How to Not Invade Privacy and Still Comply With California's VCC Reporting Requirements
January 8, 2026

A practical approach for venture firms to meet California FIP-VCC reporting duties while avoiding person-level data collection and reducing privacy risk.
California's Fair Investment Practices by Venture Capital Companies law requires annual demographic reporting, but it also requires that survey data be collected and reported in a way that does not associate responses with an individual founder. That means compliance and privacy are not competing goals. They are both legal and operational requirements.
What the law requires, in plain language
If your firm is a covered entity, you need to file annually with the DFPI and report:
- Aggregate demographic results for founding teams of companies funded in the prior calendar year.
- The number and percentage of investments in businesses primarily founded by diverse founding team members.
- Investment amount and principal place of business for each funded business.
You also need to:
- Use a survey that includes a decline-to-state option for each question.
- Make participation voluntary with no adverse action for non-participation.
- Send the survey only after investment agreement execution and first transfer of funds.
The privacy-first operating model
A privacy-first model for VCC compliance is straightforward:
- Do not store founder-level response records.
- Store only aggregate counters needed for filing.
- Track invite redemption state without storing sensitive answers.
- Keep request logging and analytics clean so sensitive payloads are never persisted.
This design reduces legal and reputational risk while still producing complete filing outputs.
Data you should store vs data you should avoid
Store
- Company-level filing fields (investment amount, principal place of business).
- Aggregate category counts for required demographics.
- Invite status (issued/redeemed/expired) and reporting-year context.
Avoid storing
- Raw founder answers tied to any individual.
- Free-text demographic notes.
- Any table shape that can reconstruct a person-level submission.
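One way to implement the aggregate-only model from the two sections above, as an added example that is not part of the original article or any product's code: redeeming an invite flips its status and bumps per-category counters in one transaction, and no row ever joins a token to an answer. The table names, question keys and categories are constructed placeholders, and `decline_to_state` is counted as its own bucket.

```python
import hashlib
import sqlite3
# Constructed placeholder questions and categories, not the statutory survey.
QUESTIONS = {
    "q_example_1": {"option_a", "option_b", "decline_to_state"},
    "q_example_2": {"option_x", "option_y", "decline_to_state"},
}
SCHEMA = """
CREATE TABLE invites (token_hash TEXT PRIMARY KEY, reporting_year INTEGER NOT NULL,
    status TEXT NOT NULL CHECK (status IN ('issued', 'redeemed', 'expired')));
CREATE TABLE aggregate_counts (reporting_year INTEGER, question TEXT, category TEXT,
    n INTEGER NOT NULL, PRIMARY KEY (reporting_year, question, category));
"""  # no respondent key, timestamp or free text: nothing joins a token to an answer

def token_digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def issue_invite(conn, token, year):
    with conn:
        conn.execute("INSERT INTO invites VALUES (?, ?, 'issued')", (token_digest(token), year))

def redeem(conn, token, answers):
    """Fold one submission into the counters; False means the invite is not redeemable."""
    if set(answers) != set(QUESTIONS) or any(answers[q] not in QUESTIONS[q] for q in answers):
        raise ValueError("invalid submission")  # message never echoes the answers
    h = token_digest(token)
    with conn:  # one transaction: the status flip and counter bumps commit together
        cur = conn.execute(
            "UPDATE invites SET status = 'redeemed' WHERE token_hash = ? AND status = 'issued'", (h,))
        if cur.rowcount != 1:
            return False  # unknown, expired or already redeemed
        year = conn.execute(
            "SELECT reporting_year FROM invites WHERE token_hash = ?", (h,)).fetchone()[0]
        for question, category in answers.items():
            conn.execute(
                "INSERT INTO aggregate_counts VALUES (?, ?, ?, 1) "
                "ON CONFLICT (reporting_year, question, category) DO UPDATE SET n = n + 1",
                (year, question, category))
    return True

def report(conn, year):
    rows = conn.execute(
        "SELECT question, category, n FROM aggregate_counts WHERE reporting_year = ?", (year,))
    return {(q, c): n for q, c, n in rows}
```

Counters alone can still expose an answer when only one founder in a reporting year has responded, so check the totals before sharing interim reports.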
Common mistakes that create privacy risk
- Using generic form tools that keep per-respondent records by default.
- Logging full request bodies on survey endpoints.
- Sending survey links too early in the deal lifecycle.
- Treating "decline to state" as missing data instead of a valid response bucket.
A quick internal compliance check
Ask your team this question: "Could we reconstruct one founder's answers from our system?" If yes, your architecture likely needs remediation before filing season.
Bottom line
You can comply with California VCC reporting requirements without invading founder privacy. The key is an aggregate-only process, strict telemetry hygiene, and clear workflow controls for when and how surveys are sent.
Informational only, not legal advice. For legal interpretation, consult counsel familiar with California Corporations Code Sections 27500-27506.