Can Your Mortgage Company Meet California's Information Security Requirements?

Justin Kirsch | 16 min read

California financial institutions are the most heavily watched in the country on privacy and information security. In 2026 the regulatory layers stack four deep: federal Gramm-Leach-Bliley Act (GLBA), the California Financial Information Privacy Act (CalFIPA), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and Department of Financial Protection and Innovation (DFPI) supervision under the California Residential Mortgage Lending Act and California Financing Law. Each layer has its own scope, its own enforcer, and its own penalty schedule. None of them displaces the others.

The operational consequence is that a single piece of customer data may be governed by GLBA at one stage of its lifecycle, by CalFIPA when shared with affiliates, by CCPA when used in marketing or analytics, and by DFPI exam procedures throughout. If your privacy program treats these as separate compliance projects, you will spend more, document less, and still get cited. If you treat them as one operational stack that maps to a single Microsoft 365 tenant configuration, the work becomes manageable and the evidence becomes reusable.

This guide walks through what California now requires, which Microsoft 365 controls satisfy which obligations, and how to operationalize the program so that examiners and the California Privacy Protection Agency (CPPA) see the same compliance posture. The productivity gain is concrete: a properly configured tenant lets your team move faster on loans, member service, and audits because every record is already classified, retained, and discoverable.

$7,988
Maximum CCPA administrative fine per intentional violation, after the California Privacy Protection Agency's CPI adjustment effective January 1, 2025. Counted per consumer per violation, which is how a single non-compliant practice can scale into eight-figure exposure.
Source: California Privacy Protection Agency, CCPA Penalty Adjustment Notice, December 17, 2024 (cppa.ca.gov)

California's Layered Privacy and Security Stack

California did not consolidate its financial privacy and information security rules into one statute the way New York did with 23 NYCRR Part 500. Instead, the state layered new protections on top of existing federal and state law. Each layer brought its own enforcer, its own definitions, and its own remedies. For a community bank, credit union, or mortgage company doing business in California, the practical question is not which law applies. All of them do. The practical question is which data each one touches and which control in your Microsoft 365 tenant produces the evidence each one wants.

The federal floor is GLBA, codified in the Privacy Rule and the Safeguards Rule, which has governed financial institutions since 1999. GLBA requires initial and annual privacy notices, opt-out for certain disclosures to non-affiliated third parties, and a written information security program covering administrative, technical, and physical safeguards. The Federal Trade Commission's updated Safeguards Rule, in force since 2023, added explicit requirements for access controls, encryption, multi-factor authentication, qualified individual oversight, incident response, and risk assessments. If you are licensed by the DFPI under the California Residential Mortgage Lending Act, your GLBA obligations flow through both the FTC and DFPI supervisory channels.

The California overlay starts with CalFIPA, codified at Financial Code sections 4050 through 4060. CalFIPA does not replace GLBA. It tightens it. Where GLBA generally allows sharing of nonpublic personal information with an opt-out, CalFIPA requires affirmative opt-in for sharing with non-affiliated third parties and gives consumers an opt-out right for joint-marketing arrangements between financial institutions. Civil penalties run up to $2,500 per violation and $500,000 per incident for negligent disclosures, and double for violations that result in identity theft. The DFPI and the California Department of Insurance enforce CalFIPA inside their supervisory portfolios.

What Changed Operationally in 2026

Two things shifted the workload this year. First, the CPPA finalized a consolidated set of CCPA regulations effective January 1, 2026, that govern privacy notices, consumer-request handling, verification, consent standards, service-provider obligations, and cybersecurity audits and risk assessments for high-risk processing. Second, the Delete Act and its centralized Delete Request and Opt-Out Platform (DROP) became operational, with data brokers required to access DROP at least every 45 days starting August 1, 2026 and process consumer deletion requests within 90 days. Any non-GLBA data flow that resembles list brokering, lead aggregation, or behavioral marketing now has to be evaluated against the Delete Act independently of CCPA.

The third layer is the CCPA itself, as amended by CPRA. The California Attorney General and the CPPA share enforcement, with the CPPA holding administrative-fine authority and the Attorney General holding civil-penalty authority in court. Both can target the same conduct, and both apply CPI-adjusted penalty caps. As of January 1, 2025, those caps stand at up to $2,663 per violation and up to $7,988 per intentional violation or violations involving consumers under 16. The CCPA also carries a private right of action for data breaches involving non-encrypted personal information, with statutory damages between $107 and $799 per consumer per incident.

The fourth layer is DFPI cybersecurity supervision. California has not yet issued a prescriptive cybersecurity regulation comparable to NYDFS Part 500 for the full mortgage and consumer-finance sector. The closest analog is the Digital Financial Assets Law for licensed crypto firms. For mortgage lenders and brokers, DFPI's 48-hour cyber-incident reporting guidance and its broader safety-and-soundness exam authority under the California Consumer Financial Protection Law (CCFPL) carry the program-level expectations. DFPI examiners read GLBA, CalFIPA, and CCPA together when they scope an exam, and they expect your information security program to produce evidence aligned to all three.

| Regulatory Layer | Primary Enforcer | What It Covers | Penalty Ceiling |
|---|---|---|---|
| GLBA Privacy Rule and Safeguards Rule | FTC (non-bank), federal banking agencies, DFPI | Nonpublic personal information collected from consumers in connection with financial products and services | Per-violation civil penalties under FTC Act, supervisory actions |
| CalFIPA (Fin. Code 4050-4060) | DFPI, California Department of Insurance | Sharing of nonpublic personal information with non-affiliated third parties; opt-in required | $2,500 per violation, $500,000 per incident, doubled for identity theft |
| CCPA as amended by CPRA | California Attorney General, CPPA | Non-GLBA personal information, including HR data, B2B contacts, business-purpose accounts, marketing analytics, and online tracking | $2,663 per violation; $7,988 per intentional violation; $107-$799 per consumer per breach |
| Delete Act and DROP | CPPA | Data broker registration and consumer deletion requests through the state platform | Per-violation civil penalties with no cure period |
| DFPI Supervisory Expectations under CCFPL and CRMLA | DFPI | Information security program design, incident reporting (48-hour expectation), vendor management, exam findings | Supervisory orders, license actions, restitution |

Reading the table from left to right is how examiners think. They start with the layer, identify the enforcer, scope the data, and then calibrate the financial exposure. Your job is to make the same map work in reverse: start with the Microsoft 365 control, identify which data category it governs, and produce the evidence each enforcer asks for.

What Actually Applies to Banks, Credit Unions, and Mortgage Companies

The most common mistake is assuming GLBA exempts your institution from CCPA. It does not. California adopted a data-level exemption, not an entity-level exemption. That single design choice changes the compliance posture for every financial institution doing business in California.

The CCPA does not apply to personal information that is collected, processed, sold, or disclosed pursuant to GLBA or CalFIPA. That is the only carve-out, and it covers only the data that GLBA and CalFIPA already protect. Everything else your institution touches remains subject to CCPA. The CPRA's removal of the temporary HR and B2B exemptions made this even more consequential: employee records, job-applicant data, and vendor contact lists are now fully in scope.

Scenario

A California mortgage company buys leads from an online lead aggregator. The leads include name, email, estimated home value, and an inferred refinance score. The company stores the leads in HubSpot, dials them through a CRM-integrated power dialer, and the leads that close move into the loan origination system as borrower files.

Compliance Consequence

The borrower file is GLBA and CalFIPA territory. The lead in HubSpot is not, because no financial product or service has been provided yet. That lead data is full CCPA personal information. The aggregator that sold the lead may itself be a data broker under the Delete Act. The mortgage company owes a "Notice at Collection," a "Do Not Sell or Share My Personal Information" mechanism, and rights-handling procedures for the lead population, regardless of how compliant its loan-origination GLBA program is.

The same logic applies on the institutional side. Marketing analytics that uses cookies, pixels, session replay, or behavioral targeting against your website visitors is processing CCPA personal information whether or not those visitors are GLBA-protected customers. Lead-generation forms outside the GLBA boundary are CCPA-regulated. Employee benefits, payroll, recruiting data, and applicant tracking systems are CCPA-regulated. Business-purpose loan accounts where the borrower is a sole proprietor often slip out of GLBA's "consumer" definition and into CCPA's broader "consumer" definition.

Examiners and the CPPA will not split your tenant for you. They expect your information security program to handle all four layers and produce the evidence each one demands. The fastest way to do that is to push the work down into Microsoft 365 so the tenant becomes the system of record and the evidence repository at the same time.

Mapping Microsoft 365 to California Requirements

ABT manages Microsoft 365 tenants as a Tier-1 Microsoft Cloud Solution Provider, which means we administer the productivity and security stack on your behalf via delegated admin. The work that follows is what we configure and what your team gets to use. Microsoft hosts the underlying cloud infrastructure. We configure the tenant. Your team gets faster loan decisions, cleaner audits, and a single evidence repository.

The Microsoft 365 controls that map to California requirements concentrate in five Purview-family services and one set of Entra ID policies. None of them require leaving the productivity surface your team already uses. Email, documents, Teams chat, and SharePoint sites continue to behave the way they always did. What changes is what the tenant knows about each record, who can reach it, how long it lives, and how quickly you can produce it for a consumer request, an examiner, or a litigation hold.

Default Microsoft 365 Tenant

  • 90-day email retention. Default fails GLBA, CalFIPA, and DFPI retention expectations for financial records.
  • No sensitivity labels. Borrower files, loan documents, and HR records mix freely with general business documents.
  • No DLP policies. Social Security numbers and account numbers flow to personal email, consumer cloud storage, and unmanaged devices without resistance.
  • Audit logs at default retention. Microsoft 365 E3 logs are gone after 180 days, which is shorter than DFPI exam look-back windows.
  • Conditional Access in Report-Only mode. Multi-factor authentication is not enforced consistently across admin and remote access.
  • No CCPA request workflow. Right-to-know and right-to-delete requests have to be answered manually, with no defensible search of record.

California-Aligned Microsoft 365 Tenant

  • Retention policies sized to GLBA and DFPI requirements. Loan files, member communications, and email retained for the periods examiners expect, with legal hold available immediately.
  • Microsoft Purview sensitivity labels applied automatically. Borrower, member, employee, and California-resident data classified at creation and protected on export.
  • Purview Data Loss Prevention active in enforcement mode. SSNs, account numbers, and California-resident identifiers blocked at the boundary or auto-encrypted.
  • Purview Audit (Premium) with extended retention. One-year (or longer with add-on) audit retention covers DFPI exam windows and CCPA verification.
  • Microsoft Entra ID Conditional Access enforcing MFA in Grant mode. Admin, remote, and privileged sessions require phishing-resistant authentication.
  • Compliance Manager CCPA assessment template tracking improvement actions. Right-to-know and right-to-delete responses produced from eDiscovery in days, not weeks.

The right column is not aspirational. Every control listed is shipping today inside the standard Microsoft 365 SKUs that financial institutions already own. The choice is whether to configure them or to keep paying the operational cost of running an unconfigured tenant. Most California institutions we onboard discover that the tenant they have already pays for between 80 and 90 percent of what they need; the gap is in policy authorship, label taxonomy, and the operational rhythm that keeps the policies aligned to the regulatory layers. This connects closely to BYOD + AI: The Security Hole Your Mobile Policy Doesn't Cover.

[Figure: California regulatory stack mapped to Microsoft 365 Purview and Compliance Manager controls for GLBA, CalFIPA, CCPA, and DFPI]
Caption: The four California layers map to a single Microsoft 365 control set. Microsoft Purview Compliance Manager ties the obligations to the evidence the tenant produces.

Microsoft Purview Compliance Manager makes the regulatory map operational. Each statutory obligation in the California stack resolves to a Microsoft-managed control, a customer-managed control, or a shared control inside the tenant.

Tier-1 Cloud Solution Provider (CSP) ABT Partner Insight

Microsoft Purview Compliance Manager ships with a dedicated California Consumer Privacy Act assessment template. Each statutory obligation maps to a Microsoft-managed control, a customer-managed control, or a shared control, and each control resolves to one or more "improvement actions" that are executable inside the tenant. For California financial institutions, the productivity benefit is concrete: instead of building a spreadsheet inventory of CCPA controls and assigning them to teams manually, the assessment template generates the inventory automatically and tracks the score as the controls move from "Not Implemented" to "Implemented" to "Tested." Microsoft 365 Defender XDR, Microsoft Sentinel, and Microsoft Entra ID feed the same control set, so a single piece of evidence from Defender's audit trail can close out multiple CCPA improvement actions simultaneously.

Source: Microsoft Learn, Microsoft Purview Compliance Manager regulatory templates (learn.microsoft.com)

The point of the Compliance Manager template is to stop running CCPA, GLBA, and CalFIPA as separate compliance projects with separate spreadsheets and separate review meetings. The template aligns every California obligation to a Microsoft control, the control produces evidence in the tenant, and the same evidence satisfies the federal and state regulators that share scope. Examiners read this as a maturing security program. Your team experiences it as fewer interrupts.

For California mortgage shops in particular, the data-layer problem sits one step earlier than the tenant itself. Borrower information enters from the loan origination system, lead aggregators push CCPA-regulated records into marketing tools, servicing data flows back to investors, and every hop multiplies the places a California-resident identifier or a Social Security number can leak. ABT MortgageExchange is the custom interface layer that puts a clean, standardized data exchange between the LOS, the core banking system, and Microsoft 365, so the records that land in Exchange, SharePoint, and OneDrive are already tagged with the California-resident, customer-NPI, and HR sensitivity attributes that Microsoft Purview is configured to recognize. Once the data lands clean, Purview's auto-labeling rules apply the correct sensitivity classifications at creation, audit logs capture every read and modification under Purview Audit Premium, and DLP policies enforce California-aware controls on export without requiring loan officers, processors, or underwriters to change how they work day to day. The productivity payoff is concrete: cleaner loan files, faster decisions, fewer interrupts. The CalFIPA, CCPA, and DFPI evidence trail emerges as a byproduct of the same configuration.

Implementation Steps for a Compliant Tenant

The implementation pattern below is the sequence ABT uses on every California financial institution onboarding. It assumes you already hold Microsoft 365 Business Premium, E3, or E5, and a Compliance add-on for Purview Audit Premium and the full Information Protection feature set where required. If your institution is still on E1 or a license tier without Purview, the first step is the license uplift.

Step 01: Data Map and Classification Taxonomy

Before any control is configured, you need a defensible answer to "what data do we have, where is it, and which California layer governs it?" The data map separates GLBA/CalFIPA nonpublic personal information from CCPA-regulated personal information at the category level. Categories include borrower files, member account data, payroll, recruiting, vendor records, marketing analytics, lead-aggregator imports, and any AI-tool prompts and outputs.

The map becomes the input to the Microsoft Purview Information Protection label taxonomy. A practical first taxonomy for a California institution is six labels: Public, Internal, Confidential - Customer (GLBA/CalFIPA), Confidential - Employee (HR/CCPA), Highly Confidential - California Resident (CCPA-sensitive), and Highly Confidential - Privileged. Each label carries a default retention, encryption, and DLP behavior. Auto-labeling rules then assign labels based on the data the tenant detects.

Step 02: Retention Policies and Legal Hold

Retention is where California financial institutions most often fail their first examination after activating new policies. The default Exchange and SharePoint retention does not match GLBA, CalFIPA, or DFPI expectations. Configure Purview retention policies that hold mail and documents for the applicable statutory and supervisory period: typically seven years for loan files, five years for member communications under federal banking retention rules, and at least three years for marketing communications that may need to be produced for a CCPA right-to-know request. Apply a preservation (legal) hold immediately on receipt of any litigation or examination notice.

Step 03: Data Loss Prevention in Enforcement Mode

Move every California-relevant DLP policy out of "Test" or "Audit only" mode and into "Block with override" or "Block." Standard policies cover Social Security numbers, financial account numbers, driver's license numbers, and California resident identifiers. Each policy generates an evidence trail when it fires, and the evidence is what closes out improvement actions in Compliance Manager and what you produce to DFPI examiners. See also our breakdown of Guardian Security Insights.

Step 04: Conditional Access in Grant Mode

Microsoft Entra ID Conditional Access stays in Report-Only mode at far too many financial institutions. Switch every admin, privileged, remote-access, and high-risk policy into Grant mode with phishing-resistant authentication required. The Safeguards Rule's MFA requirement and the CCPA's "reasonable security" standard both expect enforced MFA. Report-Only mode does not satisfy either.

Step 05: Audit Premium and Sentinel Coverage

Microsoft Purview Audit Premium extends audit-log retention beyond the default and unlocks high-value events such as MailItemsAccessed and Search-Mailbox. For institutions facing both DFPI exam windows and potential CCPA verification, one-year retention is the practical minimum. Microsoft Sentinel, fed by the same audit telemetry, becomes the SIEM that produces the chronology DFPI's 48-hour incident report expects.

Step 06: Consumer Request Workflow Through eDiscovery

CCPA right-to-know and right-to-delete requests are operational events, not legal interrupts. Build the workflow in Microsoft Purview eDiscovery so that every request triggers a defined search against the labeled corpus, an export to the response package, and an audit trail showing the search query, the matched records, and the retention or deletion outcome. The eDiscovery export becomes the verification packet you produce if the CPPA asks how a specific request was handled.
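The six steps above as one PowerShell pass, written as an added example for this article for a hypothetical California lender; it is not ABT's or Microsoft's published tooling. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules and an account with Purview and Conditional Access administrator rights. Every policy name, the SharePoint site URL, the retention durations, the sensitive-information-type selection, and the consumer identity in the eDiscovery query are assumptions chosen for illustration; the authentication-strength id is Microsoft's built-in "Phishing-resistant MFA" strength and should be confirmed in the tenant before use.

```powershell
# Added example for this article (not ABT's or Microsoft's scripts): one pass
# through steps 01-06 for a hypothetical California lender. Requires the
# ExchangeOnlineManagement and Microsoft.Graph modules. All policy names, the
# site URL, durations, and the sensitive-information-type choices are assumptions.

Connect-IPPSSession   # Security & Compliance PowerShell (Microsoft Purview)

# 01: label taxonomy. One of the six labels from the text, published to all users.
New-Label -Name "Confidential-Customer" `
    -DisplayName "Confidential - Customer (GLBA/CalFIPA)" `
    -Tooltip "Nonpublic personal information of borrowers and members"
New-LabelPolicy -Name "CA-Label-Policy" -Labels "Confidential-Customer" -ExchangeLocation All

# Auto-labeling assigns the label at creation when the tenant detects an SSN.
# Auto-label policies start in simulation; switch to Enable after reviewing matches
# with Set-AutoSensitivityLabelPolicy -Identity "CA-AutoLabel-Customer" -Mode Enable.
New-AutoSensitivityLabelPolicy -Name "CA-AutoLabel-Customer" `
    -ApplySensitivityLabel "Confidential-Customer" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Name "CA-AutoLabel-SSN" -Policy "CA-AutoLabel-Customer" `
    -ContentContainsSensitiveInformation @{Name = "U.S. Social Security Number (SSN)"; minCount = "1"} `
    -Workload Exchange, SharePoint, OneDriveForBusiness

# 02: retention sized to the statutory period (seven years = 2555 days), counted
# from creation. Keep preserves content without deleting it, so a legal hold can
# be layered on top without conflict.
New-RetentionCompliancePolicy -Name "CA-LoanFiles-7y" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/LoanFiles" `
    -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Name "CA-LoanFiles-7y-Rule" -Policy "CA-LoanFiles-7y" `
    -RetentionDuration 2555 -RetentionComplianceAction Keep `
    -ExpirationDateOption CreationAgeInDays

# 03: DLP in enforcement mode (Mode Enable), not TestWithNotifications.
New-DlpCompliancePolicy -Name "CA-NPI-Boundary" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Mode Enable
# Block identifiers leaving the organization; a justified override is itself an
# audit record, which is the evidence Compliance Manager and examiners want.
New-DlpComplianceRule -Name "CA-NPI-Block-External" -Policy "CA-NPI-Boundary" `
    -ContentContainsSensitiveInformation @(
        @{Name = "U.S. Social Security Number (SSN)"; minCount = "1"},
        @{Name = "U.S. Driver's License Number";      minCount = "1"},
        @{Name = "Credit Card Number";                minCount = "1"}
    ) `
    -AccessScope NotInOrganization -BlockAccess $true `
    -NotifyUser Owner -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin

# 04: Conditional Access in Grant mode (state "enabled") requiring phishing-
# resistant MFA for Global Administrators. Built-in authentication-strength id
# shown; confirm it with Get-MgPolicyAuthenticationStrengthPolicy in your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"
$phishingResistant = "00000000-0000-0000-0000-000000000004"
$caPolicy = @{
    displayName = "CA-Admins-PhishingResistantMFA"
    state       = "enabled"    # "enabledForReportingButNotEnforced" is Report-Only
    conditions  = @{
        users          = @{ includeRoles = @("62e90394-69f5-4237-9190-012177145e10") }  # Global Administrator
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistant }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# 05: audit retention covering a 12-month exam window (requires Audit Premium).
New-UnifiedAuditLogRetentionPolicy -Name "CA-Exam-Window-12m" `
    -RecordTypes ExchangeItem, SharePoint, AzureActiveDirectoryStsLogon `
    -RetentionDuration TwelveMonths -Priority 10

# 06: a CCPA right-to-know request as an eDiscovery case; the search query and
# export are the audit trail the CPPA may ask for. Request id and identity are constructed.
$req = "CCPA-RTK-2026-0001"
New-ComplianceCase -Name $req -Description "CCPA right-to-know request"
New-ComplianceSearch -Name "$req-Search" -Case $req `
    -ExchangeLocation All -SharePointLocation All `
    -ContentMatchQuery '"jane.doe@example.com" OR "Jane Doe"'
Start-ComplianceSearch -Identity "$req-Search"
# Once Get-ComplianceSearch reports Status Completed, export the response package:
New-ComplianceSearchAction -SearchName "$req-Search" -Export
```

Run it against a test tenant first: the retention rule and DLP rule take effect as soon as they are created, and the Conditional Access policy is enforced immediately for the targeted role, so an administrator without a phishing-resistant credential registered would be locked out. The order also matters operationally: the label exists before the auto-label policy references it, and the DLP policy exists before its rule.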

Audit Preparation and Evidence Collection

Both DFPI examinations and CPPA enforcement inquiries operate on the same principle: the burden is on the institution to demonstrate that controls were designed, implemented, tested, and operating throughout the period under review. The institutions that pass their first California exam after activating new policies are the ones that built the evidence pipeline into the tenant from day one, not the ones that tried to reconstruct the evidence after the request arrived.

The evidence pipeline has three parts. First, the operating evidence: Compliance Manager improvement-action history, Purview policy assignment reports, DLP and label match counts, Conditional Access sign-in logs filtered by policy, and the eDiscovery case archive. Second, the design evidence: written policies, board approval minutes, risk assessments, and the data map. Third, the testing evidence: tabletop exercises, red-team or vulnerability-scan reports, vendor SOC 2 Type II reports on file for material vendors including Microsoft, and the annual GLBA risk assessment.

  • Compliance Manager California assessment exported.

    Pull the current and trailing-period scorecards for the CCPA assessment template plus any state-specific templates active in the tenant.

  • Purview sensitivity label deployment report.

    Demonstrates that the label taxonomy is applied across Exchange, SharePoint, OneDrive, and Teams, with auto-labeling rules in production.

  • DLP policy match summary.

    Twelve-month rolling view of DLP matches by policy, with evidence that high-severity matches are reviewed within the SLA defined in the incident-response plan.

  • Entra ID Conditional Access policy export.

    Document state (Grant vs. Report-Only), targeted user populations, conditions evaluated, and the most recent change-control approval.

  • Purview Audit retention configuration.

    Proof of Audit Premium (or equivalent retention add-on), retention period set, and audit-search availability for the full exam window.

  • eDiscovery case log for CCPA consumer requests.

    Closed-case ledger showing request type, search scope, result count, verification method, response sent date, and any disputes raised.

What examiners and CPPA investigators look for is not perfection. They look for a program that is designed, operating, and self-aware. A clean Compliance Manager score with rising improvement-action coverage tells the same story to both audiences. A disorganized binder of screenshots tells a different story to both.

Examiners read your information security program through the evidence it produces, not the policy that promises to produce it. Microsoft 365 makes that distinction collapse if the tenant is configured to be the system of record. Our guide to Zero Trust's Blind Spot goes deeper on this.

Ongoing Governance That Survives Examinations

The institutions that struggle with California compliance are not the ones that fail to deploy controls. They are the ones that deploy controls, drift away from them, and discover the drift when the examination notice arrives. Governance is what stops the drift. Microsoft 365 makes the governance loop cheap because the same telemetry that proves operation also triggers the alerts that catch drift.

  • Quarterly Compliance Manager review. Score, improvement-action additions, action ownership, and aging-out actions reviewed at the same cadence as the federal compliance committee meeting.
  • Monthly DLP and label match review. Trend analysis on what categories of data are leaking, where, and to whom. Used to refine policy thresholds before a real incident.
  • Semi-annual Conditional Access policy attestation. Board-level confirmation that admin and remote-access MFA stays in Grant mode and that no policy has been weakened for operational convenience.
  • Annual GLBA risk assessment refresh. Updated to reflect new fintech partnerships, new AI tools, new vendor SOC 2 reports, and any change in California regulatory expectations.
  • Continuous incident drill against the 48-hour DFPI reporting window. Tabletop exercise at least twice a year, with Microsoft 365 Defender XDR and Sentinel telemetry as the source of truth for the incident chronology.
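
The evidence items listed under "Audit Preparation and Evidence Collection" and the drift checks in the governance loop above draw on the same tenant telemetry, so one read-only script covers both. The block below is an added example written for this article, not ABT's tooling: it exports each evidence item to a dated folder and flags the drift the quarterly and monthly reviews are meant to catch (DLP policies left in a test mode, Conditional Access policies not in Grant mode, audit retention shorter than the exam window). The export path, the CCPA case-naming convention, and the 30-day match window are assumptions.

```powershell
# Added example (not ABT's tooling): read-only evidence export plus drift check.
# Requires ExchangeOnlineManagement and Microsoft.Graph modules. The export
# path, the "CCPA-*" case-naming convention, and the 30-day window are assumed.

Connect-IPPSSession
Connect-MgGraph -Scopes "Policy.Read.All"

$evidence = "C:\Evidence\$(Get-Date -Format yyyyMMdd)"   # assumed export location
New-Item -ItemType Directory -Path $evidence -Force | Out-Null
$findings = @()

# 1. DLP policy match summary input: any policy not in Enable mode enforces nothing.
$dlp = Get-DlpCompliancePolicy
$dlp | Select-Object Name, Mode, Enabled, WhenChanged |
    Export-Csv "$evidence\dlp-policies.csv" -NoTypeInformation
foreach ($p in $dlp | Where-Object { $_.Mode -ne 'Enable' }) {
    $findings += "DLP policy '$($p.Name)' is in mode '$($p.Mode)', not Enable"
}

# 2. Conditional Access export: anything not 'enabled' is Report-Only or off.
$ca = Get-MgIdentityConditionalAccessPolicy -All
$ca | Select-Object DisplayName, State, ModifiedDateTime |
    Export-Csv "$evidence\conditional-access.csv" -NoTypeInformation
foreach ($p in $ca | Where-Object { $_.State -ne 'enabled' }) {
    $findings += "Conditional Access policy '$($p.DisplayName)' state is '$($p.State)'"
}

# 3. Audit retention: ingestion must be on and at least one policy must hold
#    twelve months or longer to cover the exam window.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings += "Unified audit log ingestion is disabled"
}
$auditPolicies = Get-UnifiedAuditLogRetentionPolicy
$auditPolicies | Select-Object Name, RecordTypes, RetentionDuration, Priority |
    Export-Csv "$evidence\audit-retention.csv" -NoTypeInformation
if (-not ($auditPolicies | Where-Object { $_.RetentionDuration -in 'TwelveMonths', 'TenYears' })) {
    $findings += "No audit retention policy covers a 12-month exam window"
}

# 4. Retention policy and sensitivity label deployment reports as point-in-time files.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, ExchangeLocation, SharePointLocation |
    Export-Csv "$evidence\retention-policies.csv" -NoTypeInformation
Get-Label | Select-Object Name, DisplayName, ContentType, Priority |
    Export-Csv "$evidence\sensitivity-labels.csv" -NoTypeInformation

# 5. eDiscovery case ledger for CCPA consumer requests.
Get-ComplianceCase | Where-Object { $_.Name -like 'CCPA-*' } |
    Select-Object Name, Status, CreatedDateTime, ClosedDateTime, ClosedBy |
    Export-Csv "$evidence\ccpa-cases.csv" -NoTypeInformation

# 6. Trailing-30-day DLP rule matches, the raw input to the monthly match review.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations DlpRuleMatch -ResultSize 5000 |
    Export-Csv "$evidence\dlp-matches-30d.csv" -NoTypeInformation

# The findings list is the drift report; an empty file is the attestation.
$findings | Set-Content "$evidence\drift-findings.txt"
$findings
```

Scheduling this at the monthly cadence and keeping each dated folder gives the trailing-period scorecards the evidence list asks for without a screenshot binder, and the drift-findings file is what the semi-annual Conditional Access attestation can be signed against. Compliance Manager scores are not exposed through these cmdlets, so that item is still exported from the Purview portal.
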

The Bottom Line

California's privacy and information security stack is the densest in the country. The institutions that meet it without burning operational hours are the ones that pushed the work into a properly configured Microsoft 365 tenant, used Microsoft Purview Compliance Manager as the operating system for the program, and let the tenant produce the evidence for every layer at once. The license you already pay for does most of this work. The question is whether your tenant is configured to do it.

For California mortgage shops that want the whole stack delivered as a single operating model rather than as a configuration project, ABT pairs M365 Guardian with a dedicated Calyx PointCentral environment in Azure. M365 Guardian is ABT's productized operating model that layers California-tuned Conditional Access, Purview retention and sensitivity-label policies, DLP enforcement, Audit Premium, and Microsoft Sentinel telemetry on top of the standard Microsoft 365 tenant we manage as a Tier-1 CSP. Calyx PointCentral is the loan origination platform we host on Azure for mortgage shops that want their LOS, their tenant, and their compliance evidence operated by one partner under one set of controls. The combination gives a California mortgage company a single technology stack where the LOS, the productivity tools, the security layer, and the audit evidence are configured against the same CalFIPA, CCPA, GLBA, and DFPI obligations from day one. Your team gets the productivity unlock. Examiners and the CPPA get the evidence on demand. ABT operates the rest.

Get California-aligned Microsoft 365 from a Tier-1 CSP

ABT manages Microsoft 365 tenants for more than 750 financial institutions, including dozens across California, and hosts Calyx PointCentral on Azure for mortgage shops that want LOS and M365 Guardian operated by one partner. We configure Purview, Compliance Manager, Conditional Access, and DLP against the layered California stack so your team produces evidence by default, not by exception. Start with a no-cost assessment.

Frequently Asked Questions

No. California adopted a data-level exemption, not an entity-level exemption. CCPA does not apply to personal information already covered by GLBA or CalFIPA, but it does apply to every other category your institution touches: employee records, job-applicant data, vendor B2B contacts, business-purpose accounts associated with individuals, marketing analytics, lead-generation data, and website tracking. The CCPA private right of action for data breaches also applies regardless of GLBA coverage.

The California Privacy Protection Agency's CPI adjustment effective January 1, 2025 set CCPA administrative fines at up to $2,663 per violation and up to $7,988 per intentional violation or violations involving consumers under 16. Civil penalties sought by the California Attorney General use the same caps. Statutory damages in private actions for data breaches range from $107 to $799 per consumer per incident. These figures remain operative in 2026 until the next CPI adjustment.

Not yet for the full mortgage and consumer-finance sector. California's most Part 500-like framework lives in the Digital Financial Assets Law for licensed crypto firms. For state-licensed mortgage lenders and brokers, the Department of Financial Protection and Innovation supervises information security through a combination of federal GLBA Safeguards Rule obligations, CalFIPA, CCPA reasonable-security requirements, and DFPI's 48-hour cyber-incident reporting expectation under its California Consumer Financial Protection Law authority. Expect the gap to narrow as the CPPA's cybersecurity-audit and risk-assessment regulations mature.

The core control set comes from Microsoft Purview and Microsoft Entra ID. Microsoft Purview Information Protection provides sensitivity labels and auto-labeling for California-resident and customer financial data. Microsoft Purview Data Loss Prevention blocks or encrypts SSNs, account numbers, and other California-regulated identifiers at the boundary. Microsoft Purview Audit Premium extends audit-log retention to cover DFPI exam windows. Microsoft Purview eDiscovery handles CCPA right-to-know and right-to-delete requests through a defensible search workflow. Microsoft Entra ID Conditional Access enforces phishing-resistant multi-factor authentication for admins, remote access, and privileged sessions. Microsoft Purview Compliance Manager ties every control to a regulatory obligation through its dedicated CCPA assessment template.

Any business that knowingly collects and sells personal information about consumers with whom it does not have a direct relationship can qualify as a data broker under the Delete Act. Traditional direct-customer mortgage origination does not, but secondary uses such as selling lead lists, buying enriched lead data, or operating an affiliate that monetizes non-GLBA data can. Registered data brokers must access the state Delete Request and Opt-Out Platform (DROP) at least every 45 days starting August 1, 2026 and process consumer deletion requests within 90 days. The Delete Act provides no cure period before enforcement, which is stricter than the original CCPA enforcement model.

Expect three categories. Operating evidence: Microsoft Purview Compliance Manager scorecards, sensitivity-label deployment reports, DLP policy match summaries, Conditional Access policy exports with the user populations and conditions, audit-log retention configuration, and the eDiscovery case ledger for consumer requests. Design evidence: written information security policies, board approval minutes, the data map separating GLBA/CalFIPA data from CCPA data, and risk assessments. Testing evidence: tabletop exercise reports, vulnerability scans and penetration test results, current SOC 2 Type II reports on file for material vendors including Microsoft, and the annual GLBA risk-assessment refresh.

Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has worked with banks, credit unions, and mortgage companies on information security and regulatory compliance since 1999. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he helps more than 750 banks, credit unions, and mortgage companies operate Microsoft 365 in ways that satisfy GLBA, CalFIPA, CCPA, and DFPI expectations through a single configured tenant.