Below is a recap of the essential regulatory updates for contact compliance professionals for September. 

This is a marketing blog and is not intended, nor should it be interpreted, as legal advice. Please seek legal counsel for full interpretations of all rules and laws outlined in this blog. 

New Homebuyers Privacy Protection Act Effective March 5, 2026 

What Mortgage and Finance Companies Must Know About Trigger Leads, Consent, and EBR 

On September 5, 2025, President Donald Trump signed the bipartisan Homebuyers Privacy Protection Act (HPPA – H.R. 2808) into law. This Amendment to the Fair Credit Reporting Act (FCRA) restricts the sale of mortgage “trigger leads.” These leads are generated when a consumer applies for a mortgage, and the resulting credit inquiry is reported to credit bureaus, which can sell the data to multiple third parties. The HPPA becomes effective March 5, 2026, requiring mortgage lenders, brokers, and finance companies to update compliance accordingly. 

What Are Trigger Leads and Why They Matter 

Trigger leads enable competitors to contact consumers after a mortgage inquiry, often leading to an influx of unsolicited calls, texts, and emails. 

Under the HPPA, trigger leads cannot be sold unless: 

• The recipient makes a firm offer of credit or insurance 
• The consumer has explicitly consented to receive such offers
• The recipient is the consumer’s current mortgage originator, servicer, or a bank or credit union holding an existing account (proof of an Existing Business Relationship, “EBR”) 

The ABA Banking Journal notes that the law shields consumers from intrusive and misleading solicitations while protecting legitimate lender-consumer relationships.  

Telemarketing, Text Messaging and Email Compliance 

Here is what this bill means in terms of telemarketing, text message, and email compliance: 

• Mortgage and finance companies must also comply with the FCC’s Telephone Consumer Protection Act (TCPA) and the FTC’s Telemarketing Sales Rule (TSR) 
• Email communications are regulated separately under the CAN-SPAM act, which sets requirements for commercial email messages 
• TCPA and TSR require prior express written consent for telemarketing via calls or texts using autodialers or prerecorded messages, and established business relationships allow some limited outreach subject to documentation and expiration 
• A clear and easy opt-out mechanism must be provided in all channels, with opt-out requests honored promptly 
• According to the Consumer Finance Monitor, the HPPA helps consumers regain control by reducing disruptive marketing that may interfere with ongoing financing 

Consumer Viewpoint from ICBA 

The Independent Community Bankers of America (ICBA) supports the law as a benefit to consumers tired of aggressive marketing. The ICBA highlights that reforming trigger lead practices enhances consumer confidence in community banks by protecting data but allowing appropriate marketing by institutions with existing consumer relationships. 

Steps for Compliance 

Mortgage finance companies have 157 days from today to prepare for this monumental change in leads procurement. Here is what you can do to prepare: 

• Begin an audit of existing lead generation and marketing processes, and revise as needed to meet the March 5, 2026 deadline 
• Train teams and vendors on HPPA, TCPA, and TSR compliance 
• Strengthen consent capture, EBR documentation, and opt-out handling 
• Provide transparent disclosures and maintain accurate records to support compliance efforts (as a reminder, see the FTC’s TSR recordkeeping requirements for Consent and EBR records, effective 10/15/2024) 

The HPPA and related telemarketing rules represent a significant regulatory shift emphasizing consumer privacy and consent. Mortgage lenders should act swiftly to update lead trigger and sales strategies, reduce regulatory risks and build customer trust. 

TCPA Text Messaging in Flux: Conflicting 2025 Court Rulings on Do-Not-Call Coverage 

The applicability of the TCPA’s Do Not Call (DNC) rules to text messages has faced sharply divergent court rulings in 2025, reflecting recent shifts in judicial interpretation following the Supreme Court’s McLaughlin Chiropractic Associates v. McKesson Corp. decision. 

Historically, the Federal Communications Commission (FCC) interpreted “calls” in the TCPA to include texts, thereby extending DNC protections to unwanted marketing texts. However, the Central District of Illinois in Jones v. Blackstone Medical Services departed from this view, ruling that texts are not “calls” under 47 U.S.C. § 227(c) and dismissing TCPA claims brought on that basis. 

On the other hand, the District of Oregon in Wilson v. Skopos Financial found the opposite, upholding that text messages do fall under TCPA’s DNC rules. The court emphasized the intrusive nature of texts and aligned its interpretation with the FCC’s long-held stance on consumer protections. 

These conflicting outcomes stem from the Supreme Court’s ruling that lower courts are no longer bound to defer to FCC interpretations of the TCPA, triggering judicial independence in statutory interpretation. Businesses using text marketing face uncertainty as the legal landscape varies by jurisdiction, with increased litigation risk and the need for vigilant compliance monitoring. 

Businesses should not interpret recent conflicting court rulings on texts and the TCPA as a green light to disregard compliance. Experts from Mac Murray & Shuster underscore that litigation risk remains significant given the ongoing split among jurisdictions, with some courts upholding FCC interpretations including texts under the TCPA and others rejecting it. This inconsistency leads to forum shopping and unpredictable outcomes. Firms must continue to maintain stringent consent, revocation, and Do-Not-Call processes for text messaging to mitigate risks of costly lawsuits across different courts (Mac Murray & Shuster Insights; CommLaw Group Analysis). Vigilance in legal monitoring and proactive adjustments remain essential in navigating the evolving TCPA text marketing regulatory landscape. 

FTC’s National Do Not Call Registry Fees Increase Effective October 1, 2025 

Starting October 1, 2025, telemarketers will face increased fees to access the Federal Trade Commission’s National Do Not Call (DNC) Registry. The cost to access a single area code will rise from $80 in FY 2025 to $82 in FY 2026. The maximum fee for accessing the entire DNC Registry nationwide will increase from $22,038 to $22,626. Additionally, the fee for accessing an extra area code mid-year will rise from $40 to $41. 

These fees fund the administration and enforcement of the Do Not Call Registry, helping reduce unwanted telemarketing calls. Telemarketers must subscribe annually to download the registry data and comply with the Telemarketing Sales Rule under 16 CFR §310.8. The fee adjustments reflect inflation and operational costs, continuing the pattern of periodic fee updates as authorized by the Do Not Call Registry Fee Extension Act of 2007. 

For more information, see the Federal Register Notice. 

Robocall Enforcement Intensifies: Industry Faces Tougher Traceback Rules and Provider Removals 

The Federal Communications Commission (FCC) stepped up its fight against illegal robocalls in August 2025 by removing over 1,200 voice service providers from its Robocall Mitigation Database (RMD), effectively disconnecting those providers from the U.S. telephone network until they meet compliance standards. This action represents the most aggressive and comprehensive enforcement thus far under Chairman Brendan Carr’s tenure. 

Why the Crackdown? 

The FCC had expanded robocall mitigation obligations beginning with a January 2024 Public Notice, requiring providers to submit detailed Robocall Mitigation Plans (RMPs) and certify compliance by a February 2024 deadline. More than 2,000 providers failed to meet this deadline or filed deficient plans that lacked necessary detail. These non-compliant filings risked undermining efforts to stop illegal robocall traffic. 

In December 2024, the Enforcement Bureau warned these providers to correct deficiencies or face removal. Despite this, hundreds failed to cure the problems. Shortly after, the Bureau began removing providers in batches, including an initial removal of 185 non-compliant companies in August 2025, followed by the larger removal of over 1,200 providers later that month. 

Traceback Compliance: A Key Factor 

A critical element behind enforcement is traceback participation. Providers are required to respond within 24 hours to traceback requests that identify the sources of illegal calls. Several recent orders have targeted providers who pledged compliance but failed to respond adequately, resulting in formal deficiency findings and potential removal from the RMD if uncorrected. This is vital to the FCC’s two-track approach: stopping illegal traffic and enforcing truthful mitigation documentation. 

New Third-Party Call Authentication Rules 

An additional regulatory layer took effect in September 2025, requiring providers who use third parties for STIR/SHAKEN call authentication to obtain their own Secure Parameter Certificates (SPC) and manage signing certificates themselves. Previously, some providers outsourced this function, but now the FCC demands direct control to enhance accountability and prevent spoofing or fraud abuses. 

Industry Doubts Remain 

While the FCC’s hardline enforcement demonstrates commitment, industry experts caution that the problem of illegal robocalls is complex. Some voice providers express skepticism that larger systemic issues – including fraudsters swiftly moving to less-regulated networks or offshore providers – can be fully addressed just through RMD removals and traceback enforcement (Law360). These observers stress that continuous innovation in analytical and technical tools, inter-agency collaboration, and downstream carrier vigilance are essential complements to regulatory orders. 

What Providers Must Do 

For voice service providers, these developments underscore that compliance with the RMD is no longer optional but fundamental to business continuity. Providers must: 

• Submit and maintain detailed, actionable robocall mitigation plans 
• Respond promptly (within 24 hours) to traceback requests 
• Act to block traffic once illegal activity is identified 
• Ensure certificate control in call authentication per new STIR/SHAKEN rules 
• Prepare for rigorous FCC scrutiny and potential removal for non-compliance 

Providers removed from the RMD face a stringent reinstatement process, requiring prior FCC approval to re-enter the database and network. The Commission’s strong stance signals ongoing enforcement vigilance and the need for providers to operationalize compliance across networks, plans, and technologies to reduce illegal robocalls. 

New FCC Regulatory Body: Consumer Protection & Accessibility Advisory Committee (CPAAC) 

The Federal Communications Commission (FCC) announced the Consumer Protection and Accessibility Advisory Committee (CPAAC), a key new regulatory body established to advise the FCC on a broad array of consumer protection and accessibility issues in telecommunications and related services. Formerly known as the Consumer Advisory Committee (CAC), it was renamed to emphasize inclusion of disability access matters, expanding its mission beyond traditional consumer advocacy to also encompass the needs of people with disabilities. 

CPAAC is composed of 27 members representing consumer organizations, communications companies, trade associations, and non-profits, bringing diverse expertise and perspectives to FCC policymaking. The committee provides recommendations on Commission initiatives, including combating robocalls, improving call-blocking technologies, enhancing emergency alerts, and addressing the digital divide. It meets regularly, with public participation encouraged through live streaming and open microphone sessions. 

The CPAAC’s formation strengthens stakeholder collaboration, ensuring the FCC addresses consumer protection and accessibility challenges comprehensively. By tapping into a wide range of expertise, CPAAC supports the FCC in crafting regulations that protect telecommunications consumers, including those with disabilities, and help close gaps in technology access nationwide. 

In sum, CPAAC serves as an essential forum for dialogue between the FCC and stakeholders, providing expert advice to promote equitable access, consumer rights, and effective protections in the rapidly evolving communications landscape. 

Click here to view the recorded livestream of the CPAAC’s first meeting of the current term on Wednesday, September 10, 2025. 

October Holiday Solicitation Bans 

Please be aware of the following U.S. holiday telephone solicitation bans for the month of October 2025: 

1. On October 13, 2025, Alabama, Nebraska*, Pennsylvania, Rhode Island, and Utah prohibit unsolicited sales and marketing calls to residents in observance of Columbus Day. 

Other holidays may be proclaimed by the Governor in each state throughout the year.  

*Nebraska does not prohibit calls on Sundays or legal holidays; however, it does restrict the use of prerecorded messages to 1 pm to 9 pm on these days (subject to certain exceptions). 

Please be aware of the following Canadian holiday telephone solicitation bans for the month of October 2025: 

1. On October 13, 2025, unsolicited sales and marketing calls to residents of the following provinces and territories are prohibited in observance of Thanksgiving Day: Alberta, British Columbia, Manitoba, Northwest Territories, Nunavut, Ontario, Quebec, Saskatchewan, and Yukon. 

Gryphon has updated its existing service parameters to reflect these solicitation bans.

New Tennessee and Louisiana Area Codes Effective in September 2025 

TheNorth American Number Plan Administrator (NANPA) has announced the implementation of a new Area Code in Tennessee: 

• New area code: 729 
• Jurisdiction: Tennessee 
• Effective Date: September 5, 2025 
• Type: Geographic 
• Overlay: 729 overlays 423 

See Press Release here. 

NANPA also announced a new Area Code in Louisiana: 

• New area code: 457 
• Jurisdiction: Louisiana 
• Effective Date: September 25, 2025 
• Type: Geographic 
• Overlay: 457 overlays 318 

See Press Release here. 

Gryphon has implemented this new area code throughout all systems, ensuring compliance with the published effective date and requirements.  

Planned NPAs Not Yet in Service: 

QUIET Act Stealthy Sponsorship Roster Climbs 

The Quashing Unwanted and Interruptive Electronic Telecommunications (QUIET) Act, introduced on February 5, 2025, proposes disclosure of Artificial Intelligence (AI) use at the beginning of a telemarketing call, along with increased penalties for violations involving AI voice or text messages, now has 21 total co-sponsors including original co-sponsor Sorensen (IL) and with Representatives Josh Gottheimer (D-NJ) and Chris Deluzio (D-PA) joining in August. Notably, co-sponsor Raul Grijalva (D-AZ) is no longer serving. While co-sponsorship is growing, the govtrack.us prognosis estimates only a 2% chance of this bill being enacted. 

H.R. 7123, a previous version of this bill introduced on January 29, 2024, died in previous Congress; it had 8 co-sponsors. 

FTC’s New Approach to Non-Competes: Targeted Enforcement in 2025 

The Federal Trade Commission (FTC) has significantly shifted its non-compete enforcement approach in 2025, abandoning its broad nationwide ban on most employee non-compete agreements following court rulings that blocked the regulation’s implementation.  

On September 4, 2025, the FTC formally withdrew its appeals against these court orders while simultaneously filing a targeted enforcement action against Gateway Pet Memorial Services. The FTC’s complaint criticized Gateway for requiring nearly all employees – including hourly workers and facility laborers – to sign overly broad non-compete agreements that restricted employment in the entire pet cremation industry across the U.S. for one year post-employment. The agency emphasized the lack of individualized consideration and the expansive geographic scope as key concerns. 

While the FTC has stepped back from rulemaking, it committed to vigorously enforcing under the FTC Act and the Sherman Act on a case-by-case basis. The proposed consent order with Gateway halts enforcement of existing non-competes except for narrow exceptions involving senior executives or equity owners and requires notification to employees that their agreements are void. Employers are advised to reassess their non-competes to ensure tailored, lawful terms aligned with FTC priorities and diverse state-level laws (Law360). 

The FTC has set up a workshop open to the public, “Moving Forward: Protecting American Workers from Anticompetitive Noncompete Agreements,” on October 8, 2-6 p.m. EST. Livestream link will be posted on ftc.gov the same day. 

The FTC also is seeking comment from “members of the public, including current and former employees restricted by noncompete agreements, and employers facing hiring difficulties due to a rival’s noncompete agreements, are encouraged to share information about the use of noncompete agreements.” 

Public comments are due November 3, 2025. 

Find docket FTC-2025-0463-0001 on Regulations.gov 

Submissions may also be submitted confidentially to noncompete@ftc.gov. 

FTC Settlement Forces Chegg to Simplify Auto-Renewal Cancellations, Pay $7.5M 

Auto-renewing subscriptions can be convenient, but as recent Federal Trade Commission (FTC) action shows, companies must make canceling these subscriptions easy and straightforward. On September 14, 2025, the FTC announced a $7.5 million settlement with education technology company Chegg, Inc. over allegations that it made canceling auto-renewing subscriptions unnecessarily difficult for consumers. 

The FTC’s complaint detailed how Chegg buried cancellation links deep within its website and required multiple confusing steps to complete cancellations. Even after consumers navigated through these hurdles, Chegg continued to charge nearly 200,000 users post-cancellation requests. Internal Chegg communications showed company awareness of these issues but no sufficient action to improve cancellation processes (Law360). 

Under the proposed consent order, Chegg must provide a simple, easy-to-use cancellation mechanism equal in ease to the sign-up process. It also must promptly stop all recurring charges upon cancellation and pay $7.5 million in consumer refunds. The settlement reinforces the federal Restore Online Shoppers’ Confidence Act (ROSCA) requirements that companies offering “negative option features” – like auto-renewals – clearly disclose terms and provide an easy way to cancel recurring charges (Law360). 

Subscription businesses should take note: friction in cancellation flows or continuing to charge after cancellation requests risks FTC enforcement, monetary penalties, and reputational harm. 

Navigating Colorado’s Pioneering AI Law as Enforcement Postpones to Mid-2026 

Colorado’s landmark Artificial Intelligence Act, originally scheduled to take effect on February 1, 2026, has been delayed until June 30, 2026, following a special legislative session and Governor Jared Polis’s signature on Senate Bill 25B-004. 

The AI Act is designed to regulate “high-risk” AI systems – those used in consequential decisions impacting consumers in housing, employment, healthcare, education, and finance. It requires developers and deployers to use reasonable care to prevent algorithmic discrimination, complete impact assessments, and provide public transparency about the AI systems’ use and risks. Consumers must also be notified when AI influences significant decisions about them, with rights to correct data and appeal adverse outcomes. 

The delay aims to give lawmakers more time to consider amendments amid concerns over compliance complexity and regulatory costs facing businesses and governments. While substantive provisions remain unchanged, proposals submitted during the special session would clarify responsibilities of developers versus deployers and enhance consumer rights regarding data used in AI decision-making. 

Businesses using high-risk AI systems in Colorado should continue preparing for compliance and monitor legislative developments as the state refines its pioneering AI regulatory framework. 

Texas Advances AI and Nondisclosure Laws: Key Provisions Taking Effect in 2025-26 

Texas is enacting two important laws impacting nondisclosure agreements and artificial intelligence starting late 2025 and early 2026. First, Senate Bill 835, effective September 1, 2025, voids nondisclosure and confidentiality provisions in agreements that prohibit disclosure of sexual abuse or assault claims, applying retroactively unless a court permits nondisclosure. While these provisions can’t keep abuse facts confidential, other settlement terms may remain private under Texas law. The law does not create a private right of action but renders such confidentiality clauses unenforceable as a matter of law. 

Second, the Texas Responsible Artificial Intelligence Governance Act (TRAIGA 2.0), effective January 1, 2026, establishes a framework regulating AI systems in Texas. It includes oversight mechanisms and ethical standards particularly for government use but extends to private employers. The law bans AI systems that discriminate illegally or manipulate behaviors and requires disclosures around AI decision-making affecting individuals. TRAIGA also creates a regulatory sandbox and advisory council, while enforcement lies with the Texas Attorney General and no private lawsuits are authorized. 

Together, these laws represent Texas’s growing focus on transparency, consumer protection, and responsible AI use. Businesses operating in Texas should prepare for compliance with these new legal standards. 

The Push for Practicality: ACA International Continued Challenge to the FCC’s Consent Revocation Rule 

On September 15, 2025, ACA International submitted a detailed comment letter to the U.S. Department of Justice (DOJ) and National Economic Council (NEC), emphasizing business challenges caused by inconsistent state telemarketing and debt collection laws. The letter highlighted the economic burden of navigating this fragmented regulatory landscape and urged federal action to harmonize consent and revocation rules. The DOJ letter followed an ExParte Presentation to the FCC on August 27, 2025 detailing the ‘in practice’ impact this consent rule will have on businesses and consumers alike (e.g. if a consumer opts out of an airline text message, did they really mean to stop getting gate change notifications, and flight updates, too?) This advocacy aligns with ACA’s broader efforts to influence telecommunication policy at the federal level. See recent ACA summary here. 

Notably, ACA International led a successful petition that persuaded the Federal Communications Commission (FCC) to delay the implementation of its strict “revoke all” consent revocation rule from April 2025 to April 2026. This rule requires businesses to treat a consumer’s single revoke request, such as texting “stop,” as a comprehensive withdrawal of consent for all calls and texts across all business units and communication channels. 

Consent remains the cornerstone of compliance in both telemarketing and debt collection. Consumers expect clear, straightforward ways to revoke consent and quick enforcement of their preferences. The FCC’s updated rules mandate businesses honor revocation requests within 10 business days, heightening expectations for responsiveness and transparency. 

For businesses, especially larger institutions and debt collectors, this presents operational complexity and increased compliance costs. Coordinating revocations across siloed units, vendors, and CRM systems demands significant resource investment. The FCC’s delay, driven by ACA’s advocacy (in partnership with American Bankers Association (ABA), the American Financial Services Association (AFSA), and the Mortgage Bankers Association), provides critical time for businesses to implement compliant systems that meet these consumer protections without sacrificing operational efficiency. 

ACA International’s leadership continues to balance enhanced consumer privacy with practical compliance timelines, helping businesses navigate an evolving and often fragmented regulatory environment. 

New York State of Emergency Extended Through October 25th  

Consistent with prior communications, Executive Orders declaring disaster emergencies in the State of New York trigger telemarketing restrictions under the Nuisance Call Act.    

The Nuisance Call Act makes it unlawful for any telemarketer to make unsolicited telemarketing sales calls to areas of the state under an emergency declaration.      

Executive Order 52 declaring a State Disaster Emergency in the State of New York arising from concerns due to Federal Actions related to vaccine access, has been issued effective through October 5, 2025.  

Executive Order 47.10 declaring a State Disaster Emergency in the State of New York arising from an illegal and unlawful strike by correction officers, was extended through October 25, 2025.  

Gryphon AI has extended State of Emergency blocks for New York to October 25, 2025, to ensure compliance with the above Executive Orders.    

About Gryphon AI 

Staying updated with the latest regulatory changes is crucial for any enterprise aiming to minimize risk and maximize reach. Gryphon AI is the only automatic, real-time, intelligent contact compliance solution on the market that delivers compliant, real-time intelligence into every customer conversation.     

With Gryphon AI, enterprises can stay ahead of the regulatory curve and efficiently manage all regulatory changes, ensuring seamless compliance and operational excellence.     

To learn more about how Gryphon AI can help you manage these updates, reach out to us today.