To keep you informed of recent activities, below are several of the most significant federal events that have influenced the Consumer Financial Services industry over the past week.
Federal Activities:
On May 1, the Consumer Financial Protection Bureau (CFPB) released its final rule revising the 2023 small business lending data collection and reporting rule under the Equal Credit Opportunity Act (ECOA) and Regulation B, which implements Section 1071 of the Dodd-Frank Act (2026 Final Rule). The 2026 Final Rule will become effective 60 days after publication in the Federal Register, and the compliance date for initial data collection is January 1, 2028. In November 2025, the CFPB published a proposed rule, in which it abandoned the “maximalist” 2023 approach in favor of a “Phase One” regime focused on core products, higher‑volume lenders, and a leaner set of data collection points, with a single compliance date. The final rule largely adopts that narrowed architecture, while adding important implementation details and a few notable refinements. For more information, click here.
On May 1, lawmakers effectively resolved the months‑long impasse over the Clarity Act’s stablecoin yield provision, as Senators Thom Tillis (R-N.C.) and Angela Alsobrooks (D-Md.) finalized compromise text that bars digital asset service providers from paying U.S. customers interest or yield “economically or functionally equivalent” to a bank deposit on stablecoin holdings, while preserving activity‑based rewards tied to bona fide platform usage (such as payments, transfers, market‑making, staking, governance, and loyalty programs) that may still be calculated by reference to a user’s balance and tenure. The deal clears the way for a long‑delayed Senate Banking Committee markup and protects the exchange’s lucrative USD Coin‑related rewards model, even as covered parties face new restrictions on how stablecoins may be marketed, including prohibitions on implying investment status, U.S. government backing, or Federal Deposit Insurance Corporation (FDIC) insurance, with civil penalties up to $5 million per violation. The bill also directs the U.S. Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), and Department of the Treasury (Treasury) to issue implementing rules within a year, and requires the Federal Reserve (Fed) and other banking regulators to report to Congress within two years on the impact of dollar‑denominated stablecoins and related customer compensation on bank deposits — giving the banking sector an avenue to revisit concerns over deposit flight. The compromise must still move through Senate Banking, be reconciled with a competing Agriculture Committee draft and the House‑passed Digital Asset Market Clarity Act before reaching President Donald Trump’s desk, even as unresolved issues around ethics limits for senior officials, decentralized finance (DeFi), and illicit finance continue to loom over the broader market structure package. For more information, click here.
On May 1, the U.S. Department of Education published final “Reimagining and Improving Student Education” regulations implementing the Working Families Tax Cuts Act’s overhaul of the Title IV Federal student loan programs, including new annual, aggregate, and lifetime loan limits for graduate, professional, and parent borrowers, and a phase‑out of the Grad PLUS program, while simplifying repayment by sunsetting existing Income-Contingent Repayment plans and creating two streamlined options — the Tiered Standard plan and a new income-driven Repayment Assistance Plan (RAP), which also qualifies for Public Service Loan Forgiveness (PSLF) where other criteria are met. The rule revises Direct Loan rules on consolidation, deferment, forbearance, and alternative repayment, permits institutions to limit borrowing for specific programs and to reduce loan limits for less‑than‑full‑time enrollment, and allows borrowers in default under Perkins, Federal Family Education Loan, and Direct Loans a second opportunity to rehabilitate each loan (up from once). The Department also updates definitions (e.g., graduate and professional student, expected time to credential), clarifies eligibility for unemployment and economic hardship deferments and forbearances, restructures fixed repayment plan terms, and aligns disbursement rules with reduced enrollment, with an overall projected large reduction in net federal transfers over time and modest administrative and compliance costs. The final rule is effective July 1, 2026. For more information, click here.
On May 1, the CFTC’s Division of Market Oversight and Division of Clearing and Risk issued a supplemental no-action letter stating they will not recommend enforcement against Gemini Titan, LLC, a designated contract market, Gemini Olympus, LLC, a derivatives clearing organization, or their participants for failing to comply with certain swap-related recordkeeping requirements or for failing to report to swap data repositories data associated with contracts featuring binary and variable payout structures executed on or subject to Titan’s rules and cleared through Olympus, provided the parties comply with the conditions set forth in the no-action letter, which supplements CFTC Letter No. 25-44 to extend relief to transactions cleared through Olympus. For more information, click here.
On May 1, CFTC Chairman Michael S. Selig defended the CFTC’s exclusive authority over prediction markets under the Commodity Exchange Act, emphasizing that these markets operate as federally regulated exchanges with clearinghouses and investor protections comparable to other derivatives markets, that they provide important benefits to individuals, businesses, and the broader economy, and that overregulating them would drive activity offshore where it is more vulnerable to manipulation by foreign adversaries. Selig rejected as false the claim that insider trading is “rampant” or that CFTC insider trading rules are “fuzzier,” highlighting the agency’s strengthened enforcement strategies and actions during his first 100 days, and underscored the CFTC’s continuing commitment to vigorously policing misconduct while ensuring the integrity and growth of U.S. prediction markets. For more information, click here.
On May 1, Federal Reserve Vice Chair for Supervision Michelle W. Bowman used the Financial Stability Oversight Council’s (FSOC) artificial intelligence (AI), cybersecurity, and risk-management roundtable to outline how rapidly evolving AI is transforming the banking system and how supervision must adapt, emphasizing a shift in Fed supervision toward identifying and remediating material financial risks while preserving room for responsible innovation. She described nearly a decade of supervisory engagement with banks on AI, stressing that guidance should not block smaller or larger institutions from adopting AI consistent with their business models, and highlighted the Fed, Office of the Comptroller of the Currency (OCC), and FDIC’s recent decision to narrow model risk management guidance so it no longer applies to generative or agentic AI, which will instead be governed by broader risk-management and governance frameworks. Bowman noted ongoing interagency efforts, including recent meetings convened by Treasury Secretary Scott Bessent and Fed Chair Jerome Powell with major banks, to understand and manage these risks. She also underscored the need for clear, future‑fit third‑party risk-management expectations for AI vendors, regular communication with supervised firms, and a “pro‑innovation” supervisory mindset, and, in her international role at the Financial Stability Board, previewed an upcoming consultation report on sound practices for AI adoption and the importance of consistent global expectations, particularly around cybersecurity and critical infrastructure. For more information, click here.
On April 30, the Federal Communications Commission (FCC) released a Further Notice of Proposed Rulemaking (FNPRM) that would significantly tighten “know-your-customer” (KYC) obligations for originating voice service providers. The Advanced Methods to Target and Eliminate Unlawful Robocalls (CG Docket No. 17‑59) is the latest step in the FCC’s effort to attack illegal calls “at every point in their lifecycle.” The FNPRM seeks to “close the gaps” in the existing KYC framework by clarifying expectations, tightening onboarding and renewal practices, and strengthening the enforcement tools available to the FCC. Against that backdrop, the FNPRM raises a range of detailed questions, including what specific identity attributes should be verified before service is enabled, how “affirmative, effective” KYC measures should be defined and calibrated, and how per‑call penalties should be structured to align with the harm caused by illegal calls. The FCC also asks how enhanced KYC requirements should coexist with existing caller ID authentication and blocking obligations. The FCC further seeks comment on whether reverification of customer information should be triggered by changes in traffic patterns or other red flags, whether different KYC standards are appropriate for prepaid and postpaid offerings, and whether collecting additional information from certain higher‑risk customers would materially improve deterrence and enforcement. For more information, click here.
On April 30, the SEC published a notice that New York Stock Exchange Texas, Inc. had filed, with immediate effectiveness, a rule change to adopt new Rule 7.39 and related amendments to permit trading of certain securities on the exchange in “tokenized” form during a three‑year pilot program operated by the Depository Trust Company under a December 11, 2025, staff no‑action letter. Under the proposal, eligible exchange members that are also eligible to participate in the Depository Trust Company pilot may designate, via a tokenization flag at order entry, that trades in eligible equity securities and exchange‑traded funds from the Russell 1000 Index and major index products be cleared and settled on a blockchain‑based tokenization platform, so long as the tokenized instruments remain fully fungible with their traditional counterparts (same CUSIP, ticker, and shareholder rights) and trade on the same order book under the same priority, order types, routing, fees, market data, surveillance, and T+1 settlement conventions as nontokenized shares. The rule text clarifies definitions, order‑ranking and routing behavior, and clearance and settlement procedures, but otherwise relies on the existing national market system framework, mirroring a recently approved Nasdaq approach, and the SEC states that the change does not significantly affect investor protection or competition, while reserving authority to temporarily suspend the rule within 60 days and inviting public comment on whether it is consistent with the Securities Exchange Act. For more information, click here.
On April 30, the United Kingdom Financial Conduct Authority (FCA) published guidance and related rules to support innovation in fund tokenization by explaining how asset managers can use distributed ledger technology (DLT) within the existing regulatory framework and by introducing an optional “Direct to Fund” (D2F) dealing model that allows investors to transact directly with both traditional and tokenized funds. The FCA describes tokenization as representing an asset or ownership interest using DLT, with potential to reduce costs and broaden access to investment opportunities, and emphasizes that the new framework is a clear, practical set of expectations designed in close collaboration with industry. Senior FCA and Investment Association officials highlighted that the policy gives firms confidence to use public blockchain models with appropriate controls and to deploy digital cash tools for operational purposes, while fitting into a broader roadmap for digital assets and wholesale market DLT in the UK. The FCA positions these steps as part of its strategy to foster growth and innovation in the United Kingdom’s large asset management sector, which comprises roughly 2,600 firms managing about £16.5 trillion for domestic and global clients. For more information, click here.
On April 28, the U.S. District Court for the Southern District of Texas dismissed with prejudice the CFPB and others’ lawsuit against Colony Ridge Development, LLC and related entities after the parties filed a joint stipulation of dismissal, but the court simultaneously placed on the record its serious concerns about the parties’ proposed settlement, which it found bore “little relationship” to the ECOA and Fair Housing Act claims in the complaint. The court emphasized that the complaint alleged Colony Ridge targeted Hispanic borrowers with Spanish‑language marketing, steered them into high‑cost loans without regard to ability to repay, and triggered a cycle of default and foreclosure, yet the settlement directed $68 million primarily to infrastructure projects and increased law enforcement, including immigration enforcement, rather than to compensating allegedly harmed borrowers or addressing the predatory credit practices pled. In the court’s view, remedies must be tailored to the injuries alleged, and this agreement would have required judicial supervision of obligations untethered to the pleaded violations, risked further marginalizing the very Hispanic consumers the statutes are meant to protect, conferred disproportionate benefits on Colony Ridge (especially through improvements that increase the value of its development), and provided only vague, contingent promises of foreclosure relief or credit repair, leading the judge to question how the Department of Justice (DOJ) could endorse a resolution so difficult to reconcile with the remedial purposes of the ECOA and the Fair Housing Act. For more information, click here.
On April 28, the U.S. Department of Housing and Urban Development and the U.S. Department of Agriculture announced a joint determination rescinding a 2024 Final Determination issued under President Joe Biden that made new homes ineligible for Federal Housing Administration (FHA)-insured or U.S. Department of Agriculture-backed mortgage loans unless they were built to the 2021 International Energy Conservation Code, a standard the agencies say added roughly $20,000-$31,000 to construction costs, reduced housing supply, and complicated permitting and inspections. The agencies explained that, after delaying compliance dates, soliciting additional public comment in a 2025 request for information, and reviewing stakeholder feedback, they concluded the mandate was an unnecessary regulatory barrier that priced many first‑time and rural homebuyers out of the market and conflicted with a recent U.S. District Court for the Eastern District of Texas ruling that the Biden‑era determination would decrease housing availability. Secretaries Scott Turner and Brooke Rollins framed the rescission as part of the Trump administration’s broader effort — including the Rural Revival Agenda — to remove costly federal mandates, restore the prior energy efficiency standards for FHA and U.S. Department of Agriculture loan programs, and facilitate the development of new affordable housing. For more information, click here.
On April 28, Treasury published a notice under the Paperwork Reduction Act announcing that it will seek Office of Management and Budget approval for a new information collection titled “Survey of the Costs of Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) Compliance,” a voluntary survey aimed at financial institutions subject to the Bank Secrecy Act, with an initial pilot focused on money services businesses (MSBs) reached through their trade associations to gather detailed data on compliance costs. The notice explains that the Financial Crimes Enforcement Network (FinCEN) will use the survey to better understand the cumulative burden of AML/CFT requirements — particularly on non‑bank financial institutions — to inform potential adjustments to regulatory obligations and support deregulatory rulemakings or guidance consistent with Trump administration executive orders, without weakening the effectiveness of the existing AML/CFT framework, and emphasizes that responses will not be used for supervisory or enforcement purposes. Treasury invites public comments by May 28, 2026, through the reginfo.gov portal and provides access to the draft questionnaire on FinCEN’s website, noting that, depending on the quality and usefulness of responses from the pilot, the survey may later be expanded to additional categories of nonbank financial institutions. For more information, click here.
On April 27, Treasury hosted a Summit on AI, Energy, and Emerging Technologies, convening students, government officials, and industry leaders for four panels on frontier AI, energy and digital infrastructure, workforce productivity, and financial literacy to examine how emerging technologies can drive economic growth and transform public sector mission delivery. Participants from the AI, digital infrastructure, energy, and financial services sectors, alongside senior officials from Treasury, the White House, Commerce, and the Small Business Administration (SBA), emphasized the urgency of strengthening U.S. leadership in AI, scaling the infrastructure needed to support innovation, and democratizing access to capital and credit. Bessent highlighted the importance of student engagement in shaping the global future of AI, while Treasury Chief AI Officer Paras Malik underscored the summit’s role in building a shared understanding of how these technologies can be applied to deliver meaningful outcomes across public and private sectors. The event, livestreamed to Treasury staff including members of Treasury’s AI Council, forms part of Treasury’s broader efforts during Financial Literacy Month to foster innovation, bolster U.S. economic competitiveness, and engage the next generation of technology leaders. For more information, click here.
On April 27, Treasury announced that it has launched an ongoing review of certified Community Development Financial Institutions (CDFIs) to identify potential violations of law or CDFI requirements and to ensure that recipients of CDFI Fund assistance are proper stewards of taxpayer resources. Bessent emphasized that CDFIs engaging in predatory practices that exploit the underserved communities they are meant to serve will be scrutinized and, where appropriate, held accountable. As part of a broader effort to strengthen oversight of federal grant programs, promote accountability, and prevent abuse, Treasury is examining whether CDFIs are complying with applicable legal obligations and the terms of their CDFI Fund assistance agreements, and indicates it will take enforcement or remedial action consistent with governing statutes and program rules where warranted, while continuing to support the mission of responsible CDFIs that expand access to capital in underserved areas. For more information, click here.
On April 24, the SBA, working with the White House Task Force to Eliminate Fraud, announced that it had referred 562,000 borrowers with $22.2 billion in delinquent Paycheck Protection Program (PPP) and COVID Economic Injury Disaster Loan (EIDL) balances — previously flagged for suspected fraud but not pursued during the prior administration — to Treasury for collection and to the DOJ for potential investigation, in what the SBA described as its largest debt referral package on record. The Trump administration framed the move as ending what it called a de facto “amnesty” under Biden that had shielded these borrowers from collection and enforcement, and Treasury’s Bureau of the Fiscal Service will now begin collection efforts as required by law for significantly past-due debts. Citing SBA Office of Inspector General estimates that at least $200 billion of the roughly $1.2 trillion in pandemic-era PPP and EIDL lending may be fraudulent, SBA Administrator Kelly Loeffler highlighted new safeguards such as citizenship and birth date verification, a state-by-state investigative push, and earlier mass suspensions of suspected fraudulent borrowers in states including California and Minnesota, presenting the referrals as part of a broader, “historic” campaign led by Vice President J.D. Vance and Federal Trade Commission Chairman Andrew Ferguson to recover stolen taxpayer funds and strengthen oversight of federal benefits programs. For more information, click here.
On April 24, Ginnie Mae President Joseph M. Gormley issued APM 26-06 temporarily revising how issuer delinquency ratios are calculated by excluding loans in FHA Trial Payment Plans (TPPs) from the delinquent loan count for compliance purposes, effective with March 2026 data reported by April 2, 2026, in order to offset the temporary spike in reported delinquencies caused by FHA’s updated single-family loss mitigation “waterfall,” which now requires borrowers to complete a TPP before receiving certain relief options such as partial claims. Ginnie Mae explained that single-family loans in TPPs must still be reported in the Monthly Report of Pool and Loan Data via the Payment Default Status file in the Reporting and Feedback System using the specified default action codes, and that it will use this reporting to identify and exclude TPP loans from delinquency-rate calculations while continuing to monitor issuer compliance with delinquency thresholds and other risk parameters under the Mortgage-Backed Securities Guide. The agency will regularly review the impact of TPPs, provide at least 60 days’ notice before returning to the standard delinquency calculation, and indicated that it expects to reassess its delinquency threshold policy more broadly in light of current market conditions. For more information, click here.
On April 22, the FDIC published its 2026 Risk Review, outlining how slower economic growth, moderating but still elevated inflation, and a steepening yield curve in 2025 affected bank performance and risk, with overall industry earnings and asset quality remaining solid but key vulnerabilities persisting. The report notes that net interest income and noninterest income kept bank profitability strong, loan growth remained below pre‑pandemic levels, and problem-bank counts stayed within a normal historical range, even as unrealized losses on securities and interest rate risk remained elevated and funding pressures were managed through stable on-balance-sheet liquidity, steady deposit growth (especially uninsured deposits), and reduced reliance on Federal Home Loan Bank advances and brokered deposits. On credit risk, the FDIC highlights generally contained conditions but continued weakness and pockets of concentration in commercial real estate, rapid but mostly well-performing exposures to nondepository financial institutions, tepid business credit demand amid tighter underwriting and ongoing stress in leveraged lending, and mixed consumer credit performance with elevated delinquencies in auto and credit card portfolios. The review also flags higher mortgage rates and still-high home prices that have increased one-to-four-family residential real estate balances and concentrations (though supported by sound underwriting and higher homeowner equity) and weakening agricultural conditions, where lower crop receipts, high input costs, rising delinquencies, and strong loan demand are being offset in part by ample farmland equity that allows for restructuring, with particular attention to how these trends affect community banks, for which the FDIC is often the primary federal supervisor. For more information, click here.
On April 22, the U.S. House of Representatives Financial Services Committee and the Energy and Commerce Committee jointly unveiled a paired privacy package that, taken together, would substantially recast the federal obligations for the treatment of consumer data. The “Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act” would update and enhance Title V of the Gramm‑Leach‑Bliley Act (GLBA) for financial institutions. The “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” would create a national, cross‑sector privacy framework that would have applicability and features similar to the current patchwork of state comprehensive privacy laws, with strong entity-level and data-level exemptions for financial institutions and financial data subject to GLBA (and for HIPAA-covered entities and business associates, certain nonprofits, and institutions of higher education). These bills are already facing opposition, including from the California Privacy Protection Agency, and may undergo substantial revisions. Further consideration of issues such as preemption of state privacy laws and private rights of action is inevitable. Nevertheless, these two federal privacy bills, taken together, send a clear signal that Congress is seriously considering a federal privacy framework that could provide more certainty, efficiency, and uniformity to the privacy protections that will apply on a going forward basis to consumer data, including financial information. For more information, click here.
On April 21, the Federal Reserve’s Division of Supervision and Regulation issued an Updated Statement of Supervisory Operating Principles that significantly reorients Fed supervision toward early identification and prompt, proportionate remediation of material financial risks to the safety and soundness of Board‑supervised banking organizations and U.S. financial stability, while deemphasizing lower‑risk process and documentation issues. The guidance directs examiners to rely, to the fullest extent possible, on work performed by primary federal and state banking supervisors and on banks’ internal audit validations (rather than duplicative Fed testing) when terminating Matters Requiring Attention (MRAs), Matters Requiring Immediate Attention (MRIAs), and enforcement action requirements, and to use nonbinding “supervisory observations” for lesser shortcomings. It tightens the standards for issuing MRAs, MRIAs, and enforcement actions by requiring good‑faith determinations that a deficiency creates (or has caused) a significant or “abnormal” probability of significant or “abnormal” harm to the institution’s financial condition, limits horizontal reviews in Global Systemically Important Bank and Large and Foreign Banking Organization (LFBO) portfolios to cases where benefits clearly outweigh costs, and instructs staff to tailor supervisory intensity to a firm’s size, complexity, and systemic importance. 
The memo also emphasizes reliance on state partners in examining state member banks, warns against discouraging use of Federal Home Loan Bank or discount window liquidity absent legal requirements, requires supervisory criticism and ratings to be clearly aligned with actual financial condition and material risks, mandates that MRAs and MRIAs be written in plain, specific language with active dialogue and clarification for firms, encourages self‑identification and prompt remediation of issues (presumptively treated as supervisory observations), and calls for continuous development of forward‑looking tools to detect emerging threats. For more information, click here.
State Activities:
On June 1, the New York City Department of Consumer and Worker Protection will hold a remote public hearing (by phone and videoconference) on a proposed rule to amend and update its debt collection penalty schedule in Title 6 of the Rules of the City of New York to reflect new and revised debt collector requirements adopted on February 26, 2026, and effective September 1, 2026, ensuring all potential violations — such as failures related to location information, communications, harassment or abuse, misrepresentations, unfair practices, validation and verification of debts, public websites, time-barred debts, medical debts, and record retention — are captured with corresponding penalty amounts. Members of the public may submit comments online via the NYC Rules website, by email to Rulecomments@dcwp.nyc.gov, or by speaking for up to three minutes at the hearing and may later review posted comments online. For more information, click here.
On April 28, Maryland Governor Wes Moore signed SB94, a bill that overhauls Maryland’s earned wage access (EWA) framework by broadly prohibiting lenders and EWA providers from accepting or soliciting tips or offering consumers an option to tip, shortening the period for returning any received tips from 30 calendar days to seven days, and subjecting EWA providers and certain loan lenders to the state’s consumer loan licensing and compliance regime. The bill requires EWA providers that charge any fee to offer at least one reasonable no-cost option and clearly explain how to elect it, mandates robust disclosures (including that tips, gratuities, and donations are prohibited), and obligates providers to reimburse overdraft and nonsufficient fund fees caused by their repayment attempts. It further bars sharing consumer charges with employers, conditioning access on tipping, charging late fees, interest, or penalties for nonpayment of proceeds or fees, reporting nonpayment to consumer reporting agencies, using credit reports to qualify consumers, receiving interest, or using litigation, third-party collectors, or debt buyers to compel repayment. New sections also prohibit false, misleading, or deceptive advertising regarding EWA terms; authorize the commissioner to require clear fee disclosures and allow reference to state supervision; establish anti-discrimination protections in granting EWA based on protected characteristics (with a carve-out for denying minors); and create a good-faith safe harbor for providers relying on written opinions or approvals from the attorney general or commissioner (without shielding knowing or willful violations or limiting refund remedies). The act takes effect on October 1, 2026. For more information, click here.
On April 22, the New York State Department of Financial Services (DFS) issued an industry letter reminding all entities it regulates under the New York Banking Law of their existing obligations under New York Executive Law Section 296-a, the state’s fair lending statute, and emphasizing that credit decisions with a disparate impact on protected classes can constitute unlawful discrimination. DFS reiterated that § 296-a prohibits discrimination in any aspect of credit — such as granting, withholding, extending, renewing, or setting the rates, terms, or conditions — based on characteristics including race, creed, color, national origin, citizenship or immigration status, sexual orientation, gender identity or expression, military status, age, sex, marital status, status as a victim of domestic violence, disability, or familial status, and noted that the DFS is authorized to enforce state fair lending laws and impose penalties for violations of federal fair lending laws. The letter, which cites prior consent orders against several banks to underscore this point, clarifies that it does not create new obligations but restates that regulated entities must comply with all applicable New York fair lending requirements. For more information, click here.
On April 17, Alabama enacted House Bill 351, the Alabama Personal Data Protection Act, which establishes comprehensive privacy rights for state residents by allowing them to confirm whether a business (defined as a data controller) is processing their personal data, access that data, correct inaccuracies, direct its deletion, obtain a portable copy, and opt out of targeted advertising, the sale of their personal data, and certain automated profiling decisions, while also permitting the use of authorized agents and requiring clear, secure methods for exercising these rights. The law applies to entities doing business in Alabama or targeting Alabama residents that process personal data on at least 50,000 consumers (excluding payment-only data) or on at least 25,000 consumers and derive more than 25% of gross revenue from selling personal data, and it exempts various entities and datasets already governed by sectoral laws such as those covering financial institutions, health information, education records, credit reporting, airlines, and small non‑selling businesses and nonprofits. Controllers must limit collection to what is reasonably necessary, maintain appropriate security safeguards, obtain consent for processing sensitive data and certain data about teenagers, provide detailed privacy notices, honor global opt‑out preference signals by 2027, and are barred from using contracts to waive consumer rights, while processors are subject to contract-based duties to follow controller instructions, maintain confidentiality, and assist with compliance. The act contains detailed rules for deidentified and pseudonymous data and broad exemptions for activities such as legal compliance, law enforcement cooperation, public health, scientific research, and internal operations, and it specifies that AI models are outside its scope so long as personally identifiable data is not present in or extractable from the model.
Enforcement authority is vested exclusively in the Alabama attorney general, who must give a 45‑day opportunity to cure before seeking injunctions and civil penalties of up to $15,000 per violation. There is no private right of action, and the statute takes effect on October 1, 2026. For more information, click here.
