January 26, 2026

CFS Bites of the Month - 2025 Annual Review - Privacy and Data Security

Megan Nicholls, Webb McArthur, Eric L. Johnson, Justin B. Hosie and Kristen Yarows

In this article, we share a timeline of monthly "bites" for the past year applicable to privacy and data security. Despite the shift of regulatory activity and attention to the states in recent years, federal regulators have continued both rulemaking and enforcement activity in the areas of privacy and data security. Both topics have proven to be of continued bipartisan interest, and we expect that federal regulators will remain committed to enforcing their expectations in these areas. Regulators appear to be concerned most with protecting sensitive consumer data, such as data about or from children, and with inaccurate claims about privacy or data security controls.

CFPB Solicits Comments on Digital Payment Privacy

On January 10, 2025, the CFPB issued a Request for Information and a Proposed Interpretive Rule on digital payment privacy. The CFPB claimed it requested comments in order to better understand how companies collect, use, share, and protect consumer financial data, including data from consumer payments. The Request for Information ("RFI") sought comments about the effectiveness of current regulations, including the existing model form, privacy notices, and opt-out mechanisms. Comments on the RFI were due by April 11, 2025.

CFPB Withdraws Sixty-Seven Guidance Documents

On April 11, 2025, CFPB Acting Director Vought wrote a memo that directed CFPB staff to cease issuing guidance documents and to review past guidance documents and flag only those that conform to the principles set forth in the memo. He instructed that any guidance that had not been flagged for retention would be reviewed and rescinded. On May 9, 2025, the CFPB published its withdrawal of sixty-seven guidance documents in the Federal Register. Those guidance documents date as far back as 2011, when the CFPB was in its infancy. The withdrawn documents included: (a) eight Policy Statements such as the 2023 Statement of Policy regarding Abusive Acts or Practices and others; (b) seven Interpretive Rules such as the 2024 Truth in Lending Buy Now Pay Later Interpretation, the 2022 Authority of States to Enforce the CFPA Interpretation, the 2021 Equal Credit Opportunity Act Interpretation on Discrimination on the Bases of Sexual Orientation and Gender Identity, and others; (c) thirteen Advisory Opinions including a couple on earned wage access, one on collection of medical debt, one on pay-to-pay fees, one on background screening, one on private education loans, and others; and (d) thirty-nine other guidance documents addressing topics including data security, whistleblower protections, unenforceable contract terms and conditions, steering by digital intermediaries, proper use of adverse action model forms, FCRA accuracy expectations, negative option marketing, and others. The CFPB statement withdrawing the sixty-seven guidance documents indicated that the CFPB was withdrawing guidance documents to afford staff an opportunity to review and consider (1) "whether the guidance is statutorily prescribed," (2) whether the interpretation "is consistent with the relevant statute or regulation," and (3) whether it "imposes or decreases compliance burdens."

CFPB Terminates Several Consent Orders Early

In May 2025, the CFPB started its practice of terminating consent orders early by terminating four consent orders. In addition, the CFPB amended a consent order with an international money remittance company, reducing its $2.02 million fine to just $45,000. Throughout the year, the CFPB continued to terminate consent orders early by terminating fourteen other consent orders. With two exceptions, one a consent order with a mortgage servicer over RESPA violations and the other a consent order with a bank over HMDA data, the terminated consent orders were entered into during the last administration. The CFPB terminated the consent orders pursuant to its authority under 12 U.S.C. § 5563(b)(3), typically when the entity had fulfilled most or all of its obligations under the consent order. Many of the consent orders had ongoing recordkeeping requirements that were terminated early.

House Subcommittee Holds Hearing on Data Privacy

On June 5, 2025, the House Subcommittee on Financial Institutions held a hearing entitled "Framework for the Future: Reviewing Data Privacy in Today's Financial System." As described by the Committee Majority Staff, the hearing was intended to explore consumer data privacy laws across both Federal and state jurisdictions, and to examine consumer financial data privacy law under the Gramm-Leach-Bliley Act. The hearing included testimony from the Executive Vice President for Electronic Transactions Associations, the Director of Innovation and Technology at America's Credit Unions, a fellow in technology privacy at the Cato Institute, a senior fellow for the Future of Privacy Forum, and Hudson Cook's partner, Becki Kuehn. Kuehn testified about privacy laws, including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Right to Financial Privacy Act, and state privacy laws. Her testimony addressed how these laws collectively provide meaningful protections to consumers, which are essential to maintaining consumer trust in the financial system and preventing misuse of sensitive financial data.

FTC Provides Guidance on Safeguards Rule

On June 16, 2025, the FTC released FAQs that discuss application of the Safeguards Rule to motor vehicle dealers, providing specific examples. The FTC amended the Rule in 2021 to provide more specific guidelines addressing new technology. The FTC amended the Rule again in 2023 to require financial institutions to report certain data security incidents to the FTC. The FAQs clarify which records the Safeguards Rule covers, including: (1) applications approved for financing and leasing; (2) spreadsheets of the names and addresses of customers who financed or leased cars; and (3) financial information related to individual consumers who financed or leased cars. The FAQs address the topics that an information security program should cover, discuss the ten different elements that should be included in the dealer's programs, and inform dealers that their Safeguards Rule obligations are distinct from their obligations under the Privacy Rule.

FTC Takes Action Against Webhosting Provider over Data Security

On May 21, 2025, the FTC finalized an order against a webhosting provider that allegedly failed to implement standard data security tools and practices despite advertising "award-winning security." Earlier in the year, the FTC had alleged that the company failed to use multi-factor authentication, monitor for security threats, and secure connections to its consumer data. The FTC alleged that these failures caused several data breaches that allowed hackers to gain unauthorized access to customers' websites and data. The order prohibits the company from making misrepresentations regarding its security and compliance with any privacy or security program sponsored by a government, self-regulatory, or standard-setting organization. The order also requires the company to establish and implement a comprehensive information-security program that protects the security, confidentiality, and integrity of its website-hosting services. Additionally, the order requires the company to hire an independent third-party assessor to conduct reviews of its information-security program.

CFPB Moves to Vacate Section 1033 Data Sharing Rule

On May 30, 2025, the CFPB filed a motion for summary judgment in a lawsuit challenging the Section 1033 Rule. In the motion, the CFPB wrote that the rule exceeds the agency's statutory authority and is arbitrary and capricious. The plaintiffs also asked the U.S. District Court for the Eastern District of Kentucky to vacate the rule. The CFPB wrote in its filing that, in light of the President's directive to review existing regulations, the CFPB's "new leadership has considered the rule and the arguments set forth in plaintiffs' complaint and amended complaint and has concluded that the rule exceeds the bureau's statutory authority and is arbitrary and capricious." In late March, the judge stayed the lawsuit for 60 days to allow the CFPB to review its position on the matter. On August 21, the CFPB issued an Advance Notice of Proposed Rulemaking requesting comments on the Rule, signaling its intent to revise the Rule.

FDIC Updates Approach to Pre-Filled Information for CIP Rule

On August 5, 2025, the FDIC released a Financial Institution Letter that updates the agency's supervisory approach regarding whether an FDIC-supervised institution can use pre-populated consumer information for the purpose of opening an account to satisfy Customer Identification Program ("CIP") requirements. The CIP rule, among other things, requires financial institutions to implement reasonable procedures for verifying the identity of a person seeking to open an account, to the extent reasonable and practicable, and to maintain records of the information used to verify a person's identity. The CIP rule also requires an institution to collect certain information from a customer opening an account. The FDIC indicated that its position is that the requirement to collect identifying information "from the customer" under the CIP rule does not preclude the use of pre-filled information. FDIC examiners will consider the pre-filled information as from the customer provided that (1) the customer has the opportunity and the ability to review and correct the accuracy of the information, and (2) the institution's processes for opening an account that involves pre-populated information allow the institution to form a reasonable belief as to the identity of its customer and are based on the institution's assessment of the relevant risks, including the risk of fraudulent account opening or takeover.

FTC Takes Action Against Online Video Platform Operator

On September 2, 2025, the FTC announced an action against an online video platform operator, alleging that the operator failed to designate videos as "made for kids." The large entertainment company operates online video channels and uploads child-directed videos to a video sharing platform. The FTC alleged that the company violated the FTC Act and the Children's Online Privacy Protection Act ("COPPA") Rule. The FTC alleged that the company failed to properly mark certain videos as child-directed, and collected children's personal information without parental notice or consent, contrary to COPPA requirements. The FTC alleged that in some cases, children received targeted advertisements. The proposed stipulated order requires the company to implement a robust audience designation program to ensure videos are correctly identified as "made for kids," provide direct notice to parents, and obtain verifiable parental consent before collecting, using, or disclosing children's personal information. The proposed stipulated order also includes a permanent injunction and a $10 million civil penalty.

FTC Takes Action Against Robot Toy Maker

On September 2, 2025, the FTC filed a complaint and proposed stipulated order against a technology company that develops programmable toy robots marketed to children ages 6 to 14. The company required the use of a companion mobile app to control and program the toy, and the FTC alleged that the company's Android app collected precise geolocation data from children without parental notice or consent. The FTC alleged violations of Section 5 of the FTC Act and the COPPA Rule. The proposed stipulated order requires the company to delete unlawfully collected data, implement clear and conspicuous parental notice practices, obtain verifiable parental consent before collecting children's personal information, and comply with recordkeeping and reporting obligations for 10 years. The proposed stipulated order also includes a permanent injunction and civil penalty of $500,000.

FTC Launches Inquiry into AI Chatbots as Companions

On September 11, 2025, the FTC issued orders to seven companies that provide consumer-facing AI chatbots. The FTC issued these orders under its 6(b) authority, which is an investigative tool that allows the FTC to request answers to specific questions about organization, business, conduct, practices, and management. The AI chatbots may use generative AI technology to simulate human-like communication and interpersonal relationships with users, including by mimicking human characteristics, emotions, and intentions. The FTC indicated that it sought to understand what steps, if any, companies have taken to evaluate the safety of their chatbots when acting as companions, to limit the products' use by and potential negative effects on children and teens, and to tell users and parents of the risks associated with the products. The FTC indicated that it is particularly interested in the impact of the chatbots on children, including what actions the companies are taking to mitigate potential negative impacts and compliance with the COPPA Rule. The FTC is asking how companies monetize user engagement; develop and approve characters; monitor compliance with company rules and terms of service, including community guidelines and age restrictions; and use or share personal information obtained in conversations.

CFPB Dismisses Numerous Lawsuits

Since the change in administration, the CFPB has dismissed numerous lawsuits that were filed under the Biden administration. From February into early March, the CFPB quickly filed dismissals in seven lawsuits, including a lawsuit against a large national bank, a student loan servicer, two mortgage lenders, a peer-to-peer lender, and an installment lender. Throughout the year, the CFPB continued to withdraw from several other lawsuits, including litigation against a lease-to-own company, a money transfer company, and an indirect auto company. It is estimated that the CFPB has dropped at least twenty-two cases throughout the year. Some of the litigation that the CFPB has dropped has been revived by state attorneys general.
