Updated California data privacy laws expose fintech companies to costly compliance risks
- Key provisions of two major California data privacy laws — the California Delete Act and the California Consumer Privacy Act — begin taking effect in 2026, which could create new compliance challenges for fintech companies.
- Companies that process data from California consumers may soon be required to pass annual cybersecurity audits, conduct privacy risk assessments or address their use of automated decision-making technology to allow consumers the right to opt out.
- Consumers also now have the right to submit a single, one-stop-shop request to delete their data; registered data brokers must start accessing those requests on August 1, 2026, and promptly delete those consumers’ personal information from all data broker activities.
- Those that fail to comply with the new data privacy rules risk fines, penalties and other regulatory enforcement action beginning later in 2026.
The California Privacy Protection Agency recently handed down a $1.1 million fine to a company for violating elements of California data privacy law. More fines are likely to follow, especially after additional California data privacy enforcement mechanisms start kicking in this year.
Companies in industries like fintech that routinely handle sensitive consumer data should pay close attention to new implementing regulations for the California Delete Act and the California Consumer Privacy Act (CCPA). These regulations require companies that collect and process data from California residents to take prompt compliance action or risk escalating penalties.
What should you know about the California Delete Act?
The California Delete Act is an amendment to the California Data Broker Registry data privacy law that gives consumers the right to require data brokers to delete their personal data for use in data broker activities by submitting a single form rather than submitting individual requests to each data broker that could have their personal information. As of January 1, 2026, consumers can make this request via the California Privacy Protection Agency’s Delete Request and Opt-Out Platform (DROP).
- Oversight for the DROP platform has been given to the CalPrivacy agency that enforces CCPA.
- Businesses that engage in activities that are considered data brokerage have already been required to register as data brokers with the state for several years.
- But as of August 1, 2026, all registered data brokers will be required to access the DROP platform at least once every 45 days to apply any consumer requests to the data they maintain.
- Delete requests apply to data held by the data broker or an associated service provider or contractor.
Who is considered a data broker?
Traditional data brokers — firms that gather and sell consumer data to other businesses — are an obvious target for the Delete Act. But the rules may also apply to many businesses that fall outside that traditional definition of a data broker.
Under California law, a data broker means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. The tricky part is that under CCPA, a business can still be considered a data broker if it has a direct relationship with a consumer, but also sells personal information about the consumer that the business did not collect directly from the consumer.
In today’s digital landscape, certain business activities can unknowingly fall under data broker rules if they involve the transfer, licensing or exchange of personal data with other parties for monetary consideration. Digital marketing, advertising, web experience personalization, identity verification services and market research are all examples of business activities that should be reviewed to understand how personal data is shared between the parties involved.
What are the penalties for failing to comply with the Delete Act?
Enforcement of the Delete Act begins on August 1, 2026. Businesses need to begin processing DROP requests by this date or face fines of up to $200 per day for each individual deletion request they fail to address. Enforcement fines and penalties can also be triggered against organizations for failing to register as a data broker if their business activities are deemed to fall under the scope of the Data Broker Registry and Delete Act requirements.
Audit requirements begin on January 1, 2028
In addition to facing the possibility of $200 daily fines for noncompliance, businesses subject to the Delete Act will also need to undergo audits beginning on January 1, 2028. These audits will be conducted by a third-party auditor and must occur every three years to document ongoing compliance with the Delete Act.
The scope of these audits includes not only the data the business maintains, but also its process for applying delete requests to applicable vendors and contractors. This includes documenting how requests were handled and maintaining adequate audit records.
What should you know about the California Consumer Privacy Act?
CTOs, CIOs and compliance officers are already familiar with CCPA. This is a broad data privacy law that first took effect in 2020 and is similar to the European Union’s GDPR rules. The CCPA was amended by the California Privacy Rights Act (CPRA) to strengthen CCPA, address employee data and extend data privacy obligations to service providers.
The newest CCPA amendments have been finalized by California regulators who recently published new implementing regulations affecting areas like automated decision-making technology (ADMT), cybersecurity audits and privacy risk assessments. Some of these rules began kicking in on January 1, 2026, with additional key deadlines over the next few years.
Here’s what’s changed:
Consumers can opt out of automated decision-making technology (ADMT)
Under the CCPA, any technology that processes personal information and uses computation to replace or substantially replace human decision-making may fall under ADMT opt-out rules. These rules apply to situations that involve significant decisions about a consumer or their transactions.
Businesses that need to comply with the ADMT provisions will need to assess and document the risk of their data processing practices. For example, businesses that deploy automated decision-making technology must tell consumers, using a pre-use notice, about their ADMT practices and give them the opportunity to opt out. Businesses also need to be prepared to respond to consumers’ questions about how ADMT is used and the impact on outcomes or decisions that affect them.
This provision takes effect on January 1, 2027, and may be especially relevant for fintech companies as the industry is increasingly experimenting with ADMT. To comply with this requirement, you may have to create an alternative process for consumers who opt out, one that involves a human being in any decision-making.
High-risk businesses must perform privacy risk assessments
Businesses that engage in certain activities deemed significant privacy risks need to complete an annual privacy risk assessment and prepare a risk assessment report. Risky activities include processing sensitive personal information, using ADMT for significant decisions or using consumer data to extrapolate personality details about your customers. Risk assessment requirements also apply to processing personal information to train ADMT using various technologies.
Covered businesses needed to begin the risk assessment process on January 1, 2026, and deliver information about these assessments. For assessments conducted in 2026 and 2027, the report is due to the CCPA by April 1, 2028.
Certain businesses must pass annual cybersecurity audits
The CCPA now also includes an annual cybersecurity audit requirement that applies specifically to businesses that meet either of two particular thresholds:
- 50% or more of revenue from selling or sharing personal information
- Over $25 million in revenue while also processing the personal information of over 250,000 California consumers or households, or the sensitive information of over 50,000 California consumers or households
These audit requirements begin phasing in on April 1, 2028, for businesses with over $100 million in revenue, with a longer time frame for smaller companies. The results of each audit will be published.
Regulators also offered Gramm-Leach-Bliley Act clarifications fintech leaders should know
The CCPA provides that companies involved in financial services may be able to sidestep certain CCPA privacy provisions if they already comply with the Gramm-Leach-Bliley Act (GLBA). However, CCPA regulators have clarified that the exemption is a narrow and specific one. These exemptions are not triggered at the organization or entity level; they are data-driven and apply only to the covered data itself.
GLBA specifically governs privacy for financial data collected by financial institutions. In certain situations, fintech companies compliant with GLBA data privacy rules don’t also need to follow CCPA — but only with regard to that financial data. A common area cited in the clarifications is that GLBA exemptions do not apply to marketing, advertising, social media or website analytics practices.
Regulators have also clarified that even financial institutions governed by GLBA are still accountable for implementing and maintaining reasonable security to protect certain categories of personal information.
In other words, if your company collects any data other than personal financial data, you must still comply with CCPA even if you’re already GLBA-compliant.
What steps should fintech CTOs and CCOs take to help ensure compliance with both laws?
CTOs, CISOs, CCOs and other relevant leaders should carefully review the latest updates to both the California Delete Act and CCPA to find out if they need to take additional compliance action. However, even within the fintech space, specific compliance needs may vary.
- The first step is to assess if your business activities fall under the definitions of data brokerage. If they do, you need to be prepared to register as a data broker and update your business processes to apply consumer opt-outs. This includes building out the automated process to access the DROP platform every 45 days, starting on August 1, 2026, and preparing for annual Delete Act audits beginning in 2028.
- However, if any of the new CCPA rules apply to your business, you may also need to think more deeply about how your company handles ADMT, begin undertaking regular privacy risk assessments or institute stricter cybersecurity rules to get ready for a cybersecurity audit.
- If you’ve assumed that GLBA compliance means you don’t need to think about CCPA, you should also reassess that assumption in light of the new clarifications provided by regulators.
- Seek additional guidance from a third-party advisor with experience in regulatory compliance as well as the fintech industry to better understand your specific obligations under new data privacy rules and get help making sure you comply.
How Wipfli can help
We advise fintech companies on performance, risk and regulatory compliance, transactions and growth. Let’s talk about your goals and how we can help you achieve them.