States Continue to Expand Privacy and Debt Collection Laws

State legislatures across the United States are advancing new privacy requirements and consumer protection laws at a pace the accounts receivable management (ARM) industry has not seen in years. 

Industry leaders say the result is a rapidly changing compliance landscape for agencies operating across multiple jurisdictions.

Throughout 2025 and into 2026, state legislatures accelerated their focus on consumer data and collection practices. More than 800 privacy-related bills were introduced nationwide, many of which resulted in new or expanded requirements affecting how agencies manage data, communicate with consumers, and pursue accounts.

These state initiatives have turned a once more static landscape into a fragmented compliance environment that varies significantly by jurisdiction.

In this landscape, understanding state law developments is no longer a periodic exercise but a central component of operational risk management for agencies operating across state lines.

Privacy Laws Expand Rapidly Across Multiple States

One of the most significant developments has been the expansion of state-level privacy laws. These statutes increasingly regulate how companies collect, store, process, and share consumer data.

Several recent measures illustrate how quickly requirements are evolving.

Connecticut SB 1295

Connecticut enacted one of the most consequential privacy reforms of the year. Key features include:

  • A narrowed GLBA exemption that now applies only to data directly regulated by GLBA, bringing many ARM data assets into state privacy scope.
  • Expanded definitions of sensitive data, including a broader range of financial, biometric, and health-related information.
  • New restrictions on profiling and stronger consumer rights covering access, correction, deletion, and transparency.
  • Heightened compliance expectations for any organization that processes non-GLBA consumer data.

California AB 566

California advanced its leadership in privacy regulation with the “Opt Me Out Act,” which requires browsers to support automated privacy signals. Key features include:

  • Mandatory, built-in global opt-out signals for California residents.
  • Required recognition of these signals by businesses that collect consumer information.
  • Practical effects on consumer portals, payment sites, and analytics tools used by ARM organizations.
  • A shift toward default privacy controls that reduce reliance on individual website consent forms.

Oregon HB 2008

Oregon expanded protections for minors and for precise geolocation data. Key features include:

  • A prohibition on targeted advertising and data sales involving minors or highly precise location data.
  • Restrictions affecting third-party data vendors, especially those offering location-based enrichment or modeling.
  • New compliance barriers for agencies that use geolocation-supported skip tracing or outreach strategies.

Indiana Consumer Data Protection Act

Indiana’s comprehensive privacy law took effect on January 1, 2026, adding another jurisdiction to the growing list of states regulating consumer data practices. Key provisions include:

  • Consumer rights of access, correction, deletion, and portability of personal data.
  • The ability to opt out of targeted advertising, data sales, and certain profiling activities.
  • Requirements for businesses to conduct data protection assessments when engaging in high-risk processing activities.
  • Enforcement authority granted to the Indiana Attorney General with penalties that can reach $7,500 per violation.

Kentucky Consumer Data Protection Act

Kentucky also implemented a comprehensive consumer privacy law beginning January 1, 2026. The statute largely follows the structure used in earlier laws like Virginia’s but still introduces important compliance obligations.

Key provisions include:

  • Consumer rights to access, delete, and correct personal data held by businesses.
  • Mandatory privacy notices explaining how data is collected and processed.
  • Opt-out rights for targeted advertising and the sale of personal data.
  • A 30-day cure period allowing companies to address alleged violations before enforcement action proceeds.

Rhode Island Data Transparency and Privacy Protection Act

Rhode Island joined the privacy law landscape in 2026 with the Data Transparency and Privacy Protection Act. The statute establishes new obligations for organizations that process personal data and provides enhanced consumer rights.

Key provisions include:

  • Expanded rights for consumers to access, delete, and obtain copies of personal information.
  • Opt-out rights related to targeted advertising and profiling.
  • Requirements for companies to provide clear privacy disclosures and implement appropriate safeguards for sensitive data.
  • Enforcement by the state Attorney General with penalties that may reach $10,000 per violation.

Together, these privacy laws demonstrate a clear movement toward tighter controls on data collection and usage. Debt collectors must now navigate state-by-state definitions of sensitive data, new opt-out requirements, and expanding consumer rights that affect routine account management.

States Also Expand Direct Debt Collection Regulations

Alongside privacy legislation, states are also advancing new rules governing collection practices themselves. Many of these laws focus on medical debt, credit reporting, interest limitations, and litigation procedures.

Virginia HB 1725

Virginia enacted the Medical Debt Protection Act (MDPA), one of the most comprehensive medical debt laws in the nation. The MDPA is effective July 1, 2026. The enforcement mechanism under the Virginia Consumer Protection Act (VCPA) was effective in 2025. Key features of this bill include:

  • A 3 percent annual interest cap on medical debt.
  • A 90-day grace period following the final invoice before interest or late fees can accrue.
  • Prohibitions on extraordinary collection actions, except in the case of wage garnishment.
  • Enforcement under the Virginia Consumer Protection Act.

Rhode Island S 0169 and S 0172

Rhode Island adopted two coordinated medical debt statutes that significantly restrict the tools available to collectors. Key features include:

  • An expansion of restrictions and additional clarifications related to the credit reporting of medical debt.
  • A ban on wage garnishment and the use of liens on primary residences for medical debt judgments.
  • Treasury-indexed caps on interest rates for medical debt.

Maryland HB 1020 and companion bills

Maryland advanced a comprehensive medical debt reform package. Key features include:

  • A statewide ban on reporting medical debt to credit bureaus.
  • Strict limits on lawsuits, liens, and interest for medical accounts.
  • New obligations for providers and third-party collectors to update disclosures and reporting practices.
  • Enforcement mechanisms that apply to both collection agencies and CRAs.

Maine SP 237

Effective October 23, 2025, SP 237 is an act intended to strengthen consumer protections by prohibiting the reporting of medical debt on consumer reports. Key features include:

  • Defines the terms Debt Buyer, Debt Collector, Medical Creditor, and Medical Debt.
  • Prohibits a consumer reporting agency from reporting medical debt on a consumer’s credit report.
  • Prohibits medical creditors, debt collectors, and debt buyers from reporting a consumer’s medical debt to a consumer reporting agency.

This wave of medical debt and consumer protection laws reflects the growing concern among states that federal action may no longer be sufficient to address consumer harm. As a result, collection agencies are adjusting their policies, updating systems, and reevaluating vendor practices to meet evolving state requirements.

Compliance Complexity Continues to Grow

For agencies operating across state lines, the rapid expansion of legislation has made regulatory monitoring a central operational challenge. As requirements continue to evolve across jurisdictions, staying current is no longer a periodic task but an ongoing operational priority.

To help address this complexity, ACA International maintains the Guide to State Collection Laws and Practices, supported through its State Guide monthly online meeting. Industry leaders say centralized resources have become essential as state laws continue to evolve.

“The increasing complexity of state-level regulation makes it essential for agencies to have access to reliable, up-to-date compliance resources. The State Guide is designed to help members navigate that complexity with confidence,” said Scott Purcell, CEO of ACA International.

That perspective is echoed by agency leaders who rely on the guide for day-to-day compliance decisions.

“The ACA State Guide has become our team’s regulatory Bible,” said Pam Kirchner, CEO of BCA Financial Services. “It helps us make informed decisions quickly and respond to regulatory changes without having to track dozens of separate state rulebooks.”

Kirchner noted that tools providing centralized legal updates allow compliance teams to interpret new regulations more efficiently and reduce the risk of costly compliance errors.

Compliance professionals also point to the guide’s structure as a key advantage in navigating complex requirements.

“The new process for the State Guide is hands down amazing in terms of ease of use and quickly finding information,” said Sara Disher Ratliff, compliance officer at Meridian Financial Services. “You can immediately look up licensing requirements, exceptions for out-of-state agencies, bonding, and other rules. The information is broken down not only by state, but also by topic, which makes it incredibly useful.”

Together, these perspectives highlight how centralized compliance resources are becoming integral to managing regulatory risk in an increasingly fragmented legislative environment.

The guide compiles collection laws across all states and is updated regularly to reflect legislative changes, court rulings, and regulatory developments affecting the ARM industry.

A Rapidly Evolving Legislative Landscape

The expansion of privacy laws and debt collection regulations reflects a broader shift in how consumer protection policy is being developed in the United States.

As federal oversight evolves, states are increasingly taking a more pronounced role in shaping rules related to financial services, healthcare billing, and personal data use.

For collection agencies, that means compliance strategies must account for a growing set of jurisdiction-specific requirements.

Industry observers expect legislative activity to remain high throughout 2026, making ongoing monitoring and regulatory interpretation an essential part of operational risk management for organizations working across state lines.

Published On: April 10th, 2026 | Categories: Debt Collection Operations
