California Continues to Set the Privacy Standard
California's consumer privacy framework has always operated ahead of federal standards — and 2026 brings a new wave of requirements that tighten the obligations financial institutions face when handling California residents' data. Several significant changes took effect January 1, 2026, with additional requirements activating throughout the year. Understanding what these changes mean for the GLBA exemption — and where that exemption does not apply — is essential for lending institutions serving California consumers.
The most consequential changes for financial institutions in 2026: a new 30-day breach notification standard under SB 446, the launch of the DELETE Request and Opt-Out Platform (DROP) for consumer data deletion requests, and continued regulatory enforcement activity that is testing the boundaries of the GLBA exemption in ways that affect even purely commercial lenders.
Lenders using LASER's COMPLY pillar have compliance documentation built directly into their Salesforce workflows. Schedule a Compliance Discussion to assess your California privacy posture against the 2026 requirements.
The GLBA Exemption: Narrower Than Many Assume
The CCPA/CPRA provides an exemption for personal information collected and used by financial institutions in a manner subject to GLBA. Many lending institutions interpret this exemption broadly — as covering the institution rather than specific information categories. That interpretation overstates the exemption's scope.
The exemption covers the specific personal information that is collected and used subject to GLBA's framework. It does not cover all personal information that a financial institution collects:
| Data Category | GLBA Exemption Status |
|---|---|
| Loan application data, credit reports, financial history | Covered — exempt from CCPA/CPRA |
| Website visitor analytics, cookie data, behavioral tracking | Not covered — CCPA/CPRA applies |
| Employee personal information | Not covered — California employee privacy protections apply |
| Marketing data for non-customers | Not covered — depends on collection context |
| Data shared with data brokers or marketing partners | May not be covered — sharing context determines |
The practical implication: even lenders whose core lending operations are GLBA-governed have California privacy obligations they cannot fully satisfy through GLBA compliance alone. Any data collection that occurs outside the GLBA-governed lending relationship — website analytics, marketing programs, employment records — remains subject to CCPA/CPRA.
SB 446: The New 30-Day Breach Notification Standard
Effective January 1, 2026, SB 446 replaced California's vague "expediently" breach notification standard with a specific timeline:
- 30 days from discovery of the breach to notify affected California residents
- 15 days from individual notification to notify the California Attorney General, if 500 or more California residents are affected, with a sample of the individual notice
This 30-day timeline creates a parallel notification requirement alongside the FTC Safeguards Rule's 30-day FTC notification requirement for breaches affecting 500 or more customers. For California-serving financial institutions, these parallel timelines create a coordinated incident response obligation: both federal (FTC) and state (California AG) notifications may be required within 30 days of discovery.
Incident response plans that have not been updated to reflect the California SB 446 timeline are incomplete for institutions serving California consumers.
The DROP Platform: A New Data Deletion Mechanism
California launched the Delete Request and Opt-Out Platform (DROP) on January 1, 2026. The DROP provides consumers a centralized mechanism to request data deletion from registered data brokers — replacing the process of submitting individual deletion requests to each data broker.
For financial institutions, the key question is whether their data sharing practices bring them within the DROP's data broker definition. Entities that sell or share personal information with third parties — including credit bureaus, data aggregators, marketing data providers, and analytics partners — may have DROP registration and compliance obligations.
DROP compliance timeline:
- January 1, 2026: DROP platform launched; initial registration requirements for data brokers
- August 1, 2026: Data brokers must begin processing consumer deletion requests submitted through the DROP platform, acting on each request within 90 days
- Ongoing: Data brokers must access the DROP platform every 45 days to download updated deletion request lists
Non-compliance carries fines of $200 per day per violation plus enforcement costs — and the California Privacy Protection Agency (now also known as CalPrivacy) has signaled that data broker enforcement is a priority in 2026.
What "Business Purpose" Actually Means Under Current Law
The concept of "business purpose" in California privacy law defines one of the key pathways for lawful data processing — and its scope is narrower than the term implies. A business purpose must be:
- Specified in the privacy notice or service provider contract
- Reasonably necessary and proportionate to the disclosed purpose
- Compatible with the context in which the personal information was collected
- Not for the benefit of the business receiving the data outside the direct service relationship
For financial institutions, this means that data collected from consumers in the lending context — for purposes of evaluating a loan application, verifying identity, or assessing creditworthiness — can be used for those purposes under the business purpose framework. Using that same data for marketing analytics, selling it to third-party data brokers, or profiling consumers for purposes outside the original collection context requires a separate legal basis or consent.
The narrowing of business purpose interpretation through 2025-2026 CalPrivacy enforcement has made clear that financial institutions cannot rely on broad, vague business purpose language to justify data uses that consumers would not reasonably expect given the context of collection.
Building Compliant Data Practices for the 2026 California Framework
The practical compliance requirements for financial institutions serving California consumers in 2026:
Privacy notice accuracy. Notices must accurately reflect current data collection, use, and sharing practices — including any analytics, marketing, or third-party sharing that occurs outside the GLBA-governed lending relationship.
Incident response plan updates. Plans must reflect SB 446's 30-day consumer notification requirement and 15-day AG notification requirement, alongside the FTC Safeguards Rule's 30-day FTC notification requirement.
DROP registration assessment. Evaluate whether data sharing practices bring the institution within the DROP's data broker definition, and register if required before the August 2026 compliance deadline.
Data mapping. Maintain a current map of what personal information is collected, through what channels, used for what purposes, and shared with which third parties — the foundation of any defensible California privacy compliance program.
What This Means for Your Institution
California's privacy framework in 2026 is not a marginal addition to existing compliance programs — it is a substantive set of obligations that interact with GLBA, FCRA, and the FTC Safeguards Rule in ways that require careful, category-specific analysis. The GLBA exemption is real and meaningful for core lending data, but it does not cover the full scope of data that financial institutions typically collect from California consumers.
Institutions that have mapped their data practices against the 2026 California requirements — rather than assuming full GLBA coverage — are positioned to manage this compliance landscape with the same confidence they bring to their federal regulatory obligations.
Schedule a Compliance Discussion to assess your institution's California privacy compliance posture against the 2026 requirements — including the GLBA exemption scope, SB 446 breach notification, and DROP platform obligations.
