Last Week, This Morning

March 9, 2026

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)1" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

Nebraska Requires Net Tangible Benefit Analysis for Borrowers Refinancing Installment or Mortgage Loans

Nebraska Governor Jim Pillen recently signed Legislative Bill 717, which, among other things: (1) amends the Nebraska Installment Loan and Sales Act to require licensees to disclose to a borrower, in connection with a refinance of an existing installment loan, whether or not the borrower will receive a net tangible benefit through the refinance; and (2) amends the Nebraska Residential Mortgage Licensing Act to require licensees to disclose to a borrower, in connection with a refinance of an existing residential mortgage loan, whether or not the borrower will receive a net tangible benefit through the refinance. "Net tangible benefit" is defined as "a benefit of a refinance that will be in the financial interests of the borrower." Net tangible benefit includes, but is not limited to:

  • obtaining a lower interest rate;
  • obtaining a lower monthly payment, including principal, interest, taxes, and insurance;
  • obtaining a shorter amortization schedule;
  • changing from an adjustable interest rate to a fixed interest rate;
  • eliminating a negative amortization feature;
  • eliminating a balloon payment feature;
  • receiving cash out from the new loan in an amount greater than all closing costs incurred in connection with the loan;
  • avoiding foreclosure;
  • eliminating private insurance; and
  • consolidating other existing loans into a new loan.

The disclosure provided to the borrower must be on a worksheet prescribed by the Nebraska Director of Banking and Finance or on a form prescribed by the director substantially similar to the worksheet.

The new law takes effect immediately.

Amicus Brief(ly): The "net tangible benefit" (or "tangible net benefit") test has been part of the refinance provisions of mortgage lending laws in a number of states for a while, in particular with respect to state laws regulating "high-cost" or "higher-cost" mortgage loans. It is a little unusual to see the requirement in the context of a fairly standard consumer lending law like the Installment Loan and Sales Act, but here we are. In this new law, Nebraska adds the disclosure requirement to both the mortgage lending law and the installment lending law and requires the regulator to prepare a worksheet (which, as best we can tell, the regulator has not yet published, despite the law becoming effective when signed). The new law does not prohibit licensed lenders from refinancing loans if there is no "net tangible benefit," which some states do. They just have to disclose to the borrower whether there is a "net tangible benefit" from the refinance, leaving to the borrower the decision whether to accept the refinanced loan if there is no "net tangible benefit."

Wyoming Enacts Uniform Mortgage Modification Act

Wyoming Governor Mark Gordon recently signed Senate Bill 31, which enacts the Uniform Mortgage Modification Act. For mortgage modifications subject to the Act: (1) the mortgage continues to secure the obligation as modified; (2) the priority of the mortgage is not affected by the modification; (3) the mortgage retains its priority regardless of whether the mortgage modification is recorded; and (4) the modification is not a novation.

The Act applies to the following categories of modifications: (1) an extension of the maturity date of an obligation; (2) a decrease in the interest rate of an obligation; (3) certain changes in the methods of calculating interest that do not result in an increase in the interest rate as calculated on the date the modification becomes effective; (4) a capitalization of unpaid interest or other unpaid monetary obligation; (5) a forgiveness, forbearance, or other reduction of principal, accrued interest, or other monetary obligation; (6) a modification of a requirement for maintaining certain escrow or reserve accounts; (7) a modification of a requirement for acquiring or maintaining insurance; (8) a modification of an existing condition to advance funds; (9) a modification of a financial covenant; and (10) a modification of the payment amount or schedule resulting from another modification to which the Act applies.

The Act does not apply to any of the following modifications: (1) a release of, or addition to, property encumbered by a mortgage; (2) a release of, addition of, or other change in an obligor; or (3) an assignment or other transfer of a mortgage or an obligation.

The Act does not affect existing law governing the required content of a mortgage, statutes of limitations, recording, priority of certain tax liens or other governmental liens, certain electronic transactions, or priority of certain future advances.

The new law is effective on July 1, 2026.

Amicus Brief(ly): Nevada and Utah were the first two states to adopt the Uniform Law Commission's Uniform Mortgage Modification Act from 2024, and now Wyoming has joined them in enacting its version of the Act, which is designed to provide some clarity around whether a lienholder's lien priority persists through a mortgage loan modification. The ULC identified that when parties to a mortgage agree to modify the terms of the mortgage loan or other obligation secured by the mortgage after origination, which is common, the law (especially the common law) is not always clear about whether and how modifications affect mortgage liens, including those of junior lienholders. To keep that uncertainty from adversely affecting borrowers - especially those who are entering into the modification as a foreclosure mitigation effort and who might lose their option to modify a loan if the first lienholder's lien could be at risk from the modification - the ULC's model Act identifies several categories of safe harbor modifications that mortgage holders and borrowers can agree to make to recorded mortgages without affecting lien priority. We expect other states to adopt versions of this useful model Act to provide clarity for mortgage holders and their customers.
Iowa AG Sues Car Manufacturer in Connection with its Collection and Sale of Consumers' Driving Data

The Iowa Office of the Attorney General recently filed a lawsuit against a major vehicle manufacturer and its subsidiary, which provides subscription-based telematic systems that are installed in the manufacturer's vehicles, for committing deceptive trade practices in violation of the Iowa Consumer Fraud Act in connection with their collection and sale of driving data from consumers.

According to the AG's petition, the telematic systems and the manufacturer's mobile applications installed on its vehicles allowed it to collect consumers' driving data, analyze it, and sell it to third-party data brokers for profit without the consumers' knowledge or consent. Data brokers then allegedly sold this driving data to insurance companies, which, in turn, used the data to allegedly increase insurance rates, drop insurance coverage, or deny insurance coverage. The petition also alleges that the manufacturer used aggressive and deceptive enrollment tactics to persuade consumers to purchase its connected vehicle products and services, sometimes misleading them into believing that enrollment was mandatory to access their vehicles' basic safety features.

The AG's petition seeks civil penalties, the deletion of all driving data including driving data in the possession of any third party, restitution to consumers who suffered a loss as a result of the allegedly deceptive acts and practices, and to enjoin further violations of the law.

Amicus Brief(ly): The list of states suing car manufacturers over their driver data collection and use practices just grew by one. The typically quiet Iowa attorney general joined the attorneys general of Texas, Nebraska, and Arkansas in their efforts to ensure that companies at least advise consumers that they plan to collect and sell the consumers' driving data and then give them the option to opt into, or opt out of, the data sharing practices. Consumers are upset when they learn that someone has collected and sold data about them without their knowledge or consent, but when they learn that one of the impacts of the non-consensual data sharing is an increase in their cost of insurance, they get pretty incensed. As we have stated previously in these weekly reports, we do not anticipate a slowdown in consumer data-related developments from the states any time soon.

Car Manufacturer that Required Consumers to Verify Email Address as Part of Data Sale/Sharing Opt-Out Process Violated California Consumer Privacy Act

On March 5, the California Privacy Protection Agency's Enforcement Division announced a final order against a major vehicle manufacturer, resolving allegations that it required consumers to verify their identity before they could opt out of the selling and sharing of their personal information collected by the manufacturer by means of its websites, mobile applications, and connected vehicle services. The CPPA found that requiring consumers to verify an email address as part of the opt-out process resulted in "unnecessary friction" for consumers when exercising their opt-out rights and, therefore, violated the California Consumer Privacy Act.

Under the CCPA, consumers have the right to opt out of the sale or sharing of their personal information. If a business provides online notice to consumers of their right to opt out of sale/sharing, it must include an interactive form by which consumers can submit their opt-out requests. The CCPA prohibits a business from requiring consumers to submit verifiable consumer requests to opt out of the sale/sharing of their personal information. A "verifiable consumer request" is a request that is made by a consumer that the business can verify to be the consumer about whom the business has collected personal information. Although a business may require consumers to submit a verifiable consumer request to exercise their right to delete, right to know, and right to correct, a business may not require a verifiable consumer request for the right to opt out.

In this case, the manufacturer provided notice of the right to opt out and used an online form for consumers to submit their opt-out requests. After consumers submitted requests to opt out by using the form, the manufacturer, according to the CPPA, could have processed those requests without requiring additional information. Instead, after consumers submitted the form, the manufacturer displayed a message on their screens stating: "Please check your email for confirmation, click confirm and we will start your request." The email message stated that the manufacturer had received the opt-out request, but before it would complete it, the consumer "must confirm [the consumer's] email and identity by clicking the [Confirm Email] button below." This confirmation requirement, according to the CPPA, was the additional step that added unnecessary friction to the opt-out process.

The manufacturer deemed as "expired" all requests to opt out of sale/sharing submitted by consumers who did not click "Confirm Email" in the email message, resulting in the manufacturer not processing dozens of requests to opt out within the period required by the CCPA. The manufacturer subsequently processed these requests in response to the CPPA's investigation.

In addition to paying a $375,703 fine, the manufacturer must change its business practices by providing consumers with easy methods to submit opt-out requests with minimal steps. It must also conduct an audit of the tracking technologies on its website and ensure compliance with opt-out preference signals, including the Global Privacy Control.

Amicus Brief(ly): Speaking of consumer data protection, this development from the CPPA is consistent with the agency's focus on compliance with its data sharing rules. The clearest takeaway from the CPPA's consent order is that opting out has to be easy. As a reminder, companies should be on the lookout for "opt-out preference signals" ("OOPS" for short) and should have tools for promptly honoring opt-outs. Evidently, the two-step process deployed by the car manufacturer in this case called for one step too many, and that apparent compliance mistake came with an expensive six-figure price tag.
1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.