New Guidelines Establishing the Requirements and Procedures That Must Be Observed to Obtain Permission to Advertise Prepackaged Food and Non-Alcoholic Beverages

Following our newsletter dated March 31, 2020, “The new Mexican Official Standard for the labelling of pre-packaged food and non-alcoholic beverages”, and other newsletters regarding labelling of products: on March 11, 2025, five years after the publication of this Mexican Official Standard, the Guidelines regarding advertising of prepackaged food and non-alcoholic beverages were published in the Official Gazette. They entered into force on March 12, 2025.
These Guidelines appear to now restrict the advertising of these types of products, imposing on advertisers, advertising agencies and media the obligation to obtain a permit/approval for advertising the products on open television, restricted television, movie theaters, internet and other digital platforms.
Any product is subject to approval by the Federal Commission Against Sanitary Risks (COFEPRIS) when its label includes one or more warning seals of the front labeling system.
The main restrictions, among others, are the following. It is forbidden:

To use animated characters, pets or interactive games directed at children to promote the consumption of the products.
To compare the products with natural ones.
To compare with similar products regarding their composition or nutritional contents.
To suggest physical or intellectual abilities from its consumption.
To promote excessive consumption of the product.
To suggest that the products may modify body proportions.

The requirements for obtaining the permit/approval to advertise the products are to fill in a format, pay government fees and attach the “operation notice” (authorization) of the product.
Once the application is submitted, COFEPRIS has a term of 20 working days to approve the advertisement and/or 10 days to issue a requirement. The applicant has a term of 5 days to reply; otherwise, the approval will be dismissed.
Although we consider all these requirements to be an unnecessary burden to the industry, these Guidelines provide definitions of terms such as “pets”, “celebrities”, “children’s characters”, “digital downloads”, “cartoons” and “indirect advertising” that were missing in the Mexican Official Standard for the labelling of pre-packaged food and non-alcoholic beverages.

Tick-Tock, Don’t Get Caught: Navigating TCPA’s Quiet Hours

In recent months, businesses across various industries have been hit with a wave of lawsuits targeting alleged violations of the Telephone Consumer Protection Act’s (“TCPA”) call time rules. Plaintiffs are increasingly claiming that text messages, often sent just minutes outside the allowable hours, violate the Federal Communications Commission’s (“FCC”) rules and entitle them to substantial compensation. These lawsuits are creating challenges for businesses that rely on telemarketing and short message service (“SMS”) programs, even when they have received prior consent from their customers.
Understanding the TCPA’s Statutory and Regulatory Framework
The TCPA, enacted in 1991, was designed to protect consumers from unwanted telemarketing calls. Over time, its reach has expanded to cover text messages, making businesses that engage in text message marketing campaigns subject to compliance. One key area of regulation is the TCPA’s call time rules, found in the Do-Not-Call (“DNC”) regulations issued by the FCC. These rules prohibit telephone solicitations to residential subscribers before 8:00 AM or after 9:00 PM local time at the called party’s location.
Under the TCPA, a “telephone solicitation” is defined as a call or message made for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services. Importantly, the statute and regulations carve out several exceptions, including for calls or messages made to individuals who have given prior express consent to be contacted.
The penalties for violating the TCPA can be severe. Violations can result in statutory damages ranging from $500 to $1,500 per call or message, depending on whether the violation was willful. These potential damages create significant exposure for businesses that rely on telemarketing or SMS outreach, particularly when multiple calls or messages are at issue.
Recent Wave of Lawsuits and Why the Claims Are Unmeritorious
Despite the FCC’s long-standing guidance and the clear statutory language regarding consent, plaintiffs have increasingly filed lawsuits alleging that text messages sent outside the 8:00 AM – 9:00 PM window violate the TCPA’s call time restrictions. Many of these lawsuits focus on minor deviations from the permissible time window, such as texts sent just minutes before 8:00 AM or shortly after 9:00 PM.
What makes these lawsuits particularly problematic is that in many cases, the plaintiffs had previously opted into the SMS programs and expressly consented to receive marketing messages. Under the plain language of the TCPA and FCC regulations, such consent removes the text message from the definition of a “telephone solicitation” and, by extension, exempts it from the call time restrictions. This means that businesses with valid consent should not be subject to these lawsuits.
However, plaintiffs are exploiting the uncertainty created by the lack of clear FCC guidance on whether the call time rules apply to text messages where consent has been provided. They argue that, regardless of consent, any text message sent outside the permissible hours violates the TCPA, leaving businesses vulnerable to litigation and potential class action exposure.
The FCC Petition for Declaratory Ruling
In response to this growing litigation trend, an industry group recently filed a petition with the FCC, seeking a declaratory ruling that the TCPA’s call time restrictions do not apply to text messages sent to individuals who have given prior express consent. The petition highlights the plain language of the statute and regulations, arguing that consent should exempt businesses from the call time rules and shield them from the growing number of predatory lawsuits.
The petition also requests clarification or waiver of the rule requiring knowledge of the recipient’s location for compliance, arguing that current standards are unworkable and lead to abusive litigation practices. The petitioners emphasize that the TCPA’s unique combination of strict liability, statutory damages, and private right of action makes it ripe for lawsuit abuse, with opportunistic litigators targeting legitimate businesses.
While this petition represents a positive step towards clarifying the law, the FCC’s rulemaking process can be lengthy. In the meantime, businesses must continue to operate in a landscape where uncertainty about the applicability of the call time rules remains. It could be months, if not longer, before the FCC issues a ruling, and during this time, we expect plaintiffs’ attorneys to continue targeting businesses with TCPA lawsuits.
Recommendations for Reducing Risk
Until the FCC provides clear guidance on the issue, businesses should take proactive steps to mitigate the risk of being targeted by TCPA quiet hour lawsuits. Here are several recommendations to help ensure compliance and reduce exposure:

Observe Call Time Windows: Despite the legal uncertainties surrounding the applicability of the call time rules to text messages, businesses should err on the side of caution and adhere to the 8:00 AM – 9:00 PM window for sending marketing messages. This simple step can help reduce the likelihood of being sued.
Review and Update Consent Mechanisms: Businesses should review their SMS consent processes to ensure that they are obtaining clear and unambiguous consent from consumers. This includes updating terms and conditions to include disclosures about the potential timing of messages and ensuring that consumers understand the nature of the messages they will receive.
Implement Robust Compliance Procedures: Businesses should implement internal procedures to monitor the timing of their telemarketing and SMS campaigns. Consider using software that can automate the scheduling of messages.
Document Consent Thoroughly: If a lawsuit arises, being able to produce clear documentation that demonstrates a consumer’s consent to receive text messages will be critical in defending against the claim. Businesses should maintain detailed records of when and how consent was obtained.

Conclusion
The recent surge in TCPA lawsuits alleging violations of the call time restrictions highlights the need for businesses to stay informed and proactive in their compliance efforts. While we believe that many of these lawsuits are unmeritorious, businesses should still remain cautious. By observing the 8:00 AM – 9:00 PM call time window, reviewing consent mechanisms, and implementing strong compliance procedures, businesses can reduce their risk of being targeted by predatory lawsuits.
We will continue to monitor litigation in the courts and the FCC’s response to the pending petition, and provide updates as new developments arise. In the meantime, please reach out if you have any questions or need assistance in reviewing your telemarketing and SMS programs to ensure compliance with the TCPA.

MAKING SMART TCPA MOVES: Rocket Mortgage Follows Up Its Redfin Purchase With STUNNING $9.4BB Take Over of Mr. Cooper

So multiple outlets are reporting that Rocket is set to absorb the nation’s largest mortgage servicer Mr. Cooper.
With Rocket having just recently acquired Redfin it looks like the company is poised to be an absolute behemoth in the mortgage industry.
Just like with Redfin, however, the TCPA is likely driving this initiative.
Yes, mortgage servicing can be profitable in its own right but it is MASSIVELY valuable to an originator to have a large servicing pool.
Why?
Who is more likely to NEED a mortgage or refinance than folks who already have a mortgage product? And with trigger leads now widely available (probably illegal under FCRA but don’t tell the CRAs that) having a massive servicing book means you can LEGALLY call folks who just submitted an application elsewhere and convince them to stay.
This is because the DNC rules will soon allow Rocket to call all of the MILLIONS of Mr. Cooper customers it just acquired WITHOUT CONSENT.
Pretty slick, eh?
So with Redfin providing consent on the front end and with access to a massive pool of mortgage customers now bolted on to the backend Rocket can make ready use of the phones to bring customers into its ecosystem–and keep them there.
Pretty clever. And it was all brought to you by the TCPA.
People think of the statute as a profit killer. But leveraged correctly it can actually drive profits by building a moat around your customers and a barrier-to-entry for others in your vertical.
Smart money uses the law as a competitive advantage. Nicely done Rocket.

Virginia Governor Recommends Amendments to Strengthen Children’s Social Media Bill

On March 24, 2025, Virginia Governor Glenn Youngkin asked the Virginia state legislature to strengthen the protections provided in a bill (S.B. 854) passed by the legislature earlier this month that imposes significant restrictions on minors’ social media use.
The bill would amend the Virginia Consumer Data Protection Act (“VCDPA”) to require social media platform operators to (1) use commercially reasonable methods (such as a neutral age screen) to determine whether a user is a minor under the age of 16; and (2) limit a minor’s use of the social media platform to one hour per day, unless a parent consents to increase the limit. The bill would prohibit social media platform operators from altering the quality or price of any social media service due to the law’s time use restrictions.
The Governor declined to sign the bill and recommended that the legislature make the following amendments to enhance the protections in the bill: (1) raise the covered user age from 16 to 18; and (2) require social media platform operators to, in addition to the time use limitations, also disable (a) infinite scroll features (other than music or video the user has prompted to play) and (b) auto-playing videos (i.e., where videos automatically begin playing when a user navigates to or scrolls through a social media platform), absent verifiable parental consent.

Privacy and Data Security in Community Associations: Navigating Risks and Compliance

Privacy and data security laws govern how organizations collect, handle, and protect personally identifiable information (PII) to ensure it is properly processed and protected.
For community associations, this is especially important as these organizations often manage large amounts of PII of homeowners and residents (e.g., name, address, phone number, etc.), including certain categories of sensitive PII, such as financial details. With identity theft and various cyber scams on the rise, cybercriminals frequently target this type of data. Once this data is accessed, a threat actor can do anything it wants with the data. For instance: the threat actor can sell the PII to the highest bidder; encrypt the data and hold it for ransom, meaning that a community association can no longer access the information and potentially must pay large sums in order to get it back; or make a copy of the PII and then extort the community association to return or delete the data instead of releasing it publicly, among other malicious acts. 
With these risks in mind, data security breaches have become a widespread concern, prompting legislative action. All fifty states now have laws requiring organizations to notify individuals if unauthorized access to PII occurs. These laws apply to community associations in North Carolina under North Carolina General Statute § 75-65. In order to avoid being involved in a data security breach, North Carolina community associations should prioritize taking steps to protect PII of their residents and homeowners.
While North Carolina does not offer specific statutory guidance for community associations regarding personal data handling, federal frameworks can help. The National Institute of Standards and Technology (NIST) has developed comprehensive privacy and cybersecurity guidelines. To view their resource and overview guide, visit this link. The NIST’s frameworks assist organizations in identifying the data they possess, protecting it, managing and governing it with clear internal rules, and responding to and recovering from data security incidents. To summarize some of the key steps necessary for a community association to protect its data, please see the list below.
Key Steps for Strengthening Privacy and Data Security

Keep Technology Updated. Community associations should prioritize keeping their systems, networks, and software up to date. Oftentimes, software updates include patches for security vulnerabilities that threat actors can exploit. As technology evolves, new threats emerge, and these software updates are designed to address these risks by closing security gaps. In addition, community associations should change passwords periodically and be sure that passwords are not universal among all systems and websites. If presented with the option, it is recommended to use multi-factor authentication on various log-in platforms. By using multi-factor authentication, there is an extra layer of security beyond a password that can be guessed, stolen, or compromised.
Manage Access. Ensure that only necessary employees have access to residents’ and homeowners’ PII. For those who have access, be sure to adequately train those employees to confirm they are apprised of the community association’s cybersecurity policies and procedures. Additionally, be sure these employees can recognize common attack methods of threat actors and are able to avoid and report any suspicious activity. One of the basic ways to manage access is to ensure the community association is only collecting information that it absolutely needs to carry out its operations. If less data is in the possession of the community association, less data can be accessed by a threat actor.
Regularly Review Vendor Contracts. It’s crucial for community associations to audit contracts with vendors, at least annually, to ensure they align with the association’s risk tolerance. Many breaches stem from third-party service providers who have access to PII and sensitive PII. Without clear contractual safeguards, a breach could result in significant remediation costs, with limited legal recourse against the responsible vendor. Always be sure that your contracts address data protection and breach response obligations.
Consider Cyber Insurance. Cyber insurance has become an essential risk management tool for community associations. However, it’s important to understand that cyber insurance is not a catch-all solution. Insurers are increasingly raising premiums and limiting coverage for organizations that fail to implement strong data protection practices. Cyber insurance should be seen as a safety net, not a substitute for a comprehensive privacy and security strategy. Community associations should also periodically review their cyber insurance policies to confirm they are providing coverage for any new or emerging threats that may arise.
Engage the Community. Transparency, especially regarding the categories of data collected and how they are used, is key in building trust with residents and homeowners. Community associations should seek input from their stakeholders on privacy and data security policies. While legal obligations will not change based on community sentiment, understanding residents’ concerns can help guide decision-making and foster a sense of accountability. Discussing data security efforts and proactively addressing cybersecurity challenges at an annual meeting provides an opportunity to clarify expectations and show the association’s commitment to protecting personal information.

For guidance on strengthening a community association’s privacy and data security efforts, contact us to learn more about best practices and compliance strategies.

NLRB Firing Decision Stayed; Board to Stay Without a Quorum

On March 28, 2025, the United States District Court of Appeals for the D.C. Circuit stayed the District Court’s order reinstating former National Labor Relations Board (“NLRB” or “Board”) Member Gwynne A. Wilcox.  The Board is again left without a quorum, which, under the National Labor Relations Act (“NLRA” or the “Act”), requires at least three members. See New Process Steel, L.P. v. NLRB, 560 U.S. 674 (2010).
As reported here, on March 6, 2025, a D.C. federal judge had reinstated Member Wilcox, finding that President Trump’s unprecedented firing violated Section 3(a) of the NLRA, which states that, “[a]ny member of the Board may be removed by the President, upon notice and hearing, for neglect of duty or malfeasance in office, but for no other cause.” 29 U.S.C. 153(a).
The D.C. Circuit did not include a majority opinion with its order, which simply indicated that “the emergency motions for stay be granted.”  Instead, the Court attached two concurring opinions (by Judge Justin Walker and Judge Karen Henderson, respectively) and one dissenting opinion (by Judge Patricia Millett).
The opinions focused on the constitutionality of Section 3(a)’s removal protections, grappling with Seila Law LLC v. Consumer Financial Protection Bureau, 591 U.S. 197 (2020), Collins v. Yellen, 594 U.S. 220 (2021), and Humphrey’s Executor v. United States, 295 U.S. 602 (1935), to determine whether the NLRB exercises sufficient “executive power,” such that it might not be covered by the Humphrey’s Executor exception to presidential removal.  As referenced here, that decision affirmed Congress’ power to limit the president’s ability to remove officers of independent administrative agencies created by legislation.
As Judge Henderson indicated in her concurrence, the “continuing vitality” of Humphrey’s Executor might be in doubt after Seila and Collins, and the Trump administration will likely seek to overturn the decision through the Wilcox appeal.  In the interim, and possibly until the Supreme Court rules on this issue, the Board will remain without a quorum.  As reported here, while the NLRB indicated that it will function to the extent possible absent a quorum, employers can expect Board processes to move slowly and resolution of matters pending to be delayed.
We will continue to track the Wilcox litigation and its impact upon the NLRB.

Nondelegation and Environmental Law

Earlier this week, the Supreme Court held oral argument in Federal Communications Commission v. Consumers’ Research.1 The case addresses the Federal Communications Commission’s Universal Service Fund programs aimed at providing funding to connect certain customers with telecommunications services. The challengers contend that Congress ran afoul of the nondelegation doctrine in authorizing the FCC to set up the Universal Service Fund programs and that these programs are therefore unlawful.
Although that issue might appear far removed from issues of environmental law, the case could have significant ramifications and could curtail Congress’s ability to authorize federal administrative agencies to issue binding regulations. That curtailment could reach to congressional enactments that authorize the Environmental Protection Agency to promulgate regulations in a variety of areas, including several major environmental statutes like the Clean Air Act, the Clean Water Act, and the Safe Drinking Water Act, to name a few.
What is the Nondelegation Doctrine and Why is it Important?
The nondelegation doctrine holds that Congress may not delegate lawmaking (i.e., legislative) authority to executive branch agencies. As some observers have put it, however, the nondelegation doctrine had only one good year, in 1935, when the Supreme Court struck down two federal laws authorizing the executive to take certain actions that were considered legislative in nature. The cases were A.L.A. Schechter Poultry Corp. and Panama Refining Co.
Besides those two cases, the Supreme Court has not struck down any other federal laws on nondelegation grounds. This is because, after 1935, the Supreme Court adopted a relatively permissive test of whether a statute runs afoul of the nondelegation doctrine. The test, referred to as the “intelligible-principle” test, looks to whether Congress has provided the administrative agency with some “intelligible principle” to follow in promulgating regulations pursuant to a congressional enactment.
Applying the intelligible-principle test, the Supreme Court has repeatedly, and over approximately eight decades, upheld congressional delegations of rulemaking power to administrative agencies.
However, in 2019, a dissenting opinion written by Justice Gorsuch in Gundy v. United States, called on the Court to abandon the intelligible-principle test and instead move toward a test where the Agency is not able to make policy decisions and instead is left to a role where it only “fills up the details” or makes factual determinations. Notably, the Gundy dissent was joined by Justices Roberts and Thomas, and Justices Alito and Kavanaugh elsewhere expressed support for the Gundy dissent’s approach. Gundy was also decided before Justice Barrett joined the Court. This has Supreme Court watchers asking whether the Supreme Court might inject more stringency in the nondelegation test in an appropriate case.
Enter Consumers’ Research. This is the first Supreme Court case to squarely raise nondelegation issues since Gundy. The challengers to the Universal Service Fund program argue that Congress gave the FCC unchecked authority to raise funds to be directed toward the goal of providing universal service from telecommunications services providers. The FCC (and intervenors) respond that the program “passes . . . with flying colors” and fits comfortably within past nondelegation cases because of the numerous restrictions that the statute places on the FCC. If the Supreme Court were to shift course by establishing a more stringent nondelegation test, that could significantly constrain Congress’s ability to delegate rulemaking powers to administrative agencies. Importantly, a more stringent test for nondelegation challenges could also impact numerous existing federal laws. We discuss just a sample of environmental laws that could be affected in the following section.
What Could it Mean for Environmental Law, and You?
One of the most obvious areas where a more stringent delegation test could impact environmental law is in the setting of air and water quality standards.
For example, the Clean Air Act directs the EPA to set air quality standards that apply nationwide. The Clean Air Act provides relatively loose guidance on how the EPA should go about that task, directing the EPA to promulgate standards “requisite to protect the public health” while “allowing an adequate margin of safety.” The Supreme Court upheld that delegation in Whitman v. American Trucking Associations, Inc., but if the Supreme Court were to take a more stringent approach to nondelegation like that in the Gundy dissent, the EPA may not be able to make the decision of what air standard is “requisite to protect the public health” because that could be viewed as a key policy determination and more than “fill[ing] up the details.”
Likewise, in the Clean Water Act, the EPA is also directed to review water quality standards set by individual states, again taking into account a relatively broad instruction from Congress “to protect the public health or welfare, enhance the quality of water and serve the purposes of this chapter” while also considering the waters’ “use and value for public water supplies, propagation of fish and wildlife, recreational purposes, and agricultural, industrial, and other purposes, and . . . their use and value for navigation.” Again, a more stringent nondelegation test could find that these instructions leave the EPA with too much of a policy-making role.
Finally, in the Safe Drinking Water Act, the EPA is directed to set maximum contaminant level goals “at the level at which no known or anticipated adverse effects on the health of persons occur and which allows an adequate margin of safety.” This direction to set a standard is potentially less at risk because it requires more fact finding (i.e., determining “known or anticipated adverse effects on” health), but the requirement to determine an “adequate” safety margin might be deemed to be too close to policymaking.
Although nondelegation challenges to these types of environmental regulations have been raised in the past, they have failed at least in part because of the relaxed intelligible-principle test. The outcome in Consumers’ Research could change that. The Environmental Team at Womble Bond Dickinson are well-suited to evaluate these specific questions of law with you.
Counting Noses in Consumers’ Research
For now, it appears that the current nondelegation test will live to see another day. Only Justices Thomas, Alito, and Gorsuch seemed readily willing to make the test more stringent. The Justices appointed by Democratic presidents (Sotomayor, Kagan, and Jackson) are sure “no” votes. As for the three Justices typically left in the middle, Chief Justice Roberts was unusually quiet during argument, while both Justices Kavanaugh and Barrett pushed back on counsel for Consumers’ Research in numerous instances. Given that the Universal Service Fund program enjoys continuing and broad bipartisan support, this may not be the case where any of the middle three Justices are willing to take on the nondelegation issue, especially after the Court has already issued decisions that rein in administrative agency authority through the major-questions doctrine and by overruling the Chevron deference regime.
Regardless, the Supreme Court’s opinion, which should issue by July 2025, will likely reveal where the Court is headed on nondelegation issues and could signal that a more searching nondelegation test is on the horizon. 

1 Brief disclaimer: Michael Miller worked on this case in the earlier stages of litigation before it was brought before the Supreme Court. This update does not share any views on the merits of the case.

CFPB to Withdraw BNPL Interpretive Rule Amid Broader Agency Rollback

The CFPB has announced plans to withdraw its May 2024 interpretive rule that subjected buy-now, pay-later (BNPL) products to regulations applicable to credit cards under the Truth in Lending Act (TILA). The move was revealed in a court filing in the CFPB’s ongoing litigation with a fintech-focused trade organization which challenged the rule as procedurally improper and ill-suited to short-term, interest-free BNPL loans.
The interpretive rule, issued under former Director Rohit Chopra, would have extended traditional credit card protections—such as dispute rights and refund guarantees—to BNPL offerings (previously discussed here). The parties jointly requested to stay the case pending revocation of the rule.
This shift comes as part of a broader reorientation of the CFPB under President Trump. Under the current administration, the Bureau has moved to pause or roll back a slew of enforcement and rulemaking efforts initiated during the Biden administration (previously discussed here, here, and here).
Putting It Into Practice: The CFPB’s withdrawal of the BNPL interpretive rule signals a lighter regulatory touch on emerging consumer credit products. While welcomed by BNPL providers, the move may prompt increased scrutiny from state regulators and consumer advocates concerned about potential protection gaps. Industry participants should prepare for a patchwork of regulatory expectations in the near term.

FHFA Rescinds UDAP Oversight Bulletin and SPCP-Based Renter Protections

The Federal Housing Finance Agency (FHFA) has taken two significant deregulatory steps affecting its oversight of the government-sponsored enterprises, Fannie Mae and Freddie Mac (GSEs). The agency rescinded a 2024 advisory bulletin asserting its authority to regulate unfair or deceptive acts or practices (UDAP) by Fannie Mae and Freddie Mac. Additionally, the FHFA withdrew renter protection requirements—previously scheduled to take effect on May 31—for multifamily loans made through Special Purpose Credit Programs (SPCPs) backed by the GSEs.
UDAP Advisory Bulletin Rescinded
FHFA stated that enforcement of unfair or deceptive acts or practices should remain with the FTC, which is the primary administrator of Section 5 of the FTC Act. The agency emphasized its focus on the safety and soundness of the GSEs, rather than duplicating existing consumer protection authority.
The rescinded bulletin had stated that FHFA would evaluate whether the GSEs’ actions or inactions could be considered unfair or deceptive under established standards, and would hold the enterprises accountable if they facilitated or failed to prevent such conduct. It also emphasized that UDAP concerns could arise in connection with third-party servicers or counterparties acting on behalf of GSEs. By revoking the bulletin, FHFA clarified that it does not intend to impose separate or parallel UDAP obligations on the enterprises beyond those enforced by the FTC or CFPB.
SPCP-Based Tenant Protections Withdrawn
FHFA has formally reversed course on renter protections that were previously tied to multifamily loans issued through SPCPs backed by GSEs. These conditions, which had been scheduled to take effect on May 31, would have required landlords to implement a five-day grace period before charging late fees and to provide at least thirty days’ notice before modifying lease terms.
The protections were introduced as part of the GSEs’ Equitable Housing Finance Plans and were aimed at improving housing stability for very low-, low-, and moderate-income renters. FHFA’s current leadership characterized the requirements as exceeding the agency’s role and stated that lease-related protections should be governed by state and local law.
Putting It Into Practice: The FHFA’s rescission of its UDAP bulletin and SPCP-based renter protections reflects a shift toward a narrower role for the agency, centered on institutional supervision and market stability. Financial institutions should continue to look to the FTC, CFPB, and state regulators for UDAP enforcement, tenant protection standards, and other consumer-facing compliance obligations.

Virginia Enacts Law Protecting Reproductive and Sexual Health Data

On March 24, 2025, Virginia Governor Youngkin signed into law S.B. 754, which amends the Virginia Consumer Protection Data Act (“VCDPA”) to prohibit the collection, disclosure, sale or dissemination of consumers’ reproductive or sexual health data without consent.
The law defines “reproductive or sexual health information” as “information relating to the past, present, or future reproductive or sexual health” of a Virginia consumer, including:

Efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies;
Reproductive or sexual health conditions, status, diseases, or diagnoses, including pregnancy, menstruation, ovulation, ability to conceive a pregnancy, whether an individual is sexually active, and whether an individual is engaging in unprotected sex;
Reproductive and sexual health-related surgeries and procedures, including termination of a pregnancy;
Use or purchase of contraceptives, birth control, or other medication related to reproductive health, including abortifacients;
Bodily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels;
Any information about diagnoses or diagnostic testing, treatment, or medications, or the use of any product or service relating to the matters described above; and
Any information described above that is derived or extrapolated from non-health-related information such as proxy, derivative, inferred, emergent, or algorithmic data.

“Reproductive or sexual health information” does not include protected health information under HIPAA, health records for the purposes of Title 32.1, or patient-identifying records for the purposes of 42 U.S.C. § 290dd-2.
These amendments to the VCDPA will take effect on July 1, 2025.

Pennsylvania AG Alleges Mortgage Brokers Engaged in Illegal Referral Scheme

On January 17, the Pennsylvania Attorney General filed a civil enforcement action in the U.S. District Court for the Eastern District of Pennsylvania against a group of mortgage brokers and their manager, alleging that they operated an unlawful referral scheme in violation of the Real Estate Settlement Procedures Act (RESPA), the Consumer Financial Protection Act (CFPA), and Pennsylvania’s Unfair Trade Practices and Consumer Protection Law.
According to the complaint, the defendants offered real estate professionals a mix of financial incentives—such as discounted shares in a joint venture mortgage company, event tickets, and luxury meals—in exchange for directing clients to affiliated mortgage brokerages. These referral arrangements were not disclosed to homebuyers.
The Attorney General alleges that the defendants:

Improperly transferred ownership interests. Real estate agents were offered discounted, nonvoting shares in affiliated mortgage companies to incentivize referrals, in violation of RESPA and state consumer protection law kickback prohibitions.
Provided high-value entertainment. Agents allegedly received event tickets and luxury dinners in exchange for steering homebuyers, conduct the Attorney General contends violates RESPA and constitutes unfair and deceptive acts under the CFPA.
Disguised payments as legitimate business deals. The scheme was structured to appear as stock sales and profit distributions to conceal kickbacks, allegedly violating RESPA and both federal and state consumer protection statutes.
Failed to meet disclosure requirements. The defendants allegedly did not comply with the legal standards for affiliated business arrangements under RESPA, depriving consumers of material information and transparency.

The lawsuit seeks injunctive relief, restitution, civil penalties, and recovery of attorneys’ fees.
Putting It Into Practice: This state enforcement continues the trend of states ramping up regulation and enforcement of financial services companies (previously discussed here and here). As certain states continue to align themselves with the CFPB’s January recommendations encouraging states to adopt and apply the “abusive” standard under the CFPA (previously discussed here), we expect to see more states ramp up their consumer financial protection efforts.

RIP Overdraft Rule?

Last month, bills were introduced in the House and Senate to overturn the much-maligned CFPB overdraft rule. You can find our previous write-up on the rule here. The rule would redefine “finance charge” under Regulation Z to sweep up overdraft fees charged by “Very Large Financial Institutions” (total assets exceeding $10 billion). Unless covered entities charged a “breakeven” fee (calculated through a head-spinning formula) or a “benchmark” fee ($5), they would have to treat overdraft fees as an extension of credit under the Truth in Lending Act (i.e., issue a bunch of onerous disclosures).
The rule was questioned when it came out in January 2024—an issue we previously addressed. Several banks ran to court as soon as the final rule was promulgated in December 2024. As we explained, the rule carried potentially drastic consequences that would create exposure beyond overdraft fees and beyond Very Large Financial Institutions.
When former CFPB Director Rohit Chopra unveiled this rule at the beginning of an election year, he probably didn’t anticipate a Republican sweep of Congress and the White House. But, given November’s results, yesterday’s outcome shouldn’t be a surprise: The Senate voted 52-48 to eliminate the overdraft rule pursuant to the Congressional Review Act (5 U.S.C. § 801). If the companion measure passes the House, the matter will go to President Trump’s desk for his signature. If both of those things happen, the overdraft rule cannot be resurrected again except by an act of Congress.
That’s what we expect to happen. But it’s not certain. Overdraft fees may draw the ire of populist elements within the Republican Party. Note that Sen. Josh Hawley broke rank to vote against the measure.
Stay tuned. We’ll keep track of this issue.