State Debt Collection Laws 2026: A Practitioner's Map

The Fair Debt Collection Practices Act and CFPB Reg F set the federal floor. Every state then adds its own layer — licensing, disclosure mandates, calling-hour restrictions, statute-of-limitations rules, and (in several states) far stricter substantive protections than the federal regime. A collection agency operating across the United States in 2026 needs to operate to fifty-plus rule sets simultaneously. This is the practitioner's map to state debt-collection laws, with a focus on the highest-volume jurisdictions and the operational implications.

Why State Laws Matter

Three structural reasons state law cannot be ignored:

• State law often goes beyond the FDCPA. California's Rosenthal Act extends FDCPA-style protections to first-party creditors — something the federal FDCPA does not do. New York requires substantiation within five days. Massachusetts caps call frequency far tighter than the 7-in-7 federal cap.
• License requirements are state-specific. Most states require a debt-collection license to collect within the state. License applications differ; bonding requirements differ; reporting differs.
• State AGs and DCAs are active. California's DFPI, the NY Department of Financial Services, the Massachusetts AG, and the Texas AG have all brought significant collection-industry actions in 2024-2025.

The Federal-State Structure

Federal law (FDCPA + Reg F) sets the baseline. State law either:

• Mirrors federal — adopts FDCPA-style protections with minor variations.
• Extends federal — adds substantive protections (more restrictive call frequency, broader covered entities, additional disclosures).
• Adds parallel obligations — license, bonding, reporting, fee restrictions independent of federal law.

Multi-state operation requires per-state rule encoding and per-state operational adjustment.

Ten-State Spotlight

The highest-volume jurisdictions for collection-industry compliance:

California

The Rosenthal Fair Debt Collection Practices Act applies FDCPA-style protections to first-party creditors as well as third parties. License required via the Department of Financial Protection and Innovation (DFPI). The California Consumer Financial Protection Law adds UDAP-style protections. AB 1864 (2020) created the DFPI and significantly expanded the state's debt-collection enforcement infrastructure.

New York

Department of Financial Services (DFS) licensure required for many collectors. The 2014 NYC Department of Consumer and Worker Protection (DCWP) rules, expanded in 2024-2025, require substantiation within five days, prohibit certain communication practices, and impose mandatory recordkeeping. Class-action exposure under NY GBL § 349 is significant.

Texas

Surety bond required ($10,000) for non-attorney debt collectors. The Texas Debt Collection Act parallels the FDCPA with additional restrictions on threats and misrepresentation. Texas AG enforcement has been active in 2024-2025 on first-party creditor conduct.

Florida

The Florida Consumer Collection Practices Act (FCCPA) applies to first- and third-party collectors. License required. Specific restrictions on communication with consumers represented by counsel.

Illinois

The Illinois Collection Agency Act requires license, bond, and operational compliance. The Illinois Consumer Fraud and Deceptive Business Practices Act provides parallel UDAP exposure. Chicago's home-rule debt-collection rules add a city-level overlay.

Massachusetts

The Massachusetts Attorney General's Debt Collection Regulations (940 CMR 7.00) impose far tighter call-frequency limits than the federal 7-in-7 — effectively two completed calls per consumer per week. Mass. Gen. Laws ch. 93A provides UDAP exposure with treble-damage potential.

Washington

Department of Licensing oversight. The Washington Collection Agency Act requires licensure, bonding, and operational compliance. Specific restrictions on harassment, false representation, and unauthorised fees.

Colorado

Administrator of the Uniform Consumer Credit Code (UCCC) oversees collection activity. Specific rules on validation notice, dispute handling, and prohibited conduct. Permission-to-collect requirements that mirror federal validation requirements.

Oregon

Department of Consumer and Business Services regulates collection. The Oregon Unlawful Debt Collection Practices Act (OUDCPA) applies to first-party and third-party collectors with FDCPA-parallel protections.

Connecticut

Department of Banking licensure required. The Creditors' Collection Practices Act covers consumer collections with specific rules on communications, disclosures, and validation.

Operational Overlay — What to Track Per State

• License status — current license, expiry date, renewal calendar.
• Bond requirement — surety bond level, surety company, renewal date.
• Calling hours — state-specific time-of-day windows.
• Communications restrictions — state-specific rules on text, email, place of employment.
• Disclosure mandates — state-specific notice content beyond the federal validation notice.
• Statute of limitations — for the debt type at issue; disclosure of expired statute often required.
• Permitted fees — state-specific caps on interest, collection fees, court costs.
• Filing notifications — state-specific pre-filing or post-filing notice requirements.

Multi-State Operational Strategy

For a national collection operation, the operational answer is per-state rule encoding at the dialler, the script library, the disclosure templates, and the audit trail. Manual tracking across 50 states is the failure mode.

Compliance technology that encodes state-specific rules — and routes calls / scripts / disclosures by consumer state — is the difference between a defensible multi-state operation and a state-AG-exposure liability.

How Sedric Helps

Sedric's state-law overlay encodes the highest-volume state regimes — California, New York, Texas, Massachusetts, Illinois, Florida, Washington, Colorado, Oregon, Connecticut, and others — as rule libraries that score each collection conversation against the applicable state framework based on the consumer's address. State-specific disclosures are surfaced through agent-assist, state-specific calling-hour windows are enforced at the dialler layer (or alerted at the call routing layer), and state-AG-relevant patterns surface in real-time MI.

FAQ

Does federal law preempt state debt-collection law?

No, the FDCPA explicitly does not preempt more-restrictive state law. A collector must comply with both federal and state regimes.

Which states have the strictest call-frequency rules?

Massachusetts (effectively two completed calls per consumer per week under 940 CMR 7.04) is among the strictest. California's Rosenthal Act provides for FDCPA-style frequency analysis applied to first-party creditors.

Do I need a separate license in every state I collect in?

Most states require licensure for in-state collection activity. Some have reciprocity arrangements; many do not. National operations typically maintain licenses in 35-50 states depending on the business mix.

What's the bond requirement structure?

Highly state-specific. Bonds range from $5,000 in some states to $50,000+ in others. Some states require additional bonds for specific debt categories.

How do I track state-law changes?

Subscribe to ACA International's regulatory tracker, monitor state-AG publications, and use a compliance platform with a vendor-maintained state rule library.

The Bottom Line

State debt-collection law is the under-appreciated source of compliance risk for national collection operations. The firms that handle it well encode per-state rules at the dialler layer, route disclosures and scripts by consumer state, and produce per-state audit trails on demand. Without that infrastructure, multi-state operations are operating on the strength of luck — until a state AG examination finds the gap.

Map Your State-Law Exposure

Sedric's State Law Compliance Audit reviews your collection footprint state-by-state, flagging license expirations, bond gaps, disclosure mismatches, and call-frequency-rule exposure. Book a demo for a state-specific compliance gap analysis.