RiskTemplates · The Daily Brief Sunday, May 24, 2026


California ADMT Regulations: What Fintechs Using AI for Credit, Fraud, and Customer Profiling Must Document Now

The CPPA's automated decision-making technology rules are live. Fintechs using AI for lending decisions, fraud detection, or customer scoring face new risk assessment, notice, and opt-out obligations starting in 2026 and 2027. Here's what compliance teams need to do.

By Rebecca Leung · May 21, 2026

TL;DR

  • California’s CPPA finalized automated decision-making technology (ADMT) regulations that directly apply to fintechs using AI for credit decisions, fraud scoring, and customer profiling
  • Risk assessments before ADMT deployment are required starting January 1, 2026; pre-use consumer notices and opt-out rights take effect January 1, 2027
  • The GLBA exemption does NOT shield fintechs from ADMT obligations — only specific GLBA-covered data types are exempt, not financial institutions broadly
  • Credit and lending decisions are explicitly listed as “significant decisions” triggering the highest-obligation tier of the rules
  • California’s enforcement track record — $2.75M against Disney, $1.35M against Tractor Supply, $375K against Ford — shows the CPPA is active and willing to penalize consumer rights failures

The CFPB’s rollback of federal disparate impact standards got a lot of coverage. What’s getting less attention: California just quietly activated a parallel AI accountability framework that applies to the same credit and fraud models — through privacy law, not fair lending law.

The California Privacy Protection Agency’s automated decision-making technology (ADMT) regulations aren’t hypothetical. Risk assessment requirements kicked in January 1, 2026. Pre-use consumer notices and opt-out rights go live January 1, 2027. And the CPPA that issued $2.75 million in fines against Disney and $1.35 million against Tractor Supply last year isn’t shy about enforcement.

If your fintech uses any AI or algorithmic system to make lending decisions, assess credit risk, detect fraud, or profile customers for account management purposes, this applies to you — regardless of what’s happening at the federal level.

What ADMT Means and Why It Covers Your Models

The ADMT regulations apply to any system that uses personal information to make, or significantly contribute to, a decision that produces a legal or similarly significant effect on a consumer.

That definition is intentionally broad. It covers:

  • Automated credit scoring used in loan origination or limit setting
  • Fraud risk models that block transactions or restrict account access
  • Customer risk profiling used to determine product access, pricing, or account features
  • Behavioral analytics used to automatically suppress marketing or flag account review
  • Identity verification systems that deny account opening based on algorithmic matching

What matters is the decision’s effect on the consumer, not the sophistication of the model. A rules-based engine that denies a credit application is ADMT. A gradient-boosted fraud model that freezes a customer’s account is ADMT. An LLM that scores customer support tickets for escalation is ADMT if the output affects account status or product access.

The “Significant Decision” Tier

The ADMT rules establish different obligations depending on whether the use case involves a “significant decision” — a decision that produces a legal or similarly significant effect. California explicitly calls out the following as significant decision categories:

  • Financial and credit services
  • Insurance underwriting and pricing
  • Employment decisions
  • Housing and rental decisions
  • Health care and medical treatment
  • Access to educational programs

Credit and lending decisions are in the first category. If your underwriting model denies a loan, lowers a credit limit, triggers a rate increase, or places a customer in a different product tier, that’s a significant decision. If your fraud model blocks a transaction, restricts an account, or flags an account for manual review that results in a customer service denial, the CPPA’s position is that this falls within the significant-decisions framework.

The stakes are higher in this tier. Significant decisions trigger the pre-use notice obligation, the opt-out right, and the highest-scrutiny risk assessment standard.

The ADMT Compliance Timeline

Understanding what’s due when is the first practical question:

| Requirement | Effective Date | What’s Required |
|---|---|---|
| Risk assessments before ADMT deployment | January 1, 2026 | Document the purpose, data used, risks, safeguards, and benefits-vs-risks analysis before deploying or materially changing any ADMT system |
| Pre-use notices for significant decisions | January 1, 2027 | Before using ADMT for a credit/fraud/profiling decision, notify the consumer of the ADMT use, the decision type, data categories used, and how to opt out |
| Consumer opt-out rights for significant decisions | January 1, 2027 | Honor opt-out requests from consumers who don’t want their data processed by ADMT for significant decisions |
| Attestations and risk assessment summaries to CPPA | April 1, 2028 | Submit formal attestations of ADMT risk assessment compliance and summary materials to the CPPA; timeline varies by company revenue |

The January 1, 2026 risk assessment requirement is already past for most companies — if you haven’t documented risk assessments for your deployed AI systems, you’re already behind.

The Risk Assessment: What You Need to Document

Before deploying or materially updating an ADMT system, you must conduct and document a risk assessment covering:

1. Purpose and scope. What decision is the ADMT making or contributing to? Who are the consumers affected? What personal information is processed? What categories of data drive the decision?

2. Benefits and likely negative impacts. What consumer benefit does the ADMT provide? What are the likely negative effects — on accuracy, on fairness, on consumer autonomy, on specific population segments?

3. Safeguards. What controls exist to address identified risks? Human review protocols? Testing and validation cadences? Feedback mechanisms? Audit logs?

4. Benefits-versus-risks analysis. A documented conclusion that the benefits outweigh the identified risks, or that risks have been mitigated to an acceptable level.

The CPPA expects these to be documented and retained — not summarized in a slide deck and forgotten. Starting April 1, 2028, summaries must be submitted to the CPPA, which means your documentation must hold up to regulatory review.

For fintechs, this is a direct parallel to model risk management documentation under SR 11-7 / OCC Bulletin 2026-13 — but governed by privacy law, not banking regulation, and with a different enforcement mechanism.

The Pre-Use Notice: More Than a Privacy Policy Update

The pre-use notice requirement (effective January 1, 2027) is not satisfied by updating your privacy policy to mention that you use AI. The notice must be:

  • Given before the ADMT is used — not buried in an onboarding document consumers signed months earlier
  • Specific to the decision being made — what system, what decision, what data categories
  • Actionable — it must tell the consumer how to exercise their opt-out right

For a consumer applying for a loan, this means a pre-use notice at the point of application: “We use automated decision-making systems to evaluate your creditworthiness. These systems process [categories of data]. You have the right to opt out of automated processing. [Here’s how.]”

The practical challenge for fintechs: most consumer-facing flows are already built. Retrofitting a pre-use notice into a lending or fraud-clearance flow without disrupting the user experience — and without creating legal risk by drawing attention to algorithmic decisioning — is a product and legal design problem.

The Opt-Out Right and Its Exceptions

Beginning January 1, 2027, consumers have the right to opt out of ADMT for significant decisions. Businesses must honor those requests.

The regulations include several exceptions most fintechs will want to understand:

Exception 1: Service-necessary ADMT. If the ADMT is necessary to provide a requested product or service, the opt-out may not apply. If a consumer applies for an instant-approval loan, underwriting requires ADMT — there’s no manual equivalent at that speed. But the CPPA has been conservative in interpreting “necessary,” and this exception doesn’t give blanket cover to all ADMT.

Exception 2: Legal or regulatory obligations. ADMT used to comply with legal obligations — sanctions screening, AML transaction monitoring, identity verification for BSA compliance — likely falls outside the opt-out obligation. The consumer cannot opt out of fraud controls required by law.

Exception 3: Fraud prevention and security. Transaction monitoring and fraud prevention ADMT have some protection here, but the CPPA has not provided bright-line guidance on where fraud prevention ends and customer profiling begins. If your fraud model is also used to make product eligibility decisions, it may fall partially inside and partially outside the exception.

The practical implication: fintechs need to audit each ADMT use case against the exception criteria before building the opt-out workflow, because the scope of the obligation varies by use case.

The GLBA Exemption Doesn’t Protect You Here

The most common misconception among fintechs is that GLBA compliance provides a pass-through for California privacy obligations. It doesn’t.

California’s CCPA exempts specific data types regulated by GLBA — consumer financial information collected for regulated financial services purposes — from CCPA requirements. It does not exempt financial institutions as entities, and it does not exempt all data a financial institution processes.

What this means in practice:

  • Your loan application data (GLBA-covered) may be outside CCPA scope
  • Your mobile app behavioral data, device identifiers, and in-app analytics are not GLBA-covered
  • Data processed for marketing, product personalization, or customer profiling beyond the core financial transaction is not GLBA-covered
  • Data shared with third parties for non-financial purposes is often not GLBA-covered

A fraud model that scores transaction risk using real-time device behavior, location patterns, and app usage data is processing substantial non-GLBA data. A customer profiling system that determines which products to show a consumer falls outside GLBA’s scope.

Montana and Connecticut both narrowed the GLBA entity-level exemption in 2025, and California has consistently applied a data-level exemption. Fintechs relying on a blanket “we’re GLBA-regulated” answer are creating exposure.

What the CPPA Is Already Enforcing

The ADMT rules are new, but the enforcement agency behind them isn’t. The CPPA’s enforcement record across 2025 and early 2026 already includes $2.75 million in fines against Disney in February 2026 for failing to honor consumer opt-out requests across streaming platforms. It fined Tractor Supply $1.35 million in September 2025 — the agency’s largest penalty at the time — partly for failing to audit tracking technologies and to maintain service provider agreements. The CPPA’s formal Audits Division launched in February 2026 and can initiate reviews of any covered business without a consumer complaint.

The common thread in recent enforcement:

1. Consumer opt-out failures — adding any friction to the opt-out process, not recognizing Global Privacy Control (GPC) signals, or having different opt-out paths across products or channels. Ford paid $375,000 for requiring email verification before honoring an opt-out request.

2. Service provider contract gaps — failing to maintain written agreements restricting data processors from using consumer data for unauthorized purposes.

3. Failure to audit third-party technologies — not knowing what trackers and SDKs are running on consumer-facing platforms and what data they’re collecting.

All three patterns apply directly to fintechs. AI vendors, model providers, and data enrichment services are service providers under CCPA. The ADMT risk assessment requirement means you need to document what those vendors are doing with consumer data inside your models.

The So-What for Your Compliance Program

The ADMT regulations add a California-specific layer on top of your existing AI governance work. Here’s how they interact with what you’re probably already doing:

If you have a model risk management program (required under OCC Bulletin 2026-13 or existing federal guidance): your model inventory and pre-deployment validation process is the foundation for your ADMT risk assessments. Expand your MRM documentation templates to include the ADMT elements — purpose documentation, consumer impact analysis, safeguards narrative, benefits-risks conclusion.

If you have a CCPA compliance program: your data mapping should already identify which data flows are GLBA-exempt and which are not. Extend that mapping to tag ADMT-relevant data flows and flag which models are making significant decisions.

If you have an AI governance policy: add ADMT risk assessment to your pre-deployment checklist, and add the January 1, 2027 pre-use notice requirement to your product roadmap now — not three months before the deadline.

If you’re building new AI models: build the ADMT risk assessment into your SDLC gate requirements. The CPPA’s position is that the assessment must be completed before deployment, not after.

Action Checklist

| Task | Priority | Owner |
|---|---|---|
| Inventory all deployed ADMT systems — document which constitute “significant decisions” | Immediate (already overdue) | Privacy/Compliance |
| Complete risk assessments for deployed systems using post-January 1, 2026 standard | Immediate | Compliance + Model Risk |
| Review GLBA exemption scope for each AI use case — identify non-GLBA data in models | Immediate | Compliance + Legal |
| Map service provider agreements for AI vendors to ensure CCPA/ADMT contractual requirements | Q2 2026 | Procurement + Legal |
| Design pre-use notice UI/UX for significant-decision use cases | Q3 2026 for Jan 2027 deadline | Product + Legal |
| Map opt-out eligibility and exceptions by use case | Q3 2026 | Compliance + Legal |
| Update privacy policy to reflect ADMT use | Q3 2026 | Legal |
| Build ADMT attestation reporting process for April 2028 deadline | 2027 | Compliance |

What Comes Next: CalPrivacy’s Audits Division and ADMT Scrutiny

The CPPA stood up a formal Audits Division in February 2026, led by Chief Privacy Auditor Sabrina Boyson Ross. Unlike the enforcement division, which is complaint-driven, the Audits Division can initiate reviews of any covered business at any time based on sector risk or regulatory priority.

Among the CPPA’s publicly stated 2026 audit priorities: compliance with newly effective ADMT and risk assessment regulations. The CPPA has also named “use of consumer data in large language models” and “chatbot data practices” as priority themes.

The agency received 8,265 consumer complaints between July 2023 and September 2025 — roughly 150 per week. By early 2026, more than 100 investigations were open simultaneously. It’s an active enforcement agency, not a dormant one.
For fintechs that operate across multiple states, the ADMT regulations are part of a broader compliance picture: the state privacy consortium (now ten states including California, Colorado, Connecticut, Delaware, Indiana, New Jersey, Oregon, and others) coordinates enforcement priorities. A compliance failure that triggers CPPA scrutiny on opt-out handling can become a multistate investigation.

Building your ADMT compliance program now — before the January 2027 pre-use notice deadline — gives you time to do it thoughtfully rather than reactively. Retrofitting consumer-facing AI disclosures, opt-out workflows, and vendor contract revisions under a compliance deadline is the kind of thing that generates the service provider agreement gaps the CPPA is already fining companies for.

The federal regulatory floor for AI discrimination may have just dropped. The California floor is rising.

External resources: The CPPA published its final ADMT regulations at cppa.ca.gov; detailed compliance analysis is available from Lowenstein Sandler and Capco for teams that need deeper regulatory mapping to specific fintech use cases. The IAPP US State Privacy Legislation Tracker is the most reliable resource for tracking which state laws currently apply to your business.
The Data Privacy Compliance Kit includes a 19-state privacy law applicability matrix, CCPA/CPRA compliance documentation, privacy impact assessment templates, vendor data processing agreement checklist, and consumer rights request workflows — designed for financial services teams managing multi-state privacy compliance obligations.


FAQ

What is the California ADMT regulation and when does it take effect?

The California Privacy Protection Agency (CPPA) finalized regulations on automated decision-making technology (ADMT) — defined as any system using personal information to make or significantly contribute to decisions that produce legal or similarly significant effects on consumers. The ADMT rules phase in over multiple years: risk assessment requirements apply beginning January 1, 2026; pre-use notice and opt-out rights for significant decisions take effect January 1, 2027; and businesses must submit attestations and risk assessment summaries to the CPPA beginning April 1, 2028.

Does the GLBA exemption protect fintechs from California ADMT compliance?

No. California’s CCPA exempts specific data types regulated by GLBA — but it does not grant entity-level exemptions to financial institutions. A fintech that is GLBA-compliant still must comply with CCPA/ADMT rules for any data that isn’t covered by GLBA, including app usage data, behavioral data, marketing data, and non-financial consumer information. Fintechs using AI for credit decisions, fraud scoring, or customer profiling almost certainly process data outside the narrow GLBA exemption.

Which fintech use cases trigger ADMT compliance obligations?

Credit and lending decisions, insurance pricing, employment decisions, housing decisions, and healthcare decisions are explicitly listed as “significant decisions” under the ADMT rules. For fintechs specifically, this includes: underwriting and credit scoring, fraud risk scoring and transaction blocking, customer risk profiling used to determine account features or limits, and automated account closure or restriction decisions. Behavioral analytics used purely for marketing personalization may fall under a separate ADMT category with different requirements.

What is the pre-use notice requirement for significant decisions?

Beginning January 1, 2027, before using ADMT to make or significantly contribute to a significant decision about a consumer, a business must provide a pre-use notice that: (1) explains what ADMT is being used; (2) describes the decision being made and its likely consequences; (3) identifies categories of personal information used; and (4) tells consumers how to exercise their opt-out right. This notice must be provided before the ADMT is used — not buried in a general privacy policy.

Can consumers opt out of AI-based lending decisions?

Under the ADMT regulations (effective January 1, 2027), consumers have the right to opt out of ADMT used for significant decisions, including credit and lending decisions. Businesses must honor those requests unless a specific exception applies. Key exceptions include: where the ADMT is necessary for the business to provide a requested service (e.g., you can’t get a loan without underwriting), where human review would require the business to use personal information in a way the consumer doesn’t want, and certain fraud prevention contexts. Fintechs should consult counsel on which exceptions apply to their specific use cases.

What does the ADMT risk assessment need to cover?

ADMT risk assessments, required before deployment (January 1, 2026), must evaluate: the purpose of the ADMT system and the decision being automated; the personal information processed; the potential benefits and likely negative impacts on consumers; the safeguards in place to address those risks; and whether the risks are outweighed by the benefits. Risk assessments must be documented, retained, and available for CPPA review. Starting April 1, 2028, summaries must be submitted to the CPPA.
Author

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
