States Accelerate Privacy and Debt Collection Laws as Federal Oversight Recedes

“With the regulatory environment changing every month, the ACA State Guide Cohort has become essential for our team. It keeps us accurate, compliant, and informed with less effort. Instead of trying to track 50 different rulebooks, we rely on the ACA State Guide Cohort to make sure nothing slips through the cracks.”

That perspective comes from Pam Kirchner, CEO of BCA Financial Services, and it reflects a broader reality across the accounts receivable management industry as 2025 came to a close. The past year marked a clear shift in state-level regulatory activity, particularly around privacy, data use, and consumer protections, and highlighted the growing complexity agencies now face.

Throughout 2025 and leading into 2026, state legislatures accelerated their focus on consumer data and collection practices. More than 800 privacy-related bills were introduced nationwide, many of which resulted in new or expanded requirements affecting how agencies manage data, communicate with consumers, and pursue accounts. What once relied on a relatively stable federal baseline has evolved into a fragmented compliance environment that varies significantly by jurisdiction.

In this landscape, understanding state law developments is no longer a periodic exercise. It has become a central component of operational risk management for agencies operating across state lines.

States Move Quickly on Consumer Data Privacy

The most notable trend as of late, was the rapid expansion of state-level data privacy laws. These statutes are influencing how collection agencies handle consumer information, classify sensitive data, and implement consent requirements. 

Several of the year’s most significant updates include:

Connecticut SB 1295

Connecticut enacted one of the most consequential privacy reforms of the year. Key features include:

  • A narrowed GLBA exemption that now applies only to data directly regulated by GLBA, bringing many ARM data assets into state privacy scope.
  • Expanded definitions of sensitive data, including a broader range of financial, biometric, and health-related information.
  • New restrictions on profiling and stronger consumer rights covering access, correction, deletion, and transparency.
  • Heightened compliance expectations for any organization that processes non-GLBA consumer data.

California AB 566

California advanced its leadership in privacy regulation with the “Opt Me Out Act,” which requires browsers to support automated privacy signals. Key features include:

  • Mandatory, built-in global opt-out signals for California residents.
  • Required recognition of these signals by businesses that collect consumer information.
  • Practical effects on consumer portals, payment sites, and analytics tools used by ARM organizations.
  • A shift toward default privacy controls that reduce reliance on individual website consent forms.

Oregon HB 2008

Oregon expanded protections for minors and for precise geolocation data. Key features include:

  • A prohibition on targeted advertising and data sales involving minors or highly precise location data.
  • Restrictions affecting third-party data vendors, especially those offering location-based enrichment or modeling.
  • New compliance barriers for agencies that use geolocation-supported skip tracing or outreach strategies.

Together, these privacy laws demonstrate a clear movement toward tighter controls on data collection and usage. Debt collectors must now navigate state-by-state definitions of sensitive data, new opt-out requirements, and expanding consumer rights that affect routine account management.

States Also Expand Direct Debt Collection Regulations

In addition to privacy legislation, there are significant new state-level rules governing debt collection practices. These statutes often focus on medical debt, interest rates, credit reporting, and the use of litigation. The following laws reflect a broader effort by states to fill enforcement gaps as federal oversight recedes.

Virginia HB 1725

Virginia enacted the Medical Debt Protection Act, one of the most comprehensive medical debt laws in the nation. The Medical Debt Protection Act (MDPA) is effective July 1, 2026. The enforcement mechanism under the VCPA was effective in 2025. Key features of this bill include:

  • A 3 percent annual interest cap on medical debt.
  • A 90-day grace period following the final invoice before interest or late fees can accrue.
  • Prohibitions on extraordinary collection actions, except in the case of wage garnishment.
  • Enforcement under the Virginia Consumer Protection Act.

Rhode Island S 0169 and S 0172

Rhode Island adopted two coordinated medical debt statutes that significantly restrict the tools available to collectors. Key features include:

  • An expansion of restrictions and additional clarifications related to the credit reporting of medical debt.
  • A ban on wage garnishment and the use of liens on primary residences for medical debt judgments.
  • Treasury-indexed caps on interest rates for medical debt.

Maryland HB 1020 and companion bills

Maryland advanced a comprehensive medical debt reform package. Key features include:

  • A statewide ban on reporting medical debt to credit bureaus.
  • Strict limits on lawsuits, liens, and interest for medical accounts.
  • New obligations for providers and third-party collectors to update disclosures and reporting practices.
  • Enforcement mechanisms that apply to both collection agencies and CRAs.

This wave of medical debt and consumer protection laws reflects the growing concern among states that federal action may no longer be sufficient to address consumer harm. As a result, collection agencies are adjusting their policies, updating systems, and reevaluating vendor practices to meet evolving state requirements.

Maine SP 237

Effective October 23, 2025, SP 237 is an act intended to strengthen consumer protections by prohibiting the reporting of medical debt on consumer reports. Key features include:

  • Defines the terms Debt Buyer, Debt Collector, Medical Creditor, and Medical Debt.
  • Prohibits a consumer reporting agency from reporting medical debt on a consumer’s credit report.
  • Prohibits medical creditors, debt collectors, and debt buyers from reporting a consumer’s medical debt to a consumer reporting agency.

A More Challenging Compliance Landscape

Pam Kirchner’s assessment underscores where the industry now stands. Compliance is no longer defined by annual updates or static reference materials. It requires continuous awareness of state-level change and the ability to interpret new requirements as they emerge. ACA International offers a structured way to manage this complexity through Guide to State Collection Laws and Practices.

The expansion of the Guide, including the addition of a dedicated privacy chapter, reflects the significant work of the ACA Compliance Team to capture, organize, and maintain an increasingly complex body of state-level regulation. By centralizing requirements across jurisdictions and updating them on an ongoing basis, the ACA State Guide Cohort provides agencies with a practical, sustainable approach to managing compliance risk as legislative activity continues to accelerate into 2026 and beyond.

Published On: February 9th, 2026|By |Categories: Debt Collection Operations|Tags: , , , , , , , |

Related Posts

Creating a Cohesive Data Strategy for Collections Through Strategic Alignment

Creating a Cohesive Data Strategy for Collections Through Strategic Alignment

January 19th, 2026
DECISION SYSTEM DESIGN
Scaling Collection Operations Through Engineered Decision Frameworks

Scaling Collection Operations Through Engineered Decision Frameworks

January 19th, 2026
Why It’s Important to Share Your Creditor’s Rights Law Firm Story

Why It’s Important to Share Your Creditor’s Rights Law Firm Story

December 2nd, 2025

News

Latest News

Regulatory News