LASER Credit Access

CA Privacy 2026: Business Purpose Redefined

By LASER Credit Access Team
March 23, 2026
California Privacy Rights Act (CPRA) · Business Purpose Data Sharing · Automated Decision-Making Technology (ADMT) · Consumer Opt-Out Rights · Anti-Combining Rule

California's privacy landscape shifted significantly in 2026 with updated CPRA regulations that every lender handling consumer data needs to understand. The law now draws a clear line between legitimate operational data use and commercial data exploitation — and the consequences of misclassification are serious.

The definition of "business purpose" has narrowed considerably. Cross-context behavioral advertising is now prohibited as a business purpose and is classified as a "share" requiring consumer opt-out rights, while contextual advertising on current pages remains acceptable. Building consumer profiles, however, is not. For lenders already navigating a complex web of federal obligations, from FCRA compliance to FinCEN AML requirements, this adds another layer of scrutiny to how data is collected, used, and shared, making credit compliance intelligence more essential than ever.

A new "Contractor" category now sits alongside traditional Service Providers. Contractors must provide written certification confirming they understand CPRA restrictions. This is an additional compliance layer beyond standard Data Processing Addendums, and lenders must now account for it in every vendor relationship. It is especially relevant for institutions operating within embedded finance ecosystems, where the number of third-party data touchpoints lenders must manage has multiplied.

The most consequential change may be the anti-combining rule. Service providers are prohibited from combining personal information across different clients or sources, except for security, fraud detection, or explicitly authorized purposes. Violating this rule retroactively reclassifies the data transfer as a "Sale," triggering significant regulatory exposure. Institutions already managing FCRA compliance obligations around permissible purpose will immediately recognize how this mirrors the consumer protection logic embedded in federal credit law.

For lenders using Automated Decision-Making Technology — including AI for credit decisioning or risk assessment — 2026 brought new transparency and audit requirements. Institutions must now be able to explain how automated systems reach decisions and maintain contractual audit rights with their service providers. This directly affects how lenders document and defend their decisioning workflows, particularly where FinCEN AML requirements intersect with automated customer due diligence processes.

Staying compliant means reviewing vendor contracts, updating data processing agreements, and ensuring your decisioning infrastructure can withstand regulatory scrutiny. Lenders already familiar with the FTC Safeguards Rule will recognize the pattern: the Safeguards Rule, FCRA, FinCEN, and now CPRA are collectively raising the bar on data governance, and institutions that build structured, auditable compliance frameworks now will be far better positioned as requirements continue to tighten. LASER's COMPLY pillar is built to support exactly this kind of compliance, so lenders can operate with confidence as the regulatory landscape continues to evolve.


