The Homebuyers Privacy Protection Act

The Homebuyers Privacy Protection Act (H.R. 2808, Public Law 119-36) was signed into law on September 5, 2025, and took full effect on March 4–5, 2026. It amends the Fair Credit Reporting Act (FCRA) to sharply restrict when credit bureaus can sell your mortgage data to third-party lenders — ending the widespread practice known as “trigger leads.”

If you’ve ever applied for a mortgage and immediately received dozens of calls, texts, and emails from lenders you’d never heard of — that experience now has a legal name: trigger leads and as of March 2026, a new federal law has largely put an end to the practice.

This guide from Captain Compliance who leads the way toward helping business owners with state privacy laws can also help with Homebuyer Privacy Protection Act Compliance. Our guide below covers everything you need to know: what the law does, what trigger leads are, who benefits, what lenders must do now, how enforcement works, and what steps you can take to protect yourself.

What Are Mortgage Trigger Leads?

When you apply for a mortgage, your lender pulls your credit report from one or more of the three major credit bureaus: Equifax, Experian, and TransUnion. That inquiry is recorded on your credit file. Under the old rules of the FCRA, those credit bureaus were permitted to sell lists of consumers who had recently had a mortgage inquiry — known as “trigger leads” — to any lender or broker willing to pay for them.

The result was predictable and, for most consumers, deeply frustrating. Within hours of applying for a mortgage — sometimes within minutes — homebuyers began receiving floods of phone calls, text messages, and emails from lenders and brokers they had never contacted. Many callers were aggressive, some were deceptive, and almost all were unwanted.

Some mortgage applicants reported receiving hundreds of unsolicited calls and texts within days of their credit being pulled. Many borrowers incorrectly believed their own lender, real estate agent, or title company had sold their information — damaging trust in the homebuying process at a critical moment.

The trigger lead industry was technically legal under existing FCRA rules because it was structured around “firm offers of credit.” But consumer complaints mounted, the CFPB flagged the practice in congressional testimony, and bipartisan support grew for a legislative fix.

What the Homebuyers Privacy Protection Act Does

The HPPA amends the FCRA by adding new, stricter conditions that must be satisfied before a credit reporting agency can sell trigger lead data in connection with a residential mortgage transaction. It does not eliminate trigger leads entirely — but it restricts them to a narrow set of circumstances.

The Two-Part Test

Under the new law, a credit reporting agency may only provide a consumer’s mortgage-related data to a third party if both of the following are true:

1. The transaction involves a firm offer of credit or insurance (a vague solicitation is not enough).
2. The requestor meets at least one of the approved relationship or consent criteria listed below.

Who Can Still Receive Trigger Lead Data?

Even after the law took effect, four categories of entities may still receive trigger lead data — but only when making a genuine firm offer of credit or insurance:

• Consumer opt-in: The consumer has given documented written authorization to a specific third party and opted in.
• Current mortgage originator: The requestor originally made the consumer’s existing home loan.
• Current mortgage servicer: The requestor is actively servicing the consumer’s current mortgage.
• Existing banking relationship: The requestor is an insured depository institution or credit union that currently holds an account for the consumer.

Any lender or broker that does not fall into one of these categories — and does not have documented consumer consent — can no longer legally receive your mortgage trigger lead data.

Legislative History: How the Law Was Passed

The Homebuyers Privacy Protection Act had a notably smooth path through Congress for major consumer legislation, reflecting strong bipartisan support in both chambers.

• House sponsors: Rep. John Rose (R-TN) and Rep. Ritchie Torres (D-NY)
• Senate sponsors: Sen. Jack Reed (D-RI) and Sen. Bill Hagerty (R-TN)
• December 2024: The Senate passed companion legislation (S. 3502) with strong bipartisan support.
• 2025: The House passed H.R. 2808; both chambers reconciled minor differences, including retaining a GAO study provision on text-based trigger leads.
• September 5, 2025: President Trump signed H.R. 2808 into law as Public Law 119-36. The 180-day compliance window began.
• March 4–5, 2026: The law became fully enforceable.
• September 4, 2026: The Government Accountability Office (GAO) must deliver its report to Congress on text-based trigger leads.

Supporters of the bill included the Mortgage Bankers Association, the American Bankers Association, the Independent Community Bankers of America, the National Association of Mortgage Brokers, the National Association of Realtors (NAR), the National Consumer Law Center, the Center for Responsible Lending, and the Consumer Federation of America.

How the HPPA Amends the Fair Credit Reporting Act

The Homebuyers Privacy Protection Act does not create an entirely new legal framework. Instead, it amends the existing Fair Credit Reporting Act (FCRA) — the landmark 1970 federal law that governs how consumer credit information is collected, shared, and used.

Before the HPPA, the FCRA already required any entity requesting a consumer’s credit report to have a “permissible purpose.” One such permissible purpose was making a “firm offer of credit or insurance” — the legal hook that allowed trigger lead sales to exist. The HPPA narrows this permissible purpose specifically for residential mortgage transactions by adding the new relationship-or-consent requirement on top of the existing firm offer standard.

Because the HPPA is an amendment to the FCRA, all existing FCRA enforcement mechanisms apply, including:

• CFPB oversight — The Consumer Financial Protection Bureau retains primary regulatory authority.
• Private right of action — Consumers can sue violators directly without relying solely on government enforcement.
• Actual and statutory damages — Available even without proving specific financial harm.
• Punitive damages — Available for willful violations.
• Attorney’s fees — Prevailing consumers may recover legal costs.
• State AG enforcement — Consumers may report violations to their state attorney general.

What This Means for Homebuyers

Fewer Unsolicited Contacts

The most immediate benefit is a dramatic reduction in unwanted calls, texts, and emails from competing lenders after your credit is pulled. The flood of solicitations that many borrowers described as harassment is now largely prohibited — unless you’ve explicitly opted in or the lender already has a qualifying relationship with you.

More Control Over Your Data

For the first time under federal law, mortgage applicants have a meaningful opt-in control mechanism. If you want to comparison-shop and receive offers from multiple lenders, you can provide documented consent. If you don’t, your data is protected by default.

A Less Stressful Process

One of the documented harms of trigger lead abuse was that borrowers receiving calls from strangers often became confused about who their actual lender was — and some were misled into switching lenders mid-process at considerable cost. The new law significantly reduces that risk.

Key points for homebuyers to know:

• The law does not prevent your chosen lender from contacting you.
• Your current bank or credit union may still reach out with offers under the existing-relationship exception.
• You can still voluntarily consent to receive offers from multiple lenders if you want to comparison shop.
• The law applies to refinances and home equity loans — not just initial home purchases.

What Lenders and Credit Bureaus Must Do Differently

For financial institutions, mortgage brokers, and credit reporting agencies, the compliance implications of the HPPA are significant. The 180-day window between enactment and enforcement gave the industry time to adjust, but the required changes are substantial.

Credit Reporting Agencies

Equifax, Experian, and TransUnion must now verify that any party requesting trigger lead data meets the new eligibility requirements — either documented consumer consent or one of the three existing-relationship categories. Broadly selling trigger lead lists, as had been common practice, is no longer permitted for residential mortgage transactions.

Lenders and Mortgage Brokers

Lenders who built lead generation pipelines around purchased trigger lead data must redesign those workflows. Key compliance steps include:

• Auditing all existing lead sources to identify which relied on trigger lead data
• Updating privacy notices and loan application disclosures to reflect the new consent framework
• Training loan officers on permissible purpose and consent pathways
• Reviewing vendor and data broker agreements
• Building systems to document and verify consumer opt-in consent when applicable
• Shifting toward referral-based and permission-based marketing strategies

The GAO Study on Text-Based Trigger Leads

One notable provision — retained from the House version of the bill — directs the Government Accountability Office (GAO) to study the use of trigger leads delivered specifically via text message. The report is due to Congress by September 4, 2026.

This provision signals that lawmakers may be considering further legislative action specifically targeting SMS-based mortgage solicitation if the GAO report reveals significant consumer harm.

Homebuyer Privacy Protection Act Compliance Software Provider – State Laws and the Federal Baseline

The federal Homebuyers Privacy Protection Act establishes a national floor. Some states — including Texas and Idaho — had already enacted their own state-level protections before the federal law passed. The HPPA standardizes protections across all states and may inspire additional state-level privacy legislation in adjacent financial services areas.

Your Pre-Existing Opt-Out Rights

Even before the HPPA took effect, consumers had a mechanism to limit prescreened credit offers under the existing FCRA: the OptOutPrescreen.com program. This opt-out remains available and works independently of the new law.

Visit OptOutPrescreen.com or call 1-888-5-OPT-OUT to opt out of prescreened credit and insurance offers. You can choose a 5-year opt-out or a permanent opt-out. This provides an additional layer of privacy protection on top of the HPPA.

How to Report Violations

If you believe your rights have been violated after March 4–5, 2026, you have three main options:

1. File a Complaint with the CFPB

The Consumer Financial Protection Bureau handles FCRA violations. Submit a complaint at consumerfinance.gov/complaint. The CFPB can investigate and take regulatory action against violators.

2. Report to Your State Attorney General

State attorneys general can also receive complaints about FCRA and HPPA violations. Most states have consumer protection divisions equipped to handle these cases.

3. Consult an FCRA Attorney

Because the FCRA includes a private right of action, you can hire a consumer protection attorney and file a lawsuit directly. Remedies can include actual damages, statutory damages, punitive damages (for willful violations), and attorney’s fees — meaning many attorneys take these cases on contingency.

Frequently Asked Questions

When exactly did the Homebuyers Privacy Protection Act take effect?

The law was signed on September 5, 2025, and took effect 180 days later on March 4–5, 2026. As of early March 2026, it is fully enforceable.

Does this law prevent me from comparison shopping for mortgages?

No. The law protects your data by default, but if you want to receive offers from multiple lenders, you can provide documented opt-in consent. The law gives you control — it does not restrict your ability to shop around.

Can my current bank still contact me about mortgage offers?

Yes. If you have an active account with an insured depository institution or credit union, that institution may still receive trigger lead data and contact you with a firm offer of credit. The same applies to your current mortgage originator and servicer.

Does the law apply to refinances as well as new purchases?

Yes. The law applies to any “residential mortgage transaction,” which includes refinances, home equity loans, and other mortgage credit transactions — not just initial home purchases.

What if I still receive unsolicited calls after the law took effect?

You can report it to the CFPB at consumerfinance.gov/complaint, contact your state attorney general, or consult a consumer protection attorney. Willful violations can result in punitive damages, statutory damages, and attorney’s fees under the FCRA.

Is the Homebuyers Privacy Protection Act the same as the “trigger leads bill”?

Yes. H.R. 2808 (Public Law 119-36) is commonly referred to as the “trigger leads bill” because its central purpose is to restrict the sale of mortgage trigger leads. Both names refer to the same law.

What is the GAO study, and will there be more legislation?

The GAO has been directed to study trigger leads delivered via text message, with a report due to Congress by September 4, 2026. While this does not change current law, it signals Congress may consider additional restrictions on SMS-based mortgage solicitations depending on the findings.