips" for its earned wage access product. The AG's lawsuit accuses the lender of engaging in illegal, deceptive, and abusive lending practices and violating New York's usury limit. The AG is seeking injunctive relief, consumer restitution, and civil penalties and costs.
  • AG James sued another earned wage access provider for, according to the AG, making paycheck advance loans to New Yorkers with interest rates exceeding the state usury limit. The AG claims that the company's marketing practices were deceptive because they offered interest-free advances, but collected fees on about 90% of their products. The AG also accuses the company of trapping consumers in a cycle of debt and "dependency." The AG's lawsuit claims that the company engaged in illegal, deceptive, and abusive lending practices and violated New York's usury limit and wage assignment laws. The AG is seeking injunctive relief, consumer restitution, and civil penalties and costs.
  • New York's Department of Financial Services settled with a peer-to-peer money transmission service over its allegedly inadequate BSA/AML compliance program, which, DFS claimed, violated DFS's money transmitter and virtual currency regulations. According to DFS, the company's program had inadequate customer due diligence, failed to implement sufficient risk-based controls to prevent money laundering and illicit activity, and failed to effectively and timely monitor transactions. The consent order requires the company to retain an independent monitor to evaluate its compliance with DFS's regulations. It also requires the company to pay a $40 million penalty. DFS's press release acknowledged the company's cooperation throughout the investigation and its commitment of significant financial and other resources to remediate the issues identified in the consent order.

Ohio

Attorney General Yost sued a wholesale mortgage lender, alleging that the company worked with a network of brokers that, the AG claims, "funneled" nearly all mortgages to the company. The AG alleges that the company misrepresented to consumers in its marketing that the brokers were independent of the company, and instead owed loyalty to the borrower. The AG also claims that the arrangement between the company and its network of brokers resulted in higher fees and rates for borrowers. The AG's lawsuit accuses the company of violating Ohio's Consumer Sales Practices Act, Residential Mortgage Lending Act, and Corrupt Practices Act. It seeks injunctive relief and restitution for affected consumers.

Pennsylvania

Attorney General Sunday settled with a debt settlement company and its affiliates over claims that the companies allegedly misled consumers into thinking they could reduce or settle their debts and allegedly demanded up-front payments in violation of Pennsylvania law. The settlement prohibits the companies from operating in Pennsylvania without the appropriate licenses and requires $500,000 in restitution to affected consumers.

Multistate

  • Eight state regulators formed a bipartisan privacy consortium with the stated goal to "promote collaboration and information sharing in the bipartisan effort to safeguard the privacy rights of consumers." The group will be known as the Consortium of Privacy Regulators, and will include both the California AG and the California Privacy Protection Agency along with the attorneys general of Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon.
  • All 51 state attorneys general sent warning letters to nine companies that the AGs claim were responsible for transmitting robocall traffic. The effort is part of the Anti-Robocall Litigation Task Force, led by North Carolina Attorney General Jeff Jackson, Indiana Attorney General Todd Rokita, and Ohio Attorney General Dave Yost. According to AG Jackson, the Task Force "investigates and takes legal action against companies responsible for significant volumes of illegal and fraudulent robocall traffic routed into and across the United States."
