Navigating State Privacy Laws: What Every Private Lender Needs to Know


Private lenders operating across multiple states face an increasingly complex regulatory landscape when it comes to consumer data privacy. Without a unified federal privacy framework, individual states have stepped in to create their own data protection requirements, and the pace of new legislation continues to accelerate. Understanding which laws apply to your lending operations and what they demand is no longer optional — it is a core compliance obligation.

The Expanding Patchwork of State Privacy Legislation

The United States remains one of the few major economies without a comprehensive national privacy statute. In response, state legislatures have moved aggressively to fill the gap. As of 2025, more than a dozen states have enacted consumer privacy laws, with several additional states actively considering similar legislation.

While these laws share common themes — granting residents greater control over their personal information and imposing obligations on businesses that collect and use that data — they differ significantly in scope, thresholds, and specific requirements. California’s Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), remains the most expansive. However, states such as Colorado, Connecticut, Virginia, Texas, Oregon, Montana, and others have enacted their own versions, each with distinct compliance triggers.

Most of these statutes adopt terminology inspired by the European Union’s General Data Protection Regulation (GDPR). For example, the term “Controller” — referring to the entity that decides why and how personal data is processed — appears throughout many state laws. Private lenders who collect borrower information, process loan applications, or maintain customer records will generally qualify as Controllers under these frameworks.

Determining Whether Your Lending Operation Is Covered

The threshold question for any private lender is straightforward: does a particular state’s privacy law apply to my business? The answer depends on several factors that vary by jurisdiction.

Common Coverage Triggers

Most state privacy laws apply to businesses that meet one or more of the following criteria:

  • Revenue thresholds — Some states apply their law to businesses generating annual revenue above a specified amount (California’s threshold, for instance, covers businesses with gross revenues exceeding $25 million).
  • Data volume thresholds — Many states apply their law to businesses that process personal data of a certain number of state residents (commonly 100,000 or more consumers per year).
  • Data sale thresholds — Several states cover businesses that derive a specified percentage of revenue from selling personal data, or that process the data of a lower number of residents (often 25,000) while also selling that data.
  • Doing business in the state — Most laws require that the business either conduct business in the state or produce products or services targeted to residents of that state.

Practical Implications for Private Lenders

Many smaller private lending operations will fall below these coverage thresholds. However, lenders who operate nationally, maintain large borrower databases, or share customer data with third-party marketing partners should carefully evaluate their exposure under each state’s law. The trend is clear: coverage thresholds are becoming lower, and more states are joining the regulatory landscape every year.

Key Compliance Obligations for Covered Private Lenders

For private lenders that do meet a state’s coverage thresholds, these laws impose a range of operational requirements. Below are the most significant obligations that lending businesses should prepare to address.

Handling Sensitive Personal Data

State privacy laws introduce a heightened category of information known as “sensitive personal data.” This classification triggers stricter processing rules and may require explicit consumer consent before collection or use. Categories commonly designated as sensitive include:

  • Racial or ethnic origin
  • Physical or mental health diagnoses and conditions
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic and biometric identifiers
  • Data collected from known minors
  • Precise geolocation data
  • Religious beliefs
  • Government-issued identification numbers (Social Security numbers, passport numbers, driver’s license numbers)
  • Contents of private communications (applicable in California)

Private lenders routinely collect several of these data categories during the underwriting and loan origination process, making this a particularly relevant compliance area.

Consumer Rights Over Personal Data

One of the defining features of modern state privacy laws is the set of individual rights they grant to state residents. Covered private lenders must be prepared to receive and respond to consumer requests to:

  • Access their personal data held by the lender
  • Correct inaccurate personal data
  • Delete their personal data from the lender’s records
  • Obtain a portable copy of their data in a commonly used format
  • Opt out of the sale of their personal data, targeted advertising, or automated profiling

Each state sets its own timelines and procedural requirements for responding to these requests, and failing to comply can result in enforcement actions or penalties.

Restrictions on Targeted Advertising

State privacy laws have introduced specific regulations around “targeted advertising” and “cross-context behavioral advertising.” These provisions address the practice of displaying ads to consumers based on data gathered from their activity across multiple unaffiliated websites or platforms over time. Private lenders who engage in digital marketing — particularly retargeting campaigns or lookalike audience strategies — should review whether their advertising practices trigger these provisions.

Privacy Impact Assessments

Many state laws require businesses to conduct and document a formal privacy impact assessment before engaging in certain high-risk data processing activities. These assessments must weigh the benefits of the processing activity against the potential risks to consumers. Activities that typically trigger this requirement include:

  • Selling personal data to third parties
  • Processing personal data for targeted advertising purposes
  • Processing sensitive personal data

Some states also require that businesses obtain affirmative consumer consent before processing sensitive data categories.

Consumer Opt-Out Mechanisms

Every state privacy law provides residents with the right to opt out of at least one of the following activities:

  • Sale of their personal data
  • Use of their data for targeted advertising
  • Profiling based on their personal data
  • Use of voice or facial recognition technology

Several states — including California, Colorado, Connecticut, and Montana — go further by requiring covered businesses to recognize universal opt-out mechanisms. These are browser-level or platform-level signals (such as the Global Privacy Control) that communicate a consumer’s opt-out preference automatically, without requiring the consumer to submit individual requests to each business.

Privacy Policy and Disclosure Requirements

Covered private lenders must maintain clear, accessible privacy disclosures that include:

  • The categories of personal data collected and processed
  • The specific purposes for processing each category
  • Instructions for consumers to exercise their privacy rights
  • The categories of personal data shared with third parties
  • The identities or categories of third parties receiving shared data
  • Whether the business sells personal data and how consumers can opt out

Vendor and Service Provider Agreements

Private lenders who share borrower data with vendors, servicers, or technology platforms must ensure that their contracts with these service providers include specific data protection terms. Required contractual provisions typically address:

  • Detailed processing instructions and limitations on data use
  • The categories and types of data subject to processing
  • The duration and scope of processing rights
  • Obligations and rights of both the lender and the service provider
  • Cooperation requirements for audits and regulatory compliance
  • Confidentiality obligations binding on the service provider
  • Requirements for subcontractor compliance
  • Data return or deletion obligations upon contract termination

Data Security Standards

All state privacy laws require covered businesses to implement and maintain reasonable administrative, technical, and physical security measures to protect personal data. While “reasonable” is not uniformly defined, lenders should look to industry standards and frameworks — such as those published by NIST or reflected in existing financial services regulations — as benchmarks for compliance.

Building a Compliance Strategy for Your Lending Business

The proliferation of state privacy laws means that private lenders can no longer treat data privacy as an afterthought. A proactive compliance strategy should include:

1. Conducting a data inventory — Identify what personal data your business collects, where it is stored, who has access, and how it is used and shared.
2. Mapping applicable laws — Determine which state privacy laws apply to your operations based on where your borrowers reside and your business activities.
3. Updating privacy policies — Ensure your disclosures meet the requirements of every applicable state law.
4. Establishing consumer request procedures — Build workflows to receive, verify, and respond to access, correction, deletion, and opt-out requests within statutory deadlines.
5. Reviewing vendor contracts — Update agreements with service providers to include required data protection terms.
6. Training your team — Ensure that employees who handle borrower data understand their obligations under applicable privacy laws.

How Geraci LLP Can Help

Geraci LLP maintains detailed state-by-state summaries of privacy law requirements and can provide your lending business with a clear understanding of your compliance obligations. Our team works with private lenders nationwide to navigate these evolving regulations and implement practical, cost-effective compliance programs.

Whether you need a full privacy compliance assessment, assistance drafting or updating your privacy policies, or guidance on responding to consumer data requests, Geraci LLP is here to help. Contact us at (949) 403-3488 or visit us at 90 Discovery, Irvine, CA 92618 to discuss your privacy and compliance needs.
