CCPA and CPRA Compliance for Private Lenders: A 2025 Guide to California Privacy Law

California’s privacy laws have fundamentally reshaped how businesses collect, use, and share personal data. For private lenders, understanding the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), is not optional. Noncompliance can result in significant financial penalties, reputational damage, and costly litigation. This guide provides private lenders with a comprehensive overview of their obligations under California privacy law as it stands in 2025.

The Evolution of California Privacy Law

The CCPA took effect on January 1, 2020, establishing the most comprehensive state-level privacy framework in the nation. The law was the result of a ballot initiative championed by real estate developer Alastair Mactaggart, who spent millions of his own money gathering more than 600,000 signatures to bring a privacy referendum before California voters. The strong public support for the initiative prompted state legislators, technology companies, and privacy advocates to negotiate a legislative compromise that became the CCPA.

However, concerns that the CCPA did not go far enough led to a second ballot initiative, the California Privacy Rights Act (CPRA), which California voters approved in November 2020. The CPRA took full effect on January 1, 2023, and significantly expanded the rights of California residents while creating a new enforcement body, the California Privacy Protection Agency (CPPA). In 2025, the CPRA framework governs most privacy obligations for covered businesses.

Who Is Covered by California Privacy Law?

A business is subject to the CCPA/CPRA if it meets any one of three thresholds:

  • Annual gross revenue exceeds $25 million. This is the threshold most relevant to established private lenders and mortgage fund operators.
  • The business annually buys, sells, or shares the personal information of 100,000 or more California residents, households, or devices. The CPRA increased this threshold from the original 50,000 under the CCPA.
  • The business derives 50% or more of its annual revenue from selling or sharing California residents’ personal information.

Even if a business does not independently meet these thresholds, it may still be covered if it is controlled by or shares common branding with a covered business. Additionally, service providers that process personal information on behalf of covered businesses have specific obligations under the law.

The Four Pillars of Consumer Privacy Rights

California residents possess four core privacy rights under the CCPA/CPRA framework:

Right to Know

California residents can request that a business disclose the categories and specific pieces of personal information it has collected, the sources of that information, the business purposes for which it was collected, and the categories of third parties with whom it was shared or to whom it was sold. Businesses must be able to respond to these requests with data covering the prior 12 months.

Right to Delete

Consumers can direct a business to delete personal information that has been collected. The business must also notify its service providers and contractors to delete that information from their systems. However, if the personal information is necessary to continue providing a financial product or service, such as servicing an active loan, the business is not required to delete that information.

Right to Opt Out of Sale or Sharing

California residents can direct a business to stop selling or sharing their personal information with third parties. If a business sells personal data, it must post a conspicuous link on its website homepage using the words “Do Not Sell or Share My Personal Information.” The CPRA expanded this right to cover not just the sale of data but also the sharing of data for cross-context behavioral advertising.

Right to Non-Discrimination

A business cannot deny goods or services, charge different prices, or provide a different level of quality to consumers who exercise their privacy rights. However, a business may offer financial incentive programs, such as loyalty programs, provided that the value of the incentive is reasonably related to the value of the consumer data.

Categories of Protected Personal Information

The law identifies 11 broad categories of personal information, encompassing identifiers, financial data, biometric information, internet activity, geolocation data, professional or employment information, and more. For private lenders, the most relevant categories include:

  • Borrower names, addresses, Social Security numbers, and contact information
  • Financial account data, credit history, and loan application details
  • Information about guarantors, principals, and authorized signers
  • Employment and income verification data
  • Device identifiers and browsing data collected through websites and loan origination platforms

A covered lender must create comprehensive data inventories to identify what categories of personal information it collects, where that data is stored, who has access to it, and to whom it has been shared or sold.

The Gramm-Leach-Bliley Exemption: Critical for Consumer Lenders

One of the most important exemptions under the CCPA/CPRA for the lending industry is the Gramm-Leach-Bliley Act (GLBA) exemption. Personal information that is already subject to the GLBA Federal Privacy Rule is exempt from the CCPA/CPRA.

The GLBA protects personal information collected from consumers who apply for or obtain consumer-purpose financial products or services from a financial institution. This includes all personal information collected during the origination, servicing, modification, or foreclosure of a consumer-purpose mortgage loan.

For lenders who originate both consumer and business-purpose loans, this creates a dual compliance obligation. Consumer loan data is governed primarily by the GLBA, while business-purpose loan data falls under the CCPA/CPRA.

Compliance Requirements for Private Lenders

Notices and Disclosures

Covered businesses must provide several categories of notices to California residents:

  • Collection Notice: Before collecting personal information, you must inform the individual of the categories of data being collected and the purposes for which it will be used. For a loan originator taking an application over the phone, this notice must be provided before any information is gathered.
  • Privacy Policy: A detailed California-specific privacy policy must be posted on your website, disclosing all four consumer rights, the categories of information collected and shared during the prior 12 months, and the categories of third parties to whom data was disclosed.
  • Opt-Out Notice: If your business sells or shares personal information, the opt-out page and notice must be prominently linked from your homepage.

Responding to Consumer Requests

When a California resident submits a request to know, delete, or opt out, the business must provide at least two methods for submitting the request (typically a web form and a toll-free phone number). Specific response timelines apply:

  • Acknowledgment: Within 10 business days of receiving the request
  • Substantive response: Within 45 calendar days, with a possible 45-day extension if necessary
  • Opt-out compliance: Within 15 business days

Businesses are not required to respond to more than two requests to know or two requests to delete from the same consumer within a 12-month period.

Identity Verification

Before fulfilling a request to know or delete, the business must verify the identity of the person making the request. The verification standard depends on the type of request:

  • Request for categories of information: Match at least two data points with information already in your systems
  • Request for specific pieces of information: Match at least three data points and require a declaration under penalty of perjury
  • Request to delete: Verification standards vary based on the sensitivity of the data

Data Security Obligations

The CCPA/CPRA requires businesses to implement and maintain reasonable security procedures to protect personal information. Failure to maintain adequate security that results in a data breach is one of the few areas where California residents have a private right of action, meaning they can sue the business directly without waiting for the Attorney General or the CPPA to act.

Enforcement Landscape in 2025

The California Privacy Protection Agency (CPPA) now serves as the primary enforcement authority for the CPRA, with the California Attorney General retaining concurrent enforcement power. Civil penalties include:

  • Up to $2,500 for each unintentional violation
  • Up to $7,500 for each intentional violation or violation involving the data of minors

Given the volume of transactions and data points involved in lending operations, a lender with even a modest number of compliance failures could face substantial aggregate penalties.

Privacy Legislation Beyond California

California’s privacy framework has influenced similar legislation across the country. As of 2025, more than a dozen states have enacted comprehensive privacy laws, including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others. Private lenders operating in multiple states should evaluate their obligations under each applicable state privacy law, as requirements vary in scope, thresholds, and enforcement mechanisms.

Prepare Your Business for Ongoing Privacy Compliance

Privacy regulation is an evolving area of law, and the compliance burden on private lenders will only increase as more states adopt their own frameworks and existing laws are amended. Building a robust compliance program now, including data inventories, notice frameworks, request response procedures, and security protocols, positions your business to adapt efficiently as the regulatory landscape continues to shift.

Geraci LLP advises private lenders on CCPA/CPRA compliance, data privacy policies, and multi-state regulatory obligations. Our attorneys can help you assess whether your business is covered, identify gaps in your current compliance program, and implement the policies and procedures needed to meet your obligations under California and federal privacy law.

Geraci LLP | (949) 403-3488 | 90 Discovery, Irvine, CA 92618