The California Privacy Protection Agency (CPPA) has finalized sweeping new California Consumer Privacy Act (CCPA) regulations that will transform how financial institutions (FIs) manage consumer data. These California privacy rules go far beyond existing requirements, introducing mandatory cybersecurity audits, detailed risk assessments, and restrictions on automated decision-making technology (ADMT).
What does this mean for FIs and businesses operating in or with clients in California? It's time to start preparing for CPPA compliance requirements coming in 2027 and 2028.
Related: Laws vs. Regulations vs. Rules vs. Guidance: What Are the Differences?
The CCPA was signed into law as AB 375 and took effect in January 2020, giving Californians new rights to access, delete, and opt out of the sale of their data.
In 2020, voters approved the California Privacy Rights Act (CPRA) — also known as Proposition 24 — which expanded consumer rights, added safeguards for sensitive data, and established the California Privacy Protection Agency (CPPA) as an independent regulator. The CPRA went live in 2023, shifting enforcement from the Attorney General's office to the newly formed CPPA.
Since then, the CPPA has been steadily building out the regulatory framework. Its latest major rules package — finalized in July 2025 — requires cybersecurity audits, risk assessments, and restrictions on automated decision-making. These rules are now under review by the Office of Administrative Law and are expected to take effect beginning in 2026, with phased compliance deadlines stretching into 2027 and beyond.
| Acronym | Full Name | What It Is / Key Features |
|---|---|---|
| CCPA | California Consumer Privacy Act | Law passed in 2018, effective Jan. 2020. Gave Californians new rights to know, access, delete, and opt out of the sale of personal data. |
| CPRA | California Privacy Rights Act | Ballot initiative (Proposition 24) approved in 2020. Amends and strengthens the CCPA by expanding rights, adding safeguards for sensitive data, and creating the CPPA. |
| CPPA | California Privacy Protection Agency | Independent state agency created by the CPRA. Enforces California privacy laws, writes rules, conducts investigations, and oversees compliance. |
For FIs and other organizations handling California consumer data, the CCPA's rapid evolution signals an era of deeper governance, stricter oversight, and rising operational demands.
The new rules apply to "businesses" that:
Unlike many state privacy laws, the CCPA does not provide blanket exemptions for FIs. While the Gramm-Leach-Bliley Act (GLBA) exempts certain financial data covered under federal law, California takes a unique approach: it exempts specific data types but not the institutions themselves. This means FIs must comply with CCPA requirements for any consumer data processing that goes beyond traditional financial records.
Bottom line: If you serve California customers, market to California residents, or do any business touching California consumers, these rules apply to you — even if you're based outside California.
Your institution will need comprehensive annual cybersecurity audits when processing consumers' personal information that presents a significant risk to their security. These audits cover a wide range of areas from multi-factor authentication to vendor management. The larger your institution, the sooner you should begin the audit preparation process:
Your institution is required to submit cybersecurity audit reports and annual compliance certifications to the CPPA and retain all related records for a minimum of five years.
Related: Best Practices for Tracking Audit & Exam Findings
When engaging in high-risk processing, selling or sharing personal information, or using automated systems, you'll need comprehensive risk assessment reports.
Sensitive personal information includes everything from Social Security numbers and financial account details to precise geolocation, racial/ethnic origin, genetic data, and even neural data (information from measuring nervous system activity).
Your risk assessments must also evaluate third-party vendors and service providers. If you use fintech companies for mobile apps, payment processing, or other services, you're responsible for ensuring they comply with CCPA requirements and aren't using consumer data without proper consent or opt-out mechanisms.
Compliance Deadline: December 31, 2027, with first reports due to the CPPA by April 1, 2028.
Related tools: Ncyber delivers a cybersecurity platform for measuring institutional risk exposure, while Nrisk provides risk assessment templates for CCPA, as well as other privacy and cybersecurity areas, that simplify third-party oversight and provide other actionable insights.
FIs should pay particular attention to new rules around automated decision-making technology (ADMT). ADMT refers to systems that use personal information to replace or significantly replicate human decision-making.
If you use ADMT for significant decisions, such as providing or denying financial services, you must:
Human involvement requires reviewers who can interpret the technology's output, analyze it, and have actual authority to change decisions, not just rubber-stamp them.
Compliance Deadline: January 1, 2027
Related: 7 Fair Lending Risks Every FI Needs to Know
Don't wait until the compliance deadlines approach. The implementation process can take several months to over a year, especially when third-party vendors, IT system updates, and policy revisions are involved.
As California leads on privacy regulations, other states may adopt similar requirements. Building robust privacy and data governance practices now can help position your FI for future regulatory changes nationwide.
Want to learn how Ncomply can help you stay ahead of regulatory changes and streamline your manual processes?