Recently, the New York DFS announced that an online payday loan lead generator and its CEO will pay a $1 million penalty and cease payday loan lead generation activities in New York to resolve allegations that its payday loans charge fees had interest rates greater than the usury limits allowed under New York law, and that it failed to protect consumers’ personal information. According to the DFS, the company (i) “advertised payday loans and connected New York consumers to payday lenders without disclosing that the payday loans contained terms that violate New York usury laws”; and (ii) failed to take any protective measures when selling leads to its network of lead buyers, despite advertising that it “‘prides itself in putting [its] customer’s security and personal information protection at the top of [its] priority list.’” In the event that the company solicits non-payday lending services in New York in the future, the order requires it to establish and adhere to data security protocols for the secure use, transfer, and storage of consumers’ personal information. This action represents the DFS’s first action to require a company to implement consumer data security measures to its future collection of consumers’ personal information.