CFPB Narrows State Enforcement Powers by Rescinding 2022 Interpretative Rule

On May 15, the CFPB rescinded its May 2022 interpretive rule that had expanded state enforcement authority under Section 1042 of the Consumer Financial Protection Act (CFPA). The Bureau now maintains that the previous guidance misread the statute and improperly extended state authority beyond what Congress intended.
According to the rescission, the CFPB identified three core issues with the 2022 interpretation that gave states unintended additional regulatory powers. Specifically, the CFPB stated that the rule:

Expanded the reach of Section 1042. The rule concluded that states could enforce any provision of the CFPA, including Section 1036’s UDAAP prohibition. The Bureau now asserts that Section 1042 only permits enforcement actions as specifically authorized within the CFPA and not any conduct touching on consumer protection.
Disregarded statutory limitations on enforcement. The rescinded rule stated that limitations on the CFPB’s authority—such as those in Sections 1027 and 1029 restricting jurisdiction over certain entities—did not constrain state action. The Bureau now maintains that those limits apply to states as well when they enforce the CFPA under Section 1042, in line with how the statute should be read as a whole.
Encouraged duplicative enforcement. The 2022 rule allowed states to bring actions independently even where the CFPB had already initiated proceedings. The Bureau now views Section 1042 as contemplating joint enforcement, requiring states to notify the Bureau and enabling the Bureau to intervene.

Putting It Into Practice: The CFPB remains focused on rolling back interpretations from prior leadership that expanded its regulatory and enforcement reach (previously discussed here and here). Although not binding on state attorneys general, the guidance reflects the Bureau’s shift toward a less aggressive approach in enforcement matters. We are also likely to see a decrease in joint federal-state enforcement actions. 

New York Enacts BNPL and Overdraft Fee Restrictions

On May 9, the NYDFS announced that Governor Kathy Hochul signed New York’s FY2026 Budget into law, enacting two major consumer financial protection measures. The budget establishes a licensing and supervision framework for Buy Now Pay Later (BNPL) lenders operating in New York and supports NYDFS’s January 2025 proposal to cap overdraft fees and prohibit certain high-cost practices (previously discussed here). Key provisions of the budget include:

Licensing requirements for BNPL providers. Companies offering BNPL products must obtain a license and submit to regulatory oversight.
Standardized disclosures and fee limitations. BNPL lenders must provide clear terms regarding repayment and fees, and may only charge fees that comply with newly established limits.
Caps on overdraft fees. NYDFS’s proposed regulations would limit the maximum amount banks may charge for overdrafts.
Ban on serial daily fees. State-chartered banks would be prohibited from assessing multiple overdraft fees in a single day.
Posting order requirements. Banks must adopt consistent transaction processing practices to prevent fee manipulation.

Putting It Into Practice: New York’s FY26 budget continues the state’s push toward stricter regulation of consumer financial services amid reduced federal oversight, through a combination of legislation, supervision and enforcement (previously discussed here, here, and here). 

We get Privacy for work: The Increasing Importance of Data Mapping [Video, Podcast]

To effectively and immediately respond to cybersecurity data breaches – and remain compliant with the constant bevy of new data privacy laws – you need to know what data your organization is collecting and from whom.
On this episode of We get Privacy for work, we discuss data mapping, the most efficient way to keep track of the information your organization is collecting and storing.
Today’s hosts are Damon Silver and Joe Lazzarotti, co-leaders of the firm’s Privacy, Data and Cybersecurity Group and principals, respectively, in the firm’s New York City and Tampa offices.
Damon and Joe, the question on everyone’s mind today is: What is data mapping, how do I implement it and how does that impact my organization?

FDIC Rescinds 2024 Merger Guidelines; House Votes to Repeal OCC Rule Under CRA

On May 20, federal merger policy took a sharp turn as the FDIC voted to rescind its 2024 merger guidelines, and the U.S. House passed a Congressional Review Act (CRA) resolution to repeal the OCC’s 2024 merger rule.
The FDIC’s now-rescinded guidelines emphasized heightened scrutiny of mergers involving banks with over $50 billion in assets, limited use of conditional approvals, and expectations for public input. With unanimous board approval, the FDIC reverted to its pre-2024 framework, pending a broader review of its merger oversight policies.
On the same day, the House passed S.J. Res. 13, a CRA resolution seeking to nullify the OCC’s 2024 rule that had eliminated expedited merger review procedures and proposed a new policy framework for assessing potential supervisory or competitive concerns. The CRA resolution must still be passed by the Senate and signed by the President to take effect.
Key provisions in the FDIC and OCC’s 2024 merger framework:

Heightened scrutiny for large transactions. The rescinded policies required detailed analysis of financial stability risks and community impact for mergers resulting in banks over $50B or $100B in assets.
Restrictions on conditional approvals. The 2024 FDIC policy stated that statutory deficiencies could not be resolved solely through conditions, prompting industry concerns about deal uncertainty.
End of expedited reviews. The OCC’s 2024 rule eliminated fast-track review pathways, increasing timelines for smaller and low-risk mergers.
Expanded public input. Both agencies had encouraged greater use of public hearings and comment processes, particularly for mergers involving significant asset growth or community impact.

Putting It Into Practice: The rollback of the FDIC’s 2024 merger guidelines and the potential repeal of OCC’s 2024 merger rule signal a decisive shift in federal oversight of bank consolidation, particularly for community and mid-sized institutions. Additional reversals of agency rulemakings under the CRA framework are likely to follow (previously discussed here).

This Week in 340B: May 13 – 19, 2025

Find this week’s updates on 340B litigation to help you stay in the know on how 340B cases are developing across the country. Each week we comb through the dockets of more than 50 340B cases to provide you with a quick summary of relevant updates from the prior week in this industry-shaping body of litigation. 
Issues at Stake: Rebate Model, Other, Contract Pharmacy

In consolidated cases against the government related to rebate models, the court issued multiple rulings denying and granting, in whole or in part, the cross motions for summary judgment filed by all parties.
In one case against the government related to rebate models, the court granted the intervenors’ motion to intervene.
In one case against the government related to rebate models, the court found that plaintiff has standing to challenge the government.
In a case by a covered entity against the government, the covered entity filed an opposition to proposed intervenors’ motion for leave to submit an amicus brief.
In a case by a drug manufacturer against the government, the drug manufacturer filed an opposition to the government’s partial motion to dismiss.
In two cases challenging a Utah state law governing contract pharmacy arrangements, the defendants filed a memorandum in opposition to the plaintiff’s motion for preliminary injunction. In the same case, the defendants filed a motion to dismiss.
In an appealed case challenging a Louisiana law governing contract pharmacy arrangements, the plaintiff filed a motion in opposition to intervenor-defendant’s motion for leave to file a sur-reply to appellant’s reply brief.
In a case against the government challenging its certification of a group of entities as 340B-eligible, plaintiffs filed an opposition to the government’s partial motion to dismiss. (Other)
In a case challenging a South Dakota law governing contract pharmacy arrangements, a group of amici filed an amicus brief in support of defendants’ motion to dismiss. (contract pharmacy)
In a case brought by a 340B covered entity alleging breach of contract by an insurance company, the insurance company filed a notice of removal to remove the case from state court to federal court.
In a case challenging Missouri law governing contract pharmacy arrangements, plaintiff-appellant filed an opening brief.

Nadine Tejadilla also contributed to this article. 

NOT SO RAD: Repeat TCPA Litigator Ethan Radvansky Looks To Make His Mark With Three New Class Action Filings This Week

We see a ton of repeat TCPA litigators in TCPAWorld.
Indeed, somewhere between 60-80% of all TCPA filings are brought by individuals who have filed suit at least once before by my estimate.
Still it is pretty unusual to see a TCPA plaintiff go on a barrage and sue three different companies in a TCPA class action in a single week–especially in different verticals.
Meet Ethan Radvansky.
He’s been filing since at least 2023– I didn’t spend time going back deeper than that. And he’s filed against Maelys Cosmetics Ltd., Kendo Holdings, Inc., Embodied Inc., Sourcis, Inc., and Health Tech Academy LLC over the last few years.
For the most part he was using a guy named Steven H. Koval as his counsel, although it looks like at least one of his suits was brought by Avi Kaufman–a real TCPA hitter.
So five cases over the last couple of years makes him a repeat litigator but not that out of the norm.
But this week Ethan has really swung for the fences and filed three new TCPA class actions, one each against: Destination XL Group, Inc., Comfortwear Collections International Inc., and 1-800-Flowers.com Inc. (I’ll be honest, I didn’t know 1800Flowers was still a thing. haha) All three cases were filed in federal court in the N.D. Georgia.
Interestingly, Ethan looks to have changed counsel as these three suits were brought by the Wolf of TCPAWorld– Anthony Paronich. Eesh.
I pulled the complaints and all three are essentially cookie cutter and nearly identical. All three allege unwanted text messages apparently sent to the wrong number in violation of Plaintiff’s DNC rights. All three appear to be texts that were part of a retail text club of some kind, and I suspect the number at issue changed hands (which is why you need to be scrubbing with the Reassigned Numbers Database!)
All three suits seek to represent a class of individuals who received similar texts despite having not provided their numbers to the Defendants (not certifiable for a number of reasons, but that is the pleaded definition.)
Seems to me that all three of these suits ought to be defended by one law firm to save money… just saying. Hint hint.
You can check out the complaints here:

1800 Flowers Complaint
Comforcare Complaint
Destination XL Complaint

Either way we will keep an eye on this.
Just another reminder to folks in retail or those relying on text clubs there is real risk of texting wrong phone numbers. Critically important that you use the Reassigned Numbers Database!

FTC Delays Enforcement of Click-to-Cancel Rule

Last November, the Federal Trade Commission (FTC or Commission) published its final click-to-cancel rule (the Rule), which requires sellers to make it as easy for consumers to cancel their enrollment into a service or goods plan as it was to sign up. As we discussed previously, the Rule prohibits sellers from misrepresenting any material facts and requires them to provide clear and conspicuous disclosures of material terms before obtaining billing information and charging consumers. Sellers must also obtain informed consent to a negative option feature (i.e., consumer silence or inaction construed as continuing acceptance) prior to charging consumers. The three sitting FTC commissioners – all Republicans – have now voted to extend the compliance deadline to July 14, 2025.
To review, prior to the end of the Biden Administration, the FTC commissioners voted 3-2, along party lines, to finalize the Rule, with Democrats – former FTC Chair Lina Khan, and former Commissioners Alvaro Bedoya and Rebecca Kelly Slaughter – supporting the Rule, and Republican Commissioners Andrew Ferguson and Melissa Holyoak opposing it. The Rule became effective in January, but regulated companies were given until May 14, 2025, to comply.
In a statement issued on May 9, 2025, the FTC delayed enforcement of the Rule by sixty days, citing concerns expressed during the rulemaking that the Rule’s complexities would take a “substantial amount of time to come into compliance.” The statement also noted that while “[t]he previous administration did not explain why [the earlier] deferment period was chosen … the Commission’s decision to defer enforcement necessarily acknowledged that compliance involved some level of difficulty.” The FTC also left the door open “to amending the Rule” to address any problems that the “enforcement experience exposes.”
Much has happened at the Commission since the Rule’s publication last year. With former Chair Khan’s resignation in January and the firing of the two Democratic commissioners in March, all commissioners who voted in favor of the Rule are now gone (two are suing the Administration), allowing Ferguson (now Chair), Commissioner Holyoak, and recently appointed Republican Commissioner Mark Meador, to approve extending the compliance timeframe.
Executive Orders and statements by the current Administration questioning the autonomy of independent agencies such as the FTC, and legal challenges to such efforts, make agency enforcement priorities, existing and proposed rules and regulations, and indeed the structure and organization of independent agencies, uncertain. The uncertainty is not limited to the FTC. As we wrote here, less than two weeks after the Consumer Product Safety Commission (CPSC) voted 3-2 to advance a safety standard for lithium-ion batteries, the three Democratic commissioners who voted for the proposed rule were terminated, and CPSC withdrew the proposal before it could be published in the Federal Register. Plans to fold the CPSC into the Department of Health and Human Services have also been reported.
The FTC and CPSC are two key agencies with authority over legal issues important to consumers and consumer brands. Advocates and companies are watching closely to see how government oversight of consumer and product safety regulation may change.

FDA Advances Post-Market Chemical Review Program

On May 15, 2025, the U.S. Food and Drug Administration (FDA) announced the launch of “a stronger, more systematic review process for food chemicals already on the market — especially those that concern consumers most.” Over the coming months, FDA will roll out the following key actions:

A modernized, evidence-based prioritization scheme for reviewing existing chemicals. According to FDA, it will soon release a draft for public comment;
A final, systematic post-market review process shaped by stakeholder input. More information on FDA’s 2024 Discussion Paper Development of an Enhanced Systematic Process for the FDA’s Post-Market Assessment of Chemicals in Food is available in our August 22, 2024, blog item; and
An updated list of chemicals under review, including butylated hydroxytoluene (BHT); butylated hydroxyanisole (BHA); and azodicarbonamide (ADA). FDA states that it will also take steps to expedite its review of chemicals currently under review like phthalates, propylparaben, and titanium dioxide. FDA notes that it will continue to share information about the status of its work on its public website as part of its push for greater transparency.

FDA notes that until now, it has conducted post-market reviews “on a case-by-case basis, often in response to citizen petitions or new scientific evidence.” FDA states that the new framework “will be proactive, science-based, and built for long-term impact.”

GeTtin’ SALTy Episode 53 | GeTtin’ SALTy & Beyond: Exploring Extended Producer Responsibility Laws [Podcast]

In this episode of GeTtin’ SALTy & Beyond, Nikki Dobay is joined by GT attorney Madeline Orlando for a conversation about the emerging landscape of Extended Producer Responsibility (EPR) laws. 
EPR laws are State and Local Tax (SALT)-adjacent, as new fees are being imposed on producers of packaging that act a lot like taxes.
Madeline provides an overview of EPR laws, which shift waste management costs from municipalities to producers, focusing on single-use packaging.
The conversation explores the mechanics of these laws, their implications for businesses, and how they intersect with state tax principles.
With five states already adopting EPR laws and others on the brink, Nikki and Madeline discuss the challenges of compliance, fee structures, and potential consumer cost impacts.
They also highlight the broader trend of states adopting progressive environmental policies and the absence of federal intervention.
The episode concludes on a lighter note with a non-tax question about first music formats, revealing nostalgic memories of cassette tapes, 8-tracks, and CDs.

AT IT AGAIN: Repeat TCPA Litigator Joseph Friel Sues ETN America and CEO Shlomi Cohen Individually in TCPA Class Action

Another day, another TCPA class action naming a company’s CEO individually along with the company filed by a repeat TCPA litigator.
Today’s case involves a suit against ETN America–operator of contractors99.com–along with CEO Shlomi Cohen.
The suit is brought in federal court out in Pennsylvania– although it looks like Cohen lives in California.
Regardless the suit claims ETN sent messages posing as “Install America” to promote window repairs. Apparently Friel claims he received both text messages and prerecorded calls without his consent.
He sues not only ETN but also CEO Cohen claiming:
Mr. Cohen personally participated in the actions complained of by: (a) selecting the script that was going to be used on the calling; (b) personally approving in the call center operations and (d) personally authorizing any other telemarketing conduct of ETN America.
Hmmm. I wonder what “(c)” was.
Sloppy sloppy.
Regardless as Cohen is alleged to be the “primary operator” of the home improvements and windows company Friel is looking to hold him personally liable for the conduct at issue.
The complaint seeks to certify the following classes:
Robocall Class: All persons in the United States who, (1) within four years prior to the commencement of this litigation until the class is certified (2) received one or more calls on their cellular telephone or any other protected telephone service (3) from or on behalf of Defendants, (4) sent using the same, or substantially similar, pre-recorded message used to contact the Plaintiff.
National Do Not Call Registry Class: All persons within the United States: (1) whose residential telephone numbers were on the National Do Not Call Registry for at least 31 days; (2) but who received more than one telephone solicitation call from Defendants or a third party acting on Defendants’ behalf; (3) within a 12-month period; (4) within the four years prior to the filing of the Complaint.
These class definitions are plainly overly broad since they do not exclude individuals that consented to receive calls, but we will see what the court has to say about that.
Plaintiff’s lawyer is the Wolf– Anthony Paronich. So we will see where this goes.
Defendants have not made an appearance and I don’t know who their counsel will be.
Will keep an eye on this one to see if any of these allegations are true.
Full complaint here: Complaint Friel
A few takeaways:

PERSONAL LIABILITY is a big risk in TCPAWorld folks. The corporate form will not protect you from being sued!
Seeing an uptick in TCPA suits in home improvement–be careful! If you’re in this vertical be sure to head out to LCOC III to stay up to date on all tips and tricks to stay out of trouble!
I’m going to guess this case arose out of third-party lead generation. Cannot emphasize enough how important it is to work with quality lead gen partners folks. With the recent explosion in marketing robocalls it is clear the bad guys are on the loose again– don’t feed the wolf!

European Commission Proposes Expansion to Records of Processing Derogation

On May 21, 2025, the European Commission published a proposal for a new regulation simplifying certain regulatory requirements for “small mid-cap enterprises” (the “Simplification Regulation Proposal”). Small mid-caps will be companies with fewer than 750 employees and either up to €150 million in turnover or up to €129 million in balance sheet.
As part of its simplification efforts, the European Commission proposes amending the EU General Data Protection Regulation (“GDPR”) by extending the derogation from the obligation to maintain records of processing activities (Article 30(5) of the GDPR) to small mid-caps. The current version of the derogation is only applicable to companies employing fewer than 250 persons.
The amended derogation would apply unless an organization carries out processing activities that are likely to result in a high risk to the rights and freedoms of individuals, expanding the current formulation. In this context, the European Commission proposes clarifying that the processing of special categories of personal data which is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the individual in the field of employment and social security and social protection law will not impact the derogation under Article 30(5) of the GDPR.
In addition, the Simplification Regulation Proposal also proposes amending the GDPR to require that the needs of small mid-caps be specifically considered when drafting GDPR codes of conduct, certification mechanisms, seals, and marks.
The Simplification Regulation Proposal will now be subject to the EU’s legislative procedure and may be further amended by the European Parliament or the Council. 
Read the Simplification Regulation Proposal.

OCR Reaches Settlement with Small Radiology Provider Over HIPAA Violations Stemming from Breach

On May 15, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a settlement with Vision Upright MRI, a small California-based radiology provider, over alleged violations of the HIPAA Security and Breach Notification Rules. The enforcement action stems from a breach involving unauthorized access to a medical imaging server that exposed the protected health information (“PHI”) of over 21,000 individuals.
OCR initiated its investigation after receiving notification that Vision Upright MRI had experienced a breach involving its Picture Archiving and Communication System (“PACS”) server. The server, which stored and managed radiology images, had been accessed by an unauthorized third party.
OCR’s investigation revealed several key compliance failures:

Vision Upright MRI had not conducted a HIPAA risk analysis, as required by the Security Rule.
Vision Upright MRI also failed to provide timely breach notifications to affected individuals, HHS, and the media, violating the Breach Notification Rule.

To resolve the investigation, Vision Upright MRI agreed to:

Pay a $5,000 monetary settlement to OCR.
Implement a corrective action plan that includes two years of OCR monitoring.
Take remedial steps to improve its HIPAA compliance posture.

Under the corrective action plan, Vision Upright MRI must:

Provide the required breach notifications to affected individuals, HHS, and the media.
Submit a comprehensive risk analysis covering all systems and locations containing ePHI.
Develop and implement a risk management plan to mitigate identified security vulnerabilities.
Create and maintain updated written HIPAA policies and procedures.
Provide HIPAA training to all workforce members with access to ePHI.

OCR Acting Director Anthony Archeval emphasized that HIPAA compliance obligations extend to entities of all sizes, and noted that small providers must conduct “accurate and thorough risk analyses to identify potential risks and vulnerabilities to protected health information and secure them.”
This latest settlement reinforces OCR’s continued focus on cybersecurity risks in healthcare and the need for all regulated entities, regardless of size, to maintain robust privacy and security programs.