Below is a recap of the essential regulatory updates for contact compliance professionals for May.
This is a marketing blog and is not intended, nor should it be interpreted, as legal advice. Please seek legal counsel for full interpretations of all rules and laws outlined in this blog.
Important Reminders:

Tennessee HB 2408 Is Now Law: 36 Days to Comply
Governor Bill Lee signed Tennessee HB 2408 on May 19, 2026. Effective July 1, 2026, any business placing automated telephone solicitations using an Automated Telephone Dialing System (ATDS) to deliver artificial or prerecorded voice messages to Tennessee consumers faces new recordkeeping, reporting, and volume-limit obligations. The bill passed both chambers without a single dissenting vote (94-0 in the House and 33-0 in the Senate), a signal of how seriously state legislatures are treating automated outreach compliance.
Three provisions demand immediate operational attention:
- Volume cap: The law caps covered solicitors at 10,000 automated calls per month. If your outbound prerecorded call volume into Tennessee exceeds that threshold, you are in scope and potentially out of compliance starting July 1. Companies need to know their numbers now, not after the effective date.
- Recordkeeping and reporting: Companies subject to the law must maintain monthly records of call volume beginning July 1. The Tennessee Public Utility Commission (TPUC) is required to submit an annual compliance report to the legislature, with the first reporting deadline on October 1. That means the window between go-live and first look-back is exceptionally short. Compliance infrastructure must be in place on day one.
- “Entity” is undefined, and that matters: The bill does not define what constitutes an “entity” for purposes of the volume limits and reporting obligations. For large organizations with multiple business units, subsidiaries, or affiliate structures each placing calls into Tennessee, this ambiguity is not academic. The volume cap could be interpreted to apply at the enterprise level rather than the business unit level, which is a significant operational difference. Legal counsel should be engaged now to determine how the limits apply across your organization’s structure before July 1 arrives.
Two additional scope clarifications confirmed via legal opinion:
- Automated Calling/PRM: the law only applies to solicitations using automation to deliver artificial or prerecorded voice messages (PRM), not all automated marketing calls.
- Voice Only: the law does not apply to text messages.
Civil penalties under Tennessee’s existing framework run up to $2,000 per violation under T.C.A. § 65-4-405, and up to $1,000 per violation under T.C.A. § 47-18-1526. The affirmative defense of “reasonable practices and procedures” remains available, but only to companies that have invested in documented compliance infrastructure before a violation occurs.
July 1 is 36 days away. October 1 is 128 days away. That’s basically tomorrow. No time to waste!
What We Heard at NAAG Spring 2026 and Why the FTC’s “Never Ever” Program Matters
Gryphon AI had the privilege of attending the National Association of Attorneys General 2026 Spring Consumer Protection Conference in Kansas City this week, an event that proved exceptionally valuable for understanding the enforcement priorities shaping the consumer protection landscape. Sessions made clear that as fraud and impersonation schemes increasingly exploit the channels businesses use to reach consumers, regulators are intensifying scrutiny around how businesses contact consumers, whether preferences are being honored, and whether compliance can be proven when it matters most. From panel discussions on state monitoring programs to the expanding use of Civil Investigative Demands (CIDs) as a primary enforcement tool, the message from attorneys general and federal regulators was consistent: contact compliance is an active enforcement priority, and the bar for demonstrable, defensible governance has never been higher.
A highlight of the conference was a panel session featuring Lois Greisman, Associate Director of the FTC’s Division of Marketing Practices and one of the principal architects of the National Do Not Call Registry, who drew particular attention to the FTC’s “Never Ever” program, launching in June. Targeting government and business impersonation fraud, Never Ever represents a significant new federal initiative to protect consumers from one of the most pervasive and damaging scam categories in circulation today. The dedicated program hub is now live at ejcc.acl.gov/imposters, where consumers and businesses can access guidance on spotting and avoiding imposter scams, with additional toolkits and resources expected as the full program rolls out.
Follow #StopGovImposters on social media to stay current as new materials become available. Gryphon AI is proud to help shine a light on this important initiative at launch.
Collections Corner
Updates on evolving debt collection and contact compliance rules:
- NYC Debt Collection Rules Face New Amendments; Public Hearing Set for June 1
- Collector Sued After Texting Consumer Who Refused to Pay
- One Call Triggers TCPA Class Action Against Comenity Capital Bank
- Wrong-Number Robocalls Spawn Class Action Against Debt Collector (Plemons v. North American Credit Services)
- Third-Party Risk: Vendor Failure to Honor Opt-Outs Sinks Collector (Chamberlain v. NRA Group)
- Former CFPB Director Chopra Tapped to Lead California’s New Consumer Agency
- Trump Administration Appeals CFPB Funding Order to Ninth Circuit
- Illinois Launches Unified Online Consumer Complaint Portal
NYC Debt Collection Rules Face New Amendments; Public Hearing Set for June 1
New York City’s Department of Consumer and Worker Protection (DCWP) adopted the SHIELD debt collection rules in February, effective September 1, 2026, and is now proposing an updated penalty schedule (§6-62) to match. A public hearing is set for June 1.
Key compliance obligations taking effect September 1:
- Communication frequency cap: No more than 3 contact attempts per account per 7-day period, across all channels combined.
- Electronic consent: Texting or emailing requires written consent; a “STOP” or opt-out response revokes it per channel, and each violation is penalized independently.
- Validation timeline: Notice required within 5 days of initial contact; disputed debt must be verified within 60 days.
- Record retention: Failure to document compliant behavior is itself a violation under §5-77(k).
- Penalty exposure: Each individual contact or transaction is a separate violation, with penalties ranging from $525 up to $3,500 each for repeat offenses.
Collector Sued After Texting Consumer Who Refused to Pay
A Florida federal lawsuit (Saunders v. Jefferson Capital Systems, Case No. 8:26-cv-00973, filed April 5, 2026) alleges an FDCPA violation after a debt collector sent a follow-up text two days after the consumer replied: “You will never get a dime from me.” The FDCPA’s §1692c(c) prohibits further contact once a consumer provides written refusal to pay, and courts have recognized electronic messages as satisfying that written notice requirement.
One Call Triggers TCPA Class Action Against Comenity Capital Bank
Comenity Capital Bank is facing a proposed TCPA class action arising from an automated collection call allegedly placed without consent. The suit underscores that a single non-consensual autodialed or prerecorded call to a cell phone can be sufficient to trigger TCPA liability, and class treatment, when made to consumers without a prior business relationship or documented consent.
Wrong-Number Robocalls Spawn Class Action Against Debt Collector
North American Credit Services is facing a TCPA class action (Plemons v. NACS, Case No. 8:26-cv-00822, M.D. Fla., filed March 26, 2026) after sending multiple prerecorded voice messages to a Florida consumer who never provided consent. The complaint documents five robocalls between November 2025 and January 2026 and seeks $500 per call in statutory damages for all similarly situated class members.
Third-Party Risk: Vendor Failure to Honor Opt-Outs Sinks Collector
A Pennsylvania federal court granted summary judgment against a debt collector whose texting vendor continued sending collection messages after consumers replied “STOP,” affecting nearly 5,000 unique phone numbers. The court rejected the collector’s “bona fide error” defense because the company never established procedures to ensure its vendor honored opt-out requests.
Former CFPB Director Chopra Tapped to Lead California’s New Consumer Agency
California Governor Gavin Newsom appointed former Consumer Financial Protection Bureau (CFPB) Director Rohit Chopra as inaugural Secretary of the state’s new Business and Consumer Services Agency (BCSA), widely referred to in the industry as a “California CFPB,” set to launch July 1, 2026. The agency will consolidate oversight of the Department of Financial Protection and Innovation (DFPI), Department of Real Estate (DRE), and other departments, functioning as a state-level enforcement super-agency as the federal consumer protection landscape continues to shift.
Trump Administration Appeals CFPB Funding Order to Ninth Circuit
The DOJ filed notice on May 12, 2026 to appeal a Northern California federal court ruling ordering Acting CFPB Director Russell Vought to continue drawing funds from the Federal Reserve. Judge Davila found Vought had “acted arbitrarily, capriciously and contrary to law” by refusing to request agency funding – his second court loss on the issue. The case now heads to the Ninth Circuit.
Illinois Launches Unified Online Consumer Complaint Portal
The Illinois Department of Financial and Professional Regulation (IDFPR) launched a new online complaint portal on May 11, 2026, unifying submissions for both the Division of Banking and Division of Financial Institutions, including complaints against debt collectors, for the first time. The launch comes as Illinois consumers filed 244,000 complaints with the federal CFPB in 2025, up more than 120,000 from the prior year, while the CFPB’s own mediation success rate dropped from 49% to under 5%.
The FCC Is Reshaping the Rules of the Call
The Federal Communications Commission is advancing a coordinated, multi-front effort to combat illegal robocalls, and businesses that place, route, or receive calls need to be paying attention to these consumer protection priorities. The initiatives highlighted here are among the most immediately actionable, but the full KYC landscape is considerably broader:
- Know-Your-Customer (KYC) FNPRM (FCC 26-27) (Adopted April 30, 3-0 vote): Requires originating voice service providers to collect and verify customer identity before provisioning service, with ongoing monitoring obligations and proposed per-call penalties of $2,500 per illegal call. Comments due 30 days after Federal Register publication.
- Know-Your-Upstream-Provider (KYUP) FNPRM (Adopted May 20): Tightens how providers vet and monitor the upstream providers from which they receive traffic, raises STIR/SHAKEN attestation standards, and closes implementation loopholes that have allowed illegal calls to move through the network without reliable authentication. Comments due 30 days after Federal Register publication.
- Numbering Policies / KYC for Number Access (FCC 26-17) (Active): Proposes that entities with access to numbering resources (including resellers and VoIP providers) implement KYC obligations tied specifically to number provisioning, directly related to phone number recycling risks. Comments due June 8.
- Offshore Call Center NPRM (FCC 26-16) (Active): Proposes transparency, data security, and consumer transfer-right requirements for calls handled outside the U.S. Comments due May 26.
- 9th Robocall FNPRM: Caller ID / International Traffic (Oct. 2025, comment period closed): Proposed requiring foreign-originated calls to be labeled as international and limiting offshore use of U.S. numbers. Now percolating toward a Report and Order.
Taken together, these proceedings reflect a clear and deliberate FCC strategy: attack illegal calls at every point in the lifecycle, from customer onboarding to upstream vetting to offshore origination. Rather than flexible, policy-based compliance, the FCC now wants verified customer identities, documented due diligence, and a willingness to refuse service to bad actors.
Industry pushback has been consistent and is coming from multiple directions:
- The National Retail Federation called the offshore NPRM unnecessary regulatory overreach, arguing it imposes operational mandates well beyond legitimate consumer protection goals.
- The Cloud Communications Alliance filed ex parte comments supporting strong KYC rules in principle but urging the FCC to keep requirements practical and proportionate for legitimate providers.
- CommLaw Group has noted that providers offering consumer-facing, app-based, prepaid, or other lower-friction services face meaningful operational changes, and that broadly written rules risk burdening lawful providers without meaningfully targeting bad actors.
- Notably, not all industry voices are pushing back: The American Bankers Association wrote directly to Chairman Carr in support of the KYC proposal, citing ABA analysis that tracked a single fraudulent originating provider that scaled from zero calls in July 2025 to more than 136 million calls by September 2025, the majority illegal. The ABA urged the FCC to codify minimum caller verification standards and establish base forfeiture amounts for providers that fail to screen out bad actors.
The common thread: broad agreement that illegal robocalls must be stopped, but sharp differences on how aggressively, and how prescriptively, the rules should be written.
In summary, accountability is expanding across the call path, from the point of foreign origination all the way to domestic termination. Companies that touch any point in that chain owe it to themselves to understand what is coming and prepare accordingly.
Silence Has a Price: The FCC’s First Traceback Enforcement Action
The Industry Traceback Group (ITG), the FCC-designated industry consortium authorized under the TRACED Act to conduct robocall tracebacks, has real enforcement teeth, and a small Montana-based voice provider found out the hard way.
SK Teleco LLC became the first provider to face a potential network shutdown order specifically for failing to respond to ITG traceback requests. In an Initial Determination Order (DA 26-384, adopted April 20, 2026), the FCC Enforcement Bureau found SK Teleco in violation of 47 C.F.R. § 64.1200(n)(1), which requires all voice service providers to respond to traceback requests within 24 hours. The company had been previously notified in December 2025 of suspected illegal traffic, an AI-voice scam campaign impersonating Walmart, estimated by YouMail to have generated nearly 8 million calls nationwide, and failed to respond on multiple occasions.
The ITG identified 29 specific calls linked to the scam between January and April 2025. SK Teleco received the traceback notices, provided no response, and took no visible remedial action. The result: a 48-hour deadline to block the traffic and a 14-day window to implement permanent safeguards, or face removal from the Robocall Mitigation Database – which would effectively isolate the company from the entire U.S. communications network.
The 24-hour traceback response requirement has been on the books for years. As Somos noted in its coverage of the FCC’s broader enforcement wave, the SK Teleco action signals that the FCC is now actively enforcing the rule, not just citing it. Every voice service provider, CPaaS platform, and carrier in the call path should treat an ITG traceback request as time-critical. Silence is not a neutral response; it is now an enforcement trigger.
Washington’s CEMA Is Not Just an Email Problem
Washington’s Commercial Electronic Mail Act (CEMA) covers both commercial emails and text messages. Under RCW 19.190.010(3), a “commercial electronic text message” is broadly defined as any text sent to promote goods or services, with no autodialer requirement and no need to prove actual harm. Violations carry $500 per message and constitute a per se violation of Washington’s Consumer Protection Act, opening the door to treble damages and attorneys’ fees.
Courts are enforcing it aggressively, and the exposure is growing. Ulta Beauty lost its motion to dismiss over deceptive “free gift” email subject lines. Destination XL is challenging CEMA’s constitutionality on due process grounds, arguments courts have consistently rejected. A state law reducing CEMA’s per-message penalty from $500 to $100 takes effect June 11, but does not apply retroactively, meaning existing exposure remains fully intact.
Most critically for contact compliance teams: a fintech company’s refer-a-friend program is now the subject of a $13.5 million class action alleging that pre-composed referral texts sent to Washington residents without recipient consent violate CEMA. If your program touches Washington residents via text or email, your exposure may be larger than you think.
TCPA Litigation Explodes in Q1 2026
Source: WebRecon
TCPA filings opened 2026 at elevated levels and have not let up.
According to WebRecon’s monthly litigation data, 794 TCPA cases were filed in the first quarter – up 23.7% year-over-year – with class actions accounting for an average of 75.7% of all TCPA filings across the quarter, a rate WebRecon has characterized as “extraordinarily high, historically speaking.”
- January started with 219 total TCPA cases, 170 of which were class actions (77.6%).
- February surged to 292 cases, driven by a 33.3% month-over-month TCPA spike, with 211 class actions (72.3%).
- March pulled back slightly to 283 cases but class action volume continued climbing, reaching 220, the highest of the quarter, at a 77.7% class action rate.

The year-over-year comparison tells a sharper story: February and March 2026 class action filings ran well ahead of their 2025 counterparts (148 and 187, respectively), signaling that plaintiff attorneys are increasingly favoring the class action vehicle for TCPA claims.

Roughly 42% of plaintiffs filing each month had sued before, and South Florida attorney Gerald Lane led all consumer attorneys for a 14th consecutive month in March, representing 267 consumers year-to-date.
CFPB complaint volume also remained elevated throughout the quarter, up 46.6% year-over-year through March, even as the agency has pulled back from its historically aggressive enforcement posture in this sector.

The takeaway for contact compliance teams: TCPA class action exposure is not easing, and the plaintiff bar is active, organized, and increasingly experienced.
New York State of Emergency Issued through June 21, 2026
Consistent with prior communications, Executive Orders declaring disaster emergencies in the State of New York trigger telemarketing restrictions under the Nuisance Call Act.
The Nuisance Call Act makes it unlawful for any telemarketer to make unsolicited telemarketing sales calls to areas of the state under an emergency declaration.
Executive Order 47.18, which declares a State Disaster Emergency in the State of New York and orders the New York National Guard into active service to assist authorities in guaranteeing public order (correctional facilities), is in effect through June 21, 2026.
Gryphon AI has extended State of Emergency blocks for New York to June 21, 2026, to ensure compliance with the above Executive Orders.
Contact the Gryphon AI Helpdesk with any questions at 866-366-6822.
May Holiday Solicitation Bans
Please be aware of the following U.S. holiday telephone solicitation bans for the month of JUNE 2026:
- On June 1, 2026, Alabama prohibits unsolicited marketing calls to residents in observance of Jefferson Davis’ Birthday.
- On June 15th, 2026, Pennsylvania prohibits unsolicited marketing calls to residents in observance of Flag Day.
- On June 15th, 2026, Utah prohibits unsolicited marketing calls to residents in observance of Juneteenth Day.
- On June 19th, 2026, Alabama, Louisiana*, Nebraska**, Pennsylvania, and Rhode Island prohibit unsolicited marketing calls to residents in observance of Juneteenth Day.
Other holidays may be proclaimed by the Governor in each state throughout the year.
*Proclamation No. 07 JML 2026
**Nebraska does not prohibit calls on Sundays or legal holidays; however, it does restrict the use of prerecorded messages between 1pm and 9pm on these days (subject to certain exceptions).
Please be aware of the following Canadian holiday telephone solicitation bans for the month of June 2026:
- On June 21st, 2026, Northwest Territories and Yukon prohibit unsolicited sales and marketing calls in observance of National Indigenous Peoples Day.
- On June 24th, 2026, Quebec prohibits unsolicited marketing calls in observance of St. Jean Baptiste Day.
Gryphon AI has updated its existing service parameters to reflect these solicitation bans. Please contact us with any questions at 866-366-6822.
About Gryphon AI
Staying updated with the latest regulatory changes is crucial for any enterprise aiming to minimize risk and maximize reach. Gryphon AI is the only automatic, real-time, intelligent contact compliance solution on the market that delivers compliant, real-time intelligence into every customer conversation.
With Gryphon AI, enterprises can stay ahead of the regulatory curve and efficiently manage all regulatory changes, ensuring seamless compliance and operational excellence.
To learn more about how Gryphon AI can help you manage these updates, reach out to us today.