California Privacy Protection Agency's New CPPA Rules for Financial Institutions

The California Privacy Protection Agency (CPPA) has finalized sweeping new California Consumer Privacy Act (CCPA) regulations that will transform how financial institutions (FIs) manage consumer data. These California privacy rules go far beyond existing requirements, introducing mandatory cybersecurity audits, detailed risk assessments, and restrictions on automated decision-making technology (ADMT).  

What does this mean for FIs and businesses operating in or with clients in California? It's time to start preparing for CPPA compliance requirements coming in 2027 and 2028. 

Related: Laws vs. Regulations vs. Rules vs. Guidance: What Are the Differences? 

What are the CCPA and CPRA?

The CCPA was signed into law as AB 375 and took effect in January 2020, giving Californians new rights to access, delete, and opt out of the sale of their data. 

In 2020, voters approved the California Privacy Rights Act (CPRA) — also known as Proposition 24 — which expanded consumer rights, added safeguards for sensitive data, and established the California Privacy Protection Agency (CPPA) as an independent regulator. The CPRA went live in 2023, shifting enforcement from the Attorney General's office to the newly formed CPPA. 

Since then, the CPPA has been steadily building out the regulatory framework. Its latest major rules package — finalized in July 2025 — requires cybersecurity audits, risk assessments, and restrictions on automated decision-making. These rules are now under review by the Office of Administrative Law and are expected to take effect beginning in 2026, with phased compliance deadlines stretching into 2027 and beyond. 

Which institutions must follow California privacy rules? 

For FIs and other organizations handling California consumer data, the CCPA's rapid evolution signals an era of deeper governance, stricter oversight, and rising operational demands. 

The new rules apply to "businesses" that:  

• Make more than $25 million annually  
• Handle personal information from 50,000+ consumers per year  
• Make significant money selling consumers' personal information 

Unlike many state privacy laws, the CCPA does not provide blanket exemptions for FIs. While the Gramm-Leach-Bliley Act (GLBA) exempts certain financial data covered under federal law, California takes a unique approach: it exempts specific data types but not the institutions themselves. This means FIs must comply with CCPA requirements for any consumer data processing that goes beyond traditional financial records. 

Bottom line: If you serve California customers, market to California residents, or do any business touching California consumers, these rules apply to you — even if you're based outside California. 

What do the California Privacy Protection Agency's new regulations require?

1. Mandatory annual cybersecurity audits

Your institution will need comprehensive annual cybersecurity audits when processing consumers' personal information that presents a significant risk to their security. These audits cover a wide range of areas from multi-factor authentication to vendor management. The larger your institution, the sooner you should begin the audit preparation process: 

• Revenue over $100M: First audit due April 1, 2028  
• Revenue between $50M and $100M: First audit due April 1, 2029  
• Revenue under $50M: First audit due April 1, 2030 

Your institution is required to submit cybersecurity audit reports and annual compliance certifications to the CPPA and retain all related records for a minimum of five years. 

Related: Best Practices for Tracking Audit & Exam Findings 

2. Detailed risk assessment requirements

When engaging in high-risk processing, selling or sharing personal information or using automated systems, you'll need comprehensive risk assessment reports. 

Sensitive personal information includes everything from Social Security numbers and financial account details to precise geolocation, racial/ethnic origin, genetic data, and even neural data (information from measuring nervous system activity).

Third-party considerations

Your risk assessments must also evaluate third-party vendors and service providers. If you use fintech companies for mobile apps, payment processing, or other services, you're responsible for ensuring they comply with CCPA requirements and aren't using consumer data without proper consent or opt-out mechanisms. 

Compliance Deadline: December 31, 2027, with first reports due to the CPPA by April 1, 2028. 

Related tools: Ncyber delivers a cybersecurity platform for measuring institutional risk exposure, while Nrisk provides risk assessment templates for CCPA, as well as other privacy and cybersecurity areas, that simplify third-party oversight and provide other actionable insights. 

3. Automated Decision-Making Technology (ADMT) rules

FIs should pay particular attention to new rules around automated decision-making technology (ADMT). ADMT refers to systems that use personal information to replace or significantly replicate human decision-making. 

If you use ADMT for significant decisions, such as providing or denying financial services, you must:  

• Provide pre-use notices explaining how the system works
• Give customers the right to access ADMT information
• Offer the right to opt out of ADMT in many cases
• Provide appeal rights through qualified human reviewers 

Human involvement requires reviewers who can interpret the technology's output, analyze it, and have actual authority to change decisions, not just rubber-stamp them. 

Compliance Deadline: January 1, 2027

Related: 7 Fair Lending Risks Every FI Needs to Know 

CPRA regulations compliance: Action steps for FIs

Don't wait until the compliance deadlines approach. The implementation process can take several months to over a year, especially when third-party vendors, IT system updates, and policy revisions are involved. 

Immediate action items to prepare for California privacy rules 

• Review current practices: Compare your privacy policies, cybersecurity audit processes, and risk assessment procedures against the new requirements.  
• Identify compliance gaps: Find weaknesses in cybersecurity audit report content and documentation standards.  
• Update your frameworks: Revise cybersecurity audit processes and risk assessment templates to meet the new standards.  
• Map your ADMT systems: Identify where you use automated decision-making for loans, account access, or fraud detection.  
• Assess third-party relationships: Review contracts with fintech providers, mobile app developers, and other vendors to ensure they can support CCPA compliance requirements.  
• Update consumer notices: Ensure website privacy policies, account opening disclosures, and marketing materials include required CCPA opt-out language and consent mechanisms.  
• Train your team: Educate staff on new requirements, especially those handling customer service, marketing, and data management. 

Timeline considerations

• Start planning now, even though deadlines range from 2027-2030.  
• Factor in time for vendor negotiations, system testing, and policy approvals.  
• Consider whether you need new technology solutions or consultant expertise.  

Looking ahead: The future of privacy regulations

As California leads on privacy regulations, other states may adopt similar requirements. Building robust privacy and data governance practices now can help position your FI for future regulatory changes nationwide. 

Want to learn how Ncomply can help you stay ahead of regulatory changes and streamline your manual processes?