Key Trends of 2025 in State Legislation Impacting Consumer Financial Services

Now that 2025 is in the books, it is clear it was one of the busiest years ever for state legislative and regulatory efforts related to consumer financial products. Federal supervisory and enforcement activity in this space in 2025 was massively pared back from prior years and, as we predicted in our “Consumer Financial Services: 2024 Year in Review,” in the absence of robust federal enforcement, states proposed, passed, or enacted scores of statutes and rules seeking to enhance consumer financial protection. States also adopted nonlegislative measures, such as Pennsylvania’s new consumer protection hotline, New Jersey’s guidance on the application of existing state law to AI systems, and New York’s hiring of several former Consumer Financial Protection Bureau (CFPB) employees at its Department of Financial Services (DFS) and Attorney General’s Office.

In advance of our 2025 Year in Review, we have compiled below all of the most relevant state developments impacting the consumer financial services industry from 2025. Across the year, hot topics included unfair and deceptive acts or practices (including “junk fees”), earned wage access services, mortgage consumer protection, data security and privacy, and artificial intelligence. At least 18 different states have passed new laws in these spaces, and at least 13 have proposed legislation under review. New York leads the pack, having passed or introduced eight new laws targeting a range of issues, from zombie mortgages and foreclosure practices to reporting requirements for large AI developers.

 

Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)

In 2025, at least seven states advanced new legislation aimed at enhancing protections for consumers against unfair, deceptive, and, in some cases, abusive practices.

Colorado, Illinois, Maine, Massachusetts, New York, North Carolina, and Virginia all targeted “junk fees” by proposing or passing laws or regulations requiring upfront price disclosures. New York also enacted the Algorithmic Pricing Disclosure Act, which requires companies disclose if they use dynamic pricing set by algorithms using personal data, and the Fostering Affordability and Integrity through Reasonable Businesses Practices (FAIR) Act, which expands New York’s existing deceptive practices law to also protect New Yorkers from unfair and abusive business activities. And in Michigan, proposed legislation would remove the Michigan Consumer Protection Act’s exemption for industries that are already regulated and provide more resources to the Attorney General’s Office to enforce the Act through a new consumer protection fund.

Below, we have compiled details on each new pending or enacted law:

• California
  • In October, California enacted Senate Bill (SB) 825, which amends the California Consumer Financial Protection Law to expand the Department of Financial Protection and Innovation’s authority to enforce the law’s provisions regarding deceptive or abusive acts or practices against licensed finance lenders, escrow agents, residential mortgage lenders, broker-dealers, and investment advisers, among other licensed entities, which were previously exempted. The statute took effect January 1, 2026.
• Colorado
  • In April, Colorado enacted House Bill (HB) 25-1090, which requires clear and conspicuous disclosure of the total upfront cost of goods, services, and property, in an effort to combat “junk fees.” The statute also provides that a person is compliant if they can demonstrate they are governed by certain federal laws regarding price transparency (such as the Truth in Lending Act (TILA)) or if they can demonstrate that any fees charged in addition to the total price were associated with settlement services as defined by the Real Estate Settlement Procedures Act (RESPA). Violations of the law constitute a deceptive, unfair, and unconscionable act or practice subject to penalties. The statute took effect on January 1, 2026.
• Illinois (introduced)
  • In May, the Illinois Senate passed SB 1486 (the Junk Fee Ban Act), which would regulate “junk fees” by requiring upfront and prominent total pricing disclosure for merchandise and prohibit deceptive fees and refund policies. The proposed law provides certain exemptions for entities and transactions regulated by federal and state laws. The bill is currently under review by the Illinois House.
• Maryland
  • In April, Maryland enacted HB 431, which prohibits consumer contracts from providing a shorter time period to bring an action than that allowed by the law of the state where the consumer contract is issued or delivered. The statute does not apply to certain contracts, including contracts entered into with businesses operating under a state license or involving services regulated by the Federal Communications Commission. The original House Bill designated that a contract provision prohibited by the statute would be an unfair or deceptive trade practice under Maryland law, but that provision was cut from the final version. The statute will take effect on June 1, 2026.
• Massachusetts
  • In March, Massachusetts adopted 940 CMR 38.00, a consumer protection regulation designed to eliminate “junk fees” and to provide protections surrounding subscriptions and trial offers. The regulation requires upfront pricing disclosures in advertising and requires the total price of a product to be displayed before collecting a consumer’s billing information. The regulation also requires clear and conspicuous disclosures for negative option features, including how to cancel, and a simple mechanism for cancellation. Violations of the regulation are unfair and deceptive acts under Massachusetts law. The regulation took effect on September 2, 2025.
• Michigan (introduced)
  • In March, Michigan introduced SB 134, which would strengthen Michigan’s consumer protection laws by repealing its exemption for transactions or conduct regulated by other laws and instead limiting the exemption to specific acts or practices expressly authorized by other laws. The current law — as interpreted by the Michigan Supreme Court — exempts individuals or businesses operating under their licensed authority from the Act entirely. The bill would remove those exemptions, give greater enforcement powers to the Michigan Department of Attorney General, and establish a new fund, which would support enforcement and education efforts to assist residents and reduce scams. The Senate passed the bill in June, and it is currently under committee review in the Michigan House.
• Montana
  • In April, Montana enacted SB 488, which amends the Montana Unfair Trade Practices and Consumer Protection Act by defining unlawful practices to include providing false, misleading, or deceptive consumer reviews and testimonials. This amendment mirrors the 2024 Federal Trade Commission rule doing the same, and generally aligns Montana law with FTC interpretations of consumer protection. The statute became effective immediately upon enactment.
• New York
  • In January, the New York legislature introduced SB S363A, which would target “junk fees” by requiring upfront pricing disclosure for most goods and services. The bill contains several exemptions including for financial institutions that are required to provide disclosures in compliance with TILA, Electronic Fund Transfer Act, and RESPA. The bill would create a private right of action. It passed the Senate and is with the State Assembly for review.
  • In May, Governor Kathy Hochul signed into law SB S3008C, a budget bill that also included the Algorithmic Pricing Disclosure Act. The statute requires that entities domiciled in or doing business in New York (with certain exceptions) disclose personalized algorithmic pricing to customers. Specifically, the entity must state in any applicable advertisement or label “THIS PRICE WAS SET BY AN ALGORITHM USING YOUR PERSONAL DATA.” That same budget bill also includes a requirement that “buy-now-pay-later lenders” be licensed by the state. The law took effect on November 10, 2025.
  • In December, Governor Hochul signed the FAIR Act (SB S8416) into law, which bolsters New York’s existing consumer protection law, General Business Law § 349. The prior law covered only deceptive practices, and the FAIR Act adds protections against unfair and abusive practices. The FAIR Act is designed to protect consumers from deed theft, artificial intelligence-based schemes, online phishing scams, hard-to-cancel subscriptions, “junk fees,” data breaches, and high-interest loans.
• Oregon
  • In July, Oregon enacted HB 3865, amending its Unlawful Trade Practices Act to include text messages as “telephone solicitations,” prohibit telephone solicitations from 8 pm to 8 am (one hour longer than the federal Telephone Consumer Protection Act quiet hours), and limit telephone solicitations to three calls a day. The new statute includes exemptions from these prohibitions for callers with an “established business relationship” with the person called or who are a “debt buyer” under the Fair Debt Collection Practices Act. The statute took effect on January 1, 2026.
• Virginia
  • In May, Virginia enacted HB 2515, which amends the Virginia Consumer Protection Act to combat “junk fees” by requiring sellers to clearly and conspicuously display the total price for goods and services, including all mandatory fees or surcharges. The statute took effect on July 1, 2025.

Earned Wage Access

Earned wage access (EWA), also known as on-demand pay, allows workers to access their wages ahead of scheduled paydays. In December 2025, the CFPB published an Advisory Opinion affirming that qualifying EWA services are not “credit” under TILA and Regulation Z. With the CFPB effectively declining to regulate EWA products, at least 14 states proposed legislation to fill the gap in 2025. Arkansas, Connecticut, Indiana, Louisiana, Maryland, and Utah passed their bills into law. Although these new laws vary, many require EWA providers to obtain licenses from the state, and most require providers to make fees transparent.

• Arkansas
  • In March, Arkansas enacted HB 1517, the Earned Wage Access Services Act, creating a new regulatory scheme for EWA services. The statute prohibits providers from using credit scores to determine eligibility and prohibits false, misleading, or deceptive advertising for EWA services. The statute exempts EWA providers from being classified as lenders or debt collectors if they follow specific requirements, including offering no-cost options for accessing wages and fully disclosing all fees. The statute took effect on August 4, 2025.
• Connecticut
  • In July, Connecticut enacted SB 1396, setting fee caps for each paycheck advance and caps for monthly fees. The law also limits interest accrual and late fees and bars providers from asking for repayment prior to the user’s next scheduled paycheck. The statute became effective on October 1, 2025.
• Indiana
  • In May, Indiana enacted HB 1125, which requires most EWA providers to obtain a license from the Indiana Department of Financial Institutions and to comply with requirements for operations, fee and tip disclosures, and consumer protection. The statute took effect on January 1, 2026.
• Louisiana
  • In July, Louisiana enacted HB 368. The statute prohibits cancellation fees, requires clear disclosure of fees and tips, and imposes limits on debt collection practices. The statute took effect on August 1, 2025.
• Maryland
  • In May, Maryland enacted HB 1294, which regulates EWA services by requiring both employer-integrated and consumer-directed EWA providers to be licensed and by establishing consumer protection requirements, such as tip and fee disclosures. The statute took effect on October 1, 2025.
• Utah
  • In March, Utah enacted HB 279. The statute regulates the EWA industry by creating a provider registration and renewal process, prohibiting the use of a consumer’s credit score to determine eligibility, limiting options for debt collection, and requiring fee and tip disclosures. The statute took effect on May 7, 2025.

Mortgage Loan Consumer Protection

Multiple states have proposed and enacted consumer protection laws in 2025 related to mortgage loans, including regulations over so-called “zombie mortgages” — subordinate mortgages that homeowners may mistakenly think are discharged or settled. The CFPB previously expressed interest in regulating zombie mortgages but has not proceeded with any regulation. In the absence of federal movement, states such as New York and Connecticut have moved forward to regulate this space. States have also stepped up their regulation of mortgage trigger leads — mortgage loan solicitations based on personal information purchased from a consumer reporting agency — with Arkansas, Georgia, Idaho, Iowa, and Utah imposing disclosure and compliance requirements aimed at preventing harassment and consumer confusion about the source of such solicitations.

• Arkansas
  • In March, Arkansas enacted HB 1184, which amends the Arkansas Fair Mortgage Lending Act by prohibiting the deceptive use of mortgage trigger leads. The statute mandates that initial contacts with consumers include specific disclosures, including about how the information was obtained and the solicitor’s lack of affiliation with the original lender, requires that the solicitations comply with Fair Credit Reporting Act (FCRA) requirements, and prohibits contacting consumers on the federal Do Not Call Registry or who have opted out of prescreened offers under FCRA. The statute took effect on August 7, 2025.
• California
  • In June, California enacted Assembly Bill (AB) 130, which states that, in connection with a subordinate mortgage, it is unlawful practice for a mortgage servicer to fail to communicate with a homeowner about the loan for at least three years, provide a transfer of loan servicing notice, provide a transfer of loan ownership notice, and provide a periodic account statement. The statute also allows borrowers to assert these unlawful practices as affirmative defenses in a judicial foreclosure proceeding. The statute took effect upon enactment.
• Connecticut
  • In June, Connecticut enacted SB 1336, placing a ten-year statute of limitations on foreclosing a mortgage loan that runs from the date of last payment. The statute took effect on January 1, 2026.
• Georgia
  • In May, Georgia enacted HB 240, regulating mortgage trigger leads by requiring the solicitor to disclose their lack of affiliation with the original lender, comply with Georgia law and FCRA, not use information of consumers who have opted out of prescreened credit offers under FCRA or who are on the federal Do Not Call Registry, and not use mortgage trigger leads to make deceptive bait-and-switch offers. The statute took effect upon enactment.
• Idaho
  • In March, Idaho enacted HB 149, which adds a new section to the Idaho Residential Mortgage Practices Act to protect consumer privacy in mortgage trigger lead solicitations. The statute requires solicitors to disclose that they are not affiliated with the original lender or mortgage broker and to notify consumers that their data was obtained through a credit bureau not via consent or past relationship. It also prohibits solicitors from contacting individuals on the state and federal Do Not Call Registry or who have opted out of prescreened offers under FCRA and designates violations as breaches of the Idaho Consumer Protection Act. The statute took effect on July 1, 2025.
• Iowa
  • In April, Iowa enacted House File 857, which regulates mortgage trigger lead solicitations by requiring that the solicitor disclose their lack of affiliation with the original lender, prohibiting the use of mortgage trigger leads to make deceptive bait-and-switch offers, prohibiting contacting individuals on the federal Do Not Call Registry or who have opted out of prescreened offers under FCRA, and designating a violation of the Act as an unlawful practice under Iowa law. The statute became effective on July 1, 2025.
• Maine (introduced)
  • In April, Maine’s legislature introduced Legislative Document 1444, which would reinstate Maine’s overturned common law strict compliance rule regarding notice of foreclosures on primary residential properties. Under the bill, a lender’s failure to strictly comply with notice requirements would effectively prevent any future foreclosure actions on the property. The strict compliance rule would apply retroactively to foreclosure actions that did not comply with notice requirements, providing relief to homeowners already in foreclosure.
• New York (introduced)
  • In March, New York introduced SB S6971, which would strengthen New York’s existing foreclosure laws against mortgage debt speculators bringing foreclosure actions on zombie mortgages. The bill would cap the amount a debt purchaser can recover in a foreclosure action to the amount they paid for the defaulted loan plus interest. Beginning January 1, 2027, there would also be a shorter statute of limitations to bring an action on a subordinate mortgage purchased when in default (at most, three years from purchase.)
  • In December, the New York legislature introduced SB S8595, which would impose consistent standards for calculating the amount due in foreclosure auctions. The bill would require the foreclosure sale referees to detail interest and other foreclosure calculations in a single, uniform way in all actions across the state.
• Utah
  • In March, Utah enacted HB 99, regulating mortgage trigger leads by requiring the solicitor to disclose their lack of affiliation with the original lender, comply with Utah law and FCRA, and not use mortgage trigger leads to make deceptive bait-and-switch offers. The statute became effective on May 7, 2025.

Data Security and Privacy

In the absence of a comprehensive federal regime, data security and privacy continue to be top priorities for state legislators. In 2025, California, Connecticut, and Texas strengthened their data privacy laws, while Pennsylvania proposed a comprehensive data privacy law that would impose limitations on data collection, safeguards for consumer information, and opt-out options. North Dakota also enacted data security legislation, establishing data security and breach notification obligations for nonbank financial institutions.

• California
  • In September, California’s Privacy Protection Agency adopted updates to its regulations, which added requirements for regulated businesses to compete annual cybersecurity audits as well as to conduct risk assessments for certain data processing activities, including targeted advertising and processing sensitive personal information. The updated regulations also grant consumers new rights affecting businesses’ use of automated decisionmaking technology to make certain “significant” decisions affecting a consumer – including rights to receive pre-use notices, opt-out options, and explanations of the logic of decisions. Automated decisionmaking technology includes any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking. The portions of the updated regulations addressing risk assessments came into force on January 1, 2026, with the remaining updates coming into force on various dates in 2027 and 2028.
  • In October, California enacted SB 361, requiring data brokers to report additional information under the California Consumer Privacy Act of 2018 about whether the broker collects certain personal information about consumers, such as biometric data, citizenship data, and gender and sexual orientation data. The statute took effect on January 1, 2026.
• Connecticut
  • In June, Connecticut enacted SB 1295, amending the Connecticut Data Privacy Act. The statute expands the Act’s application to entities that control or process the personal data of not fewer than 35,000 consumers (significantly less than the 100,000 person threshold in place previously), excluding personal data controlled or processed solely for the purpose of completing a payment transaction; control or process consumers’ sensitive data, excluding such data controlled or processed solely for the purposes of completing a payment transaction; or offer consumers’ personal data for sale in trade or commerce. It also imposes new requirements and restrictions on targeted advertising, particularly to minors. The statute takes effect on July 1, 2026.
• New York
  • In February, New York enacted SB S804, amending its data breach notification law to clarify that only entities under the jurisdiction of DFS must provide notice of data breaches to DFS. This statute clarifies a December 2024 amendment of the law, which added a requirement for all businesses to notify DFS of data breaches and that was applied more broadly than the legislature intended. The statute took effect immediately.
• North Dakota
  • In April, North Dakota enacted HB 1127, which creates new standards for safeguarding customer information by requiring financial corporations to develop, implement, and maintain a comprehensive information security program. These security programs must ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards, and protect against unauthorized access. The statute took effect on August 1, 2025.
• Pennsylvania (pending before Senate committee)
  • In January, the Pennsylvania legislature introduced HB 78, the Consumer Data Privacy Act, which would grant certain Pennsylvania residents the right to confirm, correct, delete, and obtain copies of their personal data, as well as opt out of targeted advertising, data sales, and certain automated profiling. The bill would impose duties on data processors and data controllers doing business in Pennsylvania with annual gross revenues exceeding $10 million, those that process personal information of at least 50,000 consumers, households, or devices, or those that derive at least 50% of annual revenues from selling consumers’ personal information. The bill has passed the Pennsylvania House of Representatives and is pending before the Pennsylvania Senate Consumer Protection & Professional Licensure Committee.
• Texas
  • In June, Texas passed the Texas Data Broker Act into law (SB 2121 and SB 1343), expanding the definition of “data broker” to include any business entity that “collects, processes, or transfers personal data that the business entity did not collect directly from the individual linked or linkable to the data.” Previously, the Texas law regulated only entities whose principal source of revenue came from data broker activities. The statute requires data brokers to provide disclosures on how consumers can exercise their privacy rights under the Texas Data Privacy and Security Act. The statute became effective on September 1, 2025.

Artificial Intelligence (AI)

Several states introduced or enacted AI-related legislation in 2025. Some of these laws target “high risk” AI systems that, when deployed, make consequential decisions related to employment, housing, healthcare, insurance coverage, or other areas with a significant risk of discrimination. Utah and Texas enacted consumer protection laws related to the use of personal information by AI models. Other laws seek to comprehensively regulate large AI developers, such as the Transparency in Frontier Artificial Intelligence Act enacted by California and New York’s recently amended Responsible AI Safety & Education (RAISE) Act. But there has also been pushback to state regulation from the AI industry and the federal government; in response, Colorado has delayed implementation of its 2024 law regulating high-risk AI systems, which was the first state law of its kind, and California has delayed implementation of the California AI Transparency Act. In December 2025, following Congress’ decision not to federally preempt state AI laws in the annual National Defense Authorization Act, President Trump signed an Executive Order that, in part, instructs the federal government to challenge state AI laws that unconstitutionally regulate interstate commerce, are preempted by existing federal regulations, or are otherwise unlawful — such as those that violate the First Amendment. The order also directs the federal government to establish a comprehensive national framework for AI regulation. As we wait to see the impact of the Executive Order, these state AI laws are set to take effect and potentially alter the AI landscape.

• California
  • In February, California introduced AB 1018, which would supplement the existing law that regulates high-risk automated decision systems. The bill would require automated decision system developers to conduct performance evaluations, include certain disclosures of risks, provide an assessment of risk within 30 days of request by the attorney general, and authorize civil action for noncompliance.
  • In September, California passed SB 53, the Transparency in Frontier Artificial Intelligence Act, which regulates large frontier AI developers by requiring them to publish frontier AI frameworks, assess and report catastrophic risks, implement whistleblower protections for covered employees, and report critical safety incidents to the Office of Emergency Services. The law became effective on January 1, 2026.
  • In October, California passed AB 853, which delays the California AI Transparency Act’s implementation from January 1, 2026, to August 2, 2026. When it goes into effect, the California AI Transparency Act will require creators of generative AI systems with more than one million monthly users to provide free AI detection tools. AB 853 also introduces new requirements for detecting provenance data (the origin or history of digital content) in large online platforms’ content and prohibits generative AI system hosting platforms from providing systems that do not include required disclosures. Some of the statute’s requirements will go into effect January 1, 2027, and others January 1, 2028.
• Colorado
  • In August, Colorado passed SB 25B-004, delaying the implementation of Colorado’s landmark 2024 AI law until the end of June 2026. The 2024 law, titled the Consumer Protections for Artificial Intelligence Act, places greater consumer protections on high-risk AI systems. The Act requires a developer of AI systems to use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination in a high-risk system by disclosing the associated risks to users, drafting a publicly available statement about the risks, and disclosing the associated risks to the attorney general within 90 days of discovery. The law also imposes other specific requirements for developers of high-risk systems. The Consumer Protections for Artificial Intelligence Act will now take effect on June 30, 2026.
• Florida (introduced)
  • In December, Florida Governor Ron DeSantis proposed an AI Bill of Rights to, among other things, ensure data privacy in AI systems, require notice that a consumer is interacting with an AI chatbot, prohibit the sale of certain personal identifying information by AI companies, and limit the use of AI to make high-risk insurance determinations.
• New Jersey
  • In January, the New Jersey Office of the Attorney General and the Division on Civil Rights issued guidance on the use of high-risk AI systems by employers, housing providers, places of public accommodation, and other entities covered by New Jersey discrimination law. The guidance clarified that algorithmic discrimination by AI tools is prohibited under the New Jersey Law Against Discrimination.
  • In December, the Division of Civil Rights adopted new rules targeting AI in housing, public accommodation, and financial lending, clarifying how the agency analyzes disparate impact claims under the New Jersey Law Against Discrimination.
• New York
  • In January, New York introduced SB S1169A, which would regulate the development and use of certain AI systems to prevent algorithmic discrimination and require independent audits of high-risk AI systems. The bill also provides for attorney general enforcement and a private right of action for violations. The bill passed the Senate in June and is under review with the New York Assembly.
  • In December, New York Governor Hochul signed amendments to SB S6953B, the RAISE Act, establishing safeguards and reporting requirements for large developers of AI models. The law also provides for attorney general enforcement for failure to submit required reporting or for making false statements, with penalties of up to $1 million for the first violation and up to $3 million for subsequent violations.
• Texas
  • In June, Texas enacted HB 149, the Texas Responsible Artificial Intelligence Governance Act. The law includes provisions aimed at consumer protection, disclosure guidelines, and safe harbors for entities that comply with risk management frameworks. It also allocates exclusive enforcement authority to the Texas attorney general and allows for civil penalties that range from $10,000 to $200,000 per violation. The statute took effect on January 1, 2026.
• Utah
  • In March, Utah enacted SB 226, which regulates the use of generative AI in consumer transactions and financial, legal, and medical services, requiring certain disclosures when generative AI is used to interact with consumers and establishing that it is not a defense to consumer protection violations that AI was used in a transaction. The statute took effect on May 7, 2025.
  • In March, Utah also enacted SB 271, prohibiting the use of a person’s identity to present a false endorsement or advertisement, including through the use of AI technology, and providing a private right of action for persons whose identities are used without consent in advertising. The statute took effect on May 7, 2025.

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.