Regulatory Influencer: From Deregulation to Data Discipline - California’s Expanding Influence in a Deregulatory Environment

January 5, 2026
In September 2025, the California Privacy Protection Agency (CPPA) finalized regulations to further strengthen the California Consumer Privacy Act (CCPA), the country’s most comprehensive and stringent state-level privacy law. Once effective, the new regulations will require businesses to conduct regular cybersecurity audits and risk assessments, and provide consumers with transparency and opt-out features for automated decision-making technology (ADMT).

California’s move comes at a pivotal moment, as federal agencies continue to roll back supervision, terminate enforcement actions begun under the Biden administration, and reopen previously finalized rules, including the rule implementing Section 1033 of the Dodd-Frank Act.

As federal oversight stalls and technology continues to evolve, state regulators are increasingly shaping the next phase of financial and technological governance. In the absence of a federal framework and a steady retreat from supervision by the executive branch, states with strong consumer protection traditions, like California, are setting more stringent regulatory measures and effectively establishing de facto national standards.

California is not just regulating California; it is shaping emerging national standards for privacy, data governance, cybersecurity, and AI-driven decisioning. Financial institutions should view these moves not as isolated state action, but as the opening signal of a broader shift in how the US regulatory framework is being shaped.

The bigger picture

Recent federal actions have weakened or reversed the prior administration’s efforts to regulate privacy and data protection in financial services. The Consumer Financial Protection Bureau (CFPB) attempted to vacate its rule implementing Section 1033 of the Dodd-Frank Act, which expanded consumer control over financial data and restricted third-party use of that data. In August 2025, the CFPB reopened the Section 1033 rulemaking, and the rule’s status remains uncertain. Rolling back or diluting protections like these leaves consumers more vulnerable and gives states an incentive to step up their own enforcement activity.

The United States lacks a single, comprehensive data privacy or cybersecurity law, relying instead on a patchwork of state and sector-specific requirements. A handful of federal laws govern particular aspects of data protection and cybersecurity in the financial sector, but gaps in coverage remain. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to maintain reasonable safeguards for consumer data collected while providing a financial service, but its breach reporting and broader data governance requirements are limited, and it offers no guidance on automated decision-making.

This, coupled with the current administration’s explicit orders to deregulate at the federal level and its shift of enforcement responsibility toward the states, empowers states to follow California’s lead, formulate stronger consumer protection laws, and enforce them consistently.

The CCPA provides a carve-out for data already covered by the GLBA, but banks subject to the CCPA must still comply with it for other types of information, including personal information collected through general advertising and marketing, personal information gathered from third-party vendors, and personal information obtained for miscellaneous commercial purposes. Further, banks that use ADMT to assess credit eligibility or qualify consumers for personalized financial products must conspicuously notify California consumers and provide meaningful opt-out mechanisms.

Businesses are subject to the CCPA if they do business in California and meet any one of the following:

  • Have an annual gross revenue exceeding $25m.
  • Buy, sell, or share the personal information of 100,000 or more California residents or households.
  • Derive 50 percent or more of their annual revenue from selling consumers’ personal information.

By strengthening its privacy regulations to require cybersecurity audits, risk assessments, and ADMT safeguards, California is signaling to other states that it will lead on setting the privacy framework if the federal government will not establish a comprehensive privacy law.

The result is a widening gap between federal and state consumer protection laws, creating an environment where federal rollbacks do not reduce regulatory burden but rather increase compliance, operational, and legal exposure.

Why should you care?

California’s size, economic clout, and regulatory policy give it influence over national trends, a phenomenon known as the “California Effect,” in which regulatory standards shift toward consumer-first priorities. Since the introduction of the CPPA, several other states, including Virginia, Colorado, and Florida, have passed their own privacy laws and become more active in state-level privacy efforts.

In April 2025, eight states joined the CPPA in the Consortium of Privacy Regulators, a bipartisan effort to share expertise and resources and to coordinate investigations of potential violations of applicable laws. Although this may produce a more consistent approach among regulators, banks that operate or have customers in multiple states still face a complex patchwork of compliance obligations, because each state’s law imposes its own requirements.

Although no new state privacy frameworks were enacted in 2025, nine states amended their existing privacy laws. For example, Connecticut’s Senate Bill 1295 expanded the law’s coverage, gave consumers more rights over their personal information, and added AI-related provisions. Montana’s Senate Bill 297 broadened the attorney general’s enforcement powers and removed the cure period that previously allowed a violator to remedy a violation and avoid enforcement action.

Given these recent updates in California and other states, and with data privacy remaining a priority for consumers, banks can expect more states to pass privacy laws and existing laws to keep evolving, driven by California’s emphasis on stronger cybersecurity requirements on one side and the federal government’s push for innovation in financial services on the other.

State attorneys general have discretionary authority to enforce state-level consumer protection laws, and may do so by launching lengthy investigations and costly civil lawsuits. In California, there are almost 100 open CCPA cases against financial services providers, second only to the healthcare industry, making financial services one of California’s top enforcement priorities. Litigation is expensive, and fines for CCPA violations are substantial.

In addition, consumers are well aware that they trade their personal data for the use of popular financial products and services every day, and they consider the level of care their data receives when choosing whom to bank or invest with. If they believe their information is being mishandled, they will take their business elsewhere.

California has shifted from being a progressive exception to shaping the expectations that will continue to define privacy laws going forward.

Next steps

Financial services providers covered by the CCPA should prepare to comply with the new regulations, and those that are not bound by the CCPA should examine their current data governance procedures, as states are likely to follow California’s consumer-first lead.

The CPPA regulations require any business “whose processing of consumers’ personal information presents significant risk to consumers’ privacy” to conduct a risk assessment. For processing activities already underway, initial assessments are due by December 31, 2027. The risk assessment must involve the relevant stakeholders in the specific processing activity and must produce a report that the financial institution maintains. Banks that ingest and store large amounts of personal information, such as full legal names, Social Security numbers, and customer account passwords, will need to include the following in their risk assessments:

  • Their reasons for processing consumers’ personal information.
  • The categories of personal information being processed, including any categories of sensitive personal information.
  • The operational elements of their processing, including data collection and use methods, data retention plans, the disclosures they plan to make to consumers about the processing of their personal information, and how they may use ADMT to make significant decisions.
  • The benefits and negative impacts for consumers associated with the processing.
  • Safeguarding practices that the bank plans to implement with regards to personal information processing.

Banks subject to the CCPA must notify consumers when using ADMT to make “significant decisions” and allow consumers to opt out of such processing, unless an exemption applies. The regulations define a significant decision as a “decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.” By January 1, 2027, banks using ADMT for significant decisions must do the following:

  • Conduct a risk assessment.
  • Provide a pre-use notice to customers about the bank’s use of ADMT for a significant decision.
  • Provide an opt-out option to California customers.
  • Allow customers to request access to information about the bank’s use of ADMT, including how ADMT is used in decision-making.
  • Provide California customers with the ability to appeal the results of ADMT.

Banks subject to the CCPA must conduct independent annual cybersecurity audits covering the core components of their cybersecurity programs if their processing presents a “significant risk” to the security of California customers’ personal information. All audit records must be retained for at least five years. The audit must be conducted using recognized auditing standards and must include the following:

  • A description of the bank’s existing cybersecurity program, assessing the specific factors laid out by the CPPA.
  • Gaps and weaknesses in the bank’s policies and procedures, along with plans to address them.
  • The qualified individual(s) responsible for the bank’s cybersecurity program.

Lastly, annual audit requirements will be phased in based on the revenue of the bank:

  • April 1, 2028: Businesses with more than $100m in 2026 revenue.
  • April 1, 2029: Businesses with $50m to $100m in 2027 revenue.
  • April 1, 2030: Businesses with less than $50m in 2028 revenue.

Conclusion

California’s privacy laws are not just state laws but an emerging framework for data protection law in the US. Banks subject to the CCPA should take early steps to meet California’s new data governance requirements, and banks not covered by the law would be wise to match these standards to keep up with competitors and to prepare for other states to adopt California-style approaches to consumer data protection.

Even amid a relaxed federal data governance outlook, compliance with California’s new standards positions financial services providers to stay ahead of an evolving patchwork of state regulations, remain competitive, and stand out as trustworthy institutions that put consumers first.

Banks can avoid compliance missteps and build customer trust by proactively complying with California’s new consumer protection regulations and by fortifying their existing data protection and cybersecurity programs in anticipation of further state action.
