
February 18, 2026 · 18 min read

The Essentials of FIPVCC Compliance

An overview of who is covered by California's FIPVCC, what must be reported, survey restrictions, privacy requirements, penalties, and practical compliance steps for 2026 filings.

FIPVCC · California diversity reporting · DFPI compliance · California fund diversity reporting · Fair Investment Practices by Venture Capital Companies Law

California's Fair Investment Practices by Venture Capital Companies Law represents one of the most significant regulatory shifts for venture capital firms in recent years. Originally enacted as Senate Bill 54 in 2023 and later amended by Senate Bill 164 in 2024, the law creates a comprehensive reporting regime that affects far more firms than many initially realize.

With the March 2026 registration deadline and April 2026 first filing deadline rapidly approaching, understanding the full scope of these requirements has become urgent for fund managers across the country.

Who Must Comply?

The law applies to what it terms "covered entities." An entity is covered only if all three criteria are met. First, an entity must qualify as a "venture capital company" under California Code of Regulations Section 260.204.9.

This definition is broader than many expect. A fund qualifies if it meets any one of three conditions: maintaining at least 50% of assets in venture capital investments during each annual period, qualifying as a "venture capital fund" under the Investment Advisers Act of 1940, or meeting the definition of a "venture capital operating company" under ERISA.

The practical implication is broad. If your fund typically takes board seats or observer rights in portfolio companies, you may meet the venture capital company definition regardless of your stated strategy.

Second, the entity must primarily engage in investing in or financing startup, early-stage, or emerging growth companies.

The law leaves these terms largely undefined. Fund managers should compare these terms to how their own strategies are described in offering documents and investor communications.

Third, and often most consequential, the entity must have a California nexus. The firm must meet at least one of four connections: headquartered in California, significant presence or operational office in the state, venture investments in California-based businesses, or soliciting/receiving investments from California residents.

The last two prongs can make national firms eligible. A single California resident investor or even a single California-based portfolio company can trigger coverage in many interpretations.

Coverage is assessed at the individual fund level, not adviser level. If you manage multiple funds, each vehicle requires its own coverage analysis.

Registration Requirements

By March 1, 2026, each covered entity must submit identifying and contact information to the California Department of Financial Protection and Innovation.

Required information includes the covered entity's name; the name, title, and email of a designated point of contact; and the entity's email address, phone, physical address, and website.

Information must stay current and be updated during annual filing cycles. As of mid-February 2026, the DFPI registration portal was still under development, with expectations that it would be available before the March deadline.

The Survey Process

Covered entities must use a DFPI standardized survey to collect demographics from founding team members of relevant portfolio companies.

A qualifying founding team member is either a founder who met the statutory ownership and contribution criteria, or someone designated as CEO or president.

The survey must gather eight required categories to the extent founders voluntarily provide them: gender identity, race, ethnicity, disability status, LGBTQ+ identification, veteran or disabled veteran status, California residency, and whether a respondent declined to answer.

Surveys can be sent only after executing an investment agreement and making the first transfer of funds so founders are not pressured by the fundraising process.

Disclosure requirements are strict: participation must be voluntary, no adverse action can follow a refusal, and reporting must be in aggregate only.

The law also prohibits any direct or indirect influence by covered entities or DFPI to coerce participation.

Annual Reporting Obligations

By April 1, 2026, covered firms must file annual reports for prior-year investments; the first filing covers 2025.

The annual report includes three components: aggregated founding-team demographics, diverse founding-team metrics, and investment-level reporting.

Aggregated demographics must be report-level only, with no way to re-link data to a specific founder.

The law defines a "diverse founding team member" across a broad set of protected identities and characteristics. A business is "primarily founded by diverse founding team members" only when more than half of its team responded and at least half of those respondents qualify.

The report also must include the number and total dollar value of investments in businesses meeting that diverse composition requirement and show those amounts as percentages.

Investment-level reporting requires the total amount invested in each 2025 portfolio company and principal place of business, regardless of survey completion rates.

The Privacy Challenge

FIPVCC creates a direct privacy paradox: firms need sensitive demographic data, but should not retain identifiable responses.

Simple tools often fail because they link identities to answers through metadata. For example, standard form tools and spreadsheets can preserve respondent identity in ways that conflict with anonymization goals.

Solo-founder companies add complexity because aggregate disclosure can still allow inference if data is not shielded.

Successful compliance requires clean separation of identity-bearing invitation systems from anonymized collection systems, immediate aggregation, and retention controls that preserve a long audit trail without personal linkage.
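The separation and immediate aggregation described above, as an added example that is not from the article or from any vendor's product: the invitation side holds emails, the collection side holds only hashes of unused single-use tokens plus running totals. The class names, the three-category subset, and the choice lists are assumptions made for illustration.

```python
import hashlib
import secrets
from collections import Counter

# Constructed subset of the survey categories, with constructed choice lists.
CHOICES = {
    "gender_identity": {"woman", "man", "nonbinary"},
    "veteran_status": {"yes", "no"},
    "california_resident": {"yes", "no"},
}

def token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class Collector:
    """Anonymized side: never receives an email or a company name."""
    def __init__(self):
        self.open_tokens = set()   # hashes of tokens not yet used
        self.totals = Counter()    # (category, value) -> count

    def register(self, hashed: str) -> None:
        self.open_tokens.add(hashed)

    def submit(self, token: str, answers: dict) -> bool:
        hashed = token_hash(token)
        if hashed not in self.open_tokens:
            return False           # forged or already-used token
        # Consume the token first: afterwards nothing ties it to the answers.
        self.open_tokens.discard(hashed)
        for category, allowed in CHOICES.items():
            value = answers.get(category)
            # Free text or a skipped question is counted as "declined",
            # so no respondent-supplied string is ever stored.
            self.totals[(category, value if value in allowed else "declined")] += 1
        return True                # the answers dict is not retained

class InvitationService:
    """Identity-bearing side: knows who was invited, never sees answers."""
    def __init__(self):
        self.invited = set()       # emails only, no token stored beside them

    def invite(self, email: str, collector: Collector) -> str:
        token = secrets.token_urlsafe(32)
        self.invited.add(email)
        collector.register(token_hash(token))
        return token               # sent to the founder, then forgotten here
```

The totals are still raw counts; the solo-founder inference problem mentioned above needs a separate control on top of them.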

Fees, Penalties, and Enforcement

A minimum filing fee of $175 applies per report, with possible adjustments for administrative costs.

If the annual report is late, firms receive notice and a 60-day cure period.

After the cure period expires, enforcement can include desist and refrain orders, recovery of attorney fees and investigative expenses, injunctive relief, and civil penalties up to $5,000 per day of non-compliance.

Penalties may be higher for reckless or knowing violations, and the statute allows discretion in calculating and adjusting penalty outcomes.

Given this exposure, firms should also consider reputational risk because filed reports become public documents.

Practical Steps for Compliance

Start with a coverage analysis for each fund, then confirm reporting structure: separate filings for each covered entity or consolidated filings where legally available through a control relationship.

Build a data process that captures required investment-level fields for 2025, including amount invested and principal place of business.

Establish founder identification and survey sequencing rules that match the legal timing limits and privacy architecture.

Use secure workflows for updates and annual process ownership so compliance is embedded before each reporting cycle, not improvised.

Monitor DFPI guidance, especially around undefined terms like significant presence, operational office, significant operations, and control.

Remaining Uncertainties

Key terms remain underdefined, including what constitutes significant presence, operational office, and significant operations. Jurisdictional questions also remain around minimal California contacts.

Because these are likely to be tested in practice, teams should proceed with compliance planning while tracking new DFPI guidance and legal updates.

Solving the Privacy Paradox

The core challenge is operational architecture, not paperwork: teams must gather required data without retaining identifiable founder-level records.

A purpose-built process should provide real-time aggregation, immediate handling controls, separate identity and response systems, solo-founder protections, and compliant retention for audits without identifying founders.

For teams needing this infrastructure, Comply with VCC is built specifically for this workflow and avoids forcing firms to become sensitive-data processors. Start your 2025 filing for automated compliance that is built for the law's privacy constraints at https://complywithvcc.com.