CCPA/CPRA Guide for Banks & Financial Services

California's comprehensive consumer privacy framework — with CPRA's automated decision-making rules directly targeting AI in credit decisions.

What CCPA and CPRA Are

The California Consumer Privacy Act (CCPA), effective January 1, 2020, and its successor the California Privacy Rights Act (CPRA), effective January 1, 2023, represent the most comprehensive state-level privacy frameworks in the United States. For banks and financial institutions, CCPA/CPRA compliance is no longer optional. The California Privacy Protection Agency (CPPA), established by CPRA and fully operational as of 2023, now enforces these rules with escalating enforcement activity and fines exceeding $1.3 million in recent years. Understanding which requirements apply to your institution and which exemptions you can rely on is critical to avoiding costly violations.

The CCPA established baseline consumer privacy rights for California residents, including the right to know what personal information is collected, the right to delete it, and the right to opt out of the sale or sharing of that information. The CPRA built on this foundation in 2020 through a ballot initiative, expanding consumer rights significantly and creating an entirely new regulatory agency to enforce these rules. The CPRA also added critical provisions around automated decision-making technology (ADMT), profiling, and algorithmic processes. Both laws apply to any for-profit entity that collects the personal information of California residents and meets at least one threshold: annual gross revenues exceeding $25 million, buying, selling, or sharing personal information of 100,000 or more consumers or households, or deriving 50 percent or more of revenue from selling or sharing consumers' personal information.

The GLBA Exemption and Its Limits

Banks and other financial institutions regulated under the Gramm-Leach-Bliley Act (GLBA) have historically benefited from a broad exemption in the CCPA. This exemption excluded GLBA-regulated financial institutions from most CCPA requirements, provided they complied with GLBA's own privacy and security rules. However, the CPRA significantly narrowed this exemption. The "GLBA exemption" now applies only to the Financial Privacy Rule and the Safeguards Rule aspects of GLBA. This means that even large banks are no longer exempt from CPRA's newer provisions on automated decision-making technology, profiling, and certain other consumer rights. If your institution uses AI or algorithms to make decisions about consumers (credit decisions, pricing, product recommendations), the GLBA exemption likely does not protect you from CPRA obligations.

The narrowed GLBA exemption is a critical compliance issue. Many financial institutions have operated under the assumption that GLBA compliance equals CCPA/CPRA compliance. Under the CPRA, this is no longer true. You must evaluate whether your GLBA exemption truly covers your use of consumer data, especially when algorithms or AI are involved.

Key Consumer Rights Under CCPA/CPRA

The CCPA grants California residents five core rights. The right to know allows consumers to request what personal information you collect about them, the categories of sources, and how you use it. The right to delete enables consumers to request deletion of personal information you have collected from them, subject to limited exceptions. The right to opt out of sale or sharing of personal information allows consumers to opt out of any sale of their data and any sharing of their data with third parties for marketing or other commercial purposes. The right to correct inaccurate personal information is a CPRA addition, allowing consumers to correct their personal data. The right to limit use and disclosure allows consumers to restrict how you use their personal information, requiring you to use it only for disclosed purposes.

All of these rights have significant implications for banks. For example, a consumer could request deletion of their credit history data, though reasonable exceptions exist for legal compliance. A consumer could demand that you limit how you use their transaction data for marketing or AI model development. These requests must be honored within 45 days (or 90 days if you cannot easily verify the request). Failure to respond properly is itself a violation subject to statutory penalties.

Automated Decision-Making Technology and Profiling

The CPRA introduced groundbreaking rules around automated decision-making technology (ADMT) and consumer profiling. Businesses using ADMT to make decisions that produce legal, financial, or similarly significant effects on consumers must provide consumers the right to opt out of that automated decision-making. Consumers also have the right to request a manual review of any decision made by ADMT and the right to receive information about why an automated decision was made.

For banking, this provision is enormous. If your institution uses AI or machine learning to make credit decisions, set interest rates, determine eligibility for products, approve loans, or assign risk scores, that use of ADMT is now subject to CPRA requirements. You must inform customers of the fact that you are using ADMT, what data you are using, and the logic of the model. Consumers can opt out of automated decision-making and demand human review. You cannot simply rely on technical complexity to avoid explaining how your algorithms work. Effective January 1, 2027, businesses using ADMT to make significant decisions must fully comply with these CPRA provisions. The CPPA has already signaled that this area is a major enforcement priority.

Profiling is defined in CPRA as any automated processing of personal information to analyze, predict, or profile aspects of a person's personality, preferences, behavior, location, or movements. Profiling is closely related to ADMT but is broader. If you are analyzing customer data to predict creditworthiness, investment sophistication, likelihood of default, or propensity to purchase certain products, you are profiling. Consumers have rights regarding profiling, and the CPPA has indicated that machine learning models trained on customer data may constitute unlawful profiling under certain circumstances.

Interaction with Federal Financial Privacy Laws

The relationship between CCPA/CPRA and GLBA is nuanced. GLBA's Financial Privacy Rule allows you to share nonpublic personal information (NPI) with affiliates and, with consumer opt-out rights, with non-affiliated third parties. CCPA/CPRA imposes stricter rules on sharing and sale of personal information. In practice, activities permitted under GLBA may violate CPRA. For example, you might share customer data with a third-party data broker under GLBA (with appropriate notice), but CPRA could require a consumer opt-out for that exact sharing if it qualifies as a "sale" or "sharing" under CPRA. The stricter standard applies. Additionally, CPRA's definition of personal information is broader than GLBA's definition of NPI, so data not regulated under GLBA might still be regulated under CPRA.

Penalties and Enforcement

The CPPA enforces CCPA and CPRA violations, and the penalties are substantial. For unintentional violations, the CPPA may assess civil penalties of $2,500 per violation. For intentional violations, civil penalties jump to $7,500 per violation. Additionally, CPRA created a private right of action for data breaches. Consumers can sue directly for statutory damages between $100 and $750 per consumer per incident, and this can escalate quickly to class action exposure. Class actions have already begun settling for substantial sums. The CPPA has also shown it will investigate and fine companies across multiple states jointly, broadening enforcement reach. Recent CPPA actions include a $1.35 million fine against Tractor Supply Company for failing to maintain proper privacy notices and lacking effective opt-out mechanisms. The agency has indicated that enforcement will only accelerate as new CPRA provisions take effect.

The CPPA has also established a timeline for compliance with certain requirements. Compliance with cybersecurity audit obligations, risk assessments for ADMT, and ADMT consumer rights must be fully implemented by specific dates: April 1, 2028 (for entities with revenue over $100 million), April 1, 2029 (for those between $50 million and $100 million), or April 1, 2030 (for those under $50 million). These deadlines are firm.

Practical Compliance Steps for Banks

To comply with CCPA/CPRA, first conduct a comprehensive audit of the personal information you collect, process, and share. Identify all data sources, all uses (including internal analytics and AI training), and all third-party recipients. Second, map your GLBA practices against CPRA requirements and identify gaps. Third, evaluate whether you are using ADMT or profiling, and if so, determine what new CPRA rights you must provide to customers. Fourth, design mechanisms to honor consumer rights: the ability to access, delete, correct, opt out, and request manual review. Fifth, update your privacy notices to clearly disclose ADMT and profiling practices in plain language. Sixth, train your teams on CPRA obligations, especially customer service, marketing, and AI/data teams. Finally, establish an ongoing monitoring and update process, as CPPA guidance and enforcement actions continue to clarify requirements.

How Corvair Helps

Corvair helps financial institutions automate CCPA/CPRA compliance across customer data lifecycle management. Our platform identifies personal information in customer records, tracks data usage and sharing, and enables scaled consumer rights fulfillment (access, deletion, correction, opt-out). For institutions using AI or algorithms to make credit decisions, Corvair provides tools to document ADMT practices, assess disparate impact, and generate the explainability documentation required for both CPRA adverse action notices and ECOA compliance.
