Understanding VCC Reporting: What the FIPVCC Actually Requires Firms to File

California's Fair Investment Practices by Venture Capital Companies Law — the FIPVCC — introduced an entirely new category of regulatory obligation for the venture capital industry. While a lot of attention has gone toward the question of whether a given firm is covered, far less has been written about the mechanics of what covered entities actually have to produce. VCC reporting is not a simple checkbox exercise. It involves multiple data streams, a specific sequencing of steps, strict privacy constraints, and public disclosure of the final output. This article walks through the full structure of what the FIPVCC requires firms to file, why the reporting process is more technically demanding than it first appears, and what needs to be in place before the April 1 deadline arrives.

The Two-Track Obligation

Every covered entity faces two distinct obligations that run in parallel. The first is registration with the California Department of Financial Protection and Innovation (DFPI), due by March 1, 2026. This is the administrative layer — submitting the covered entity's name, a designated point of contact, and basic contact information including email, phone, physical address, and website. This information must be kept current and updated at each subsequent annual filing. The registration portal was still under development as of mid-February 2026, though the DFPI has stated it will be available before the deadline. Covered entities can subscribe on the DFPI website to receive email updates when it goes live.

The second obligation is the annual report itself, due April 1, 2026, covering all venture capital investments made during the 2025 calendar year. These two tracks are separate but linked — a covered entity must be registered before it can file, and registration information is refreshed with each annual submission. Missing either deadline triggers a 60-day cure window, but continued non-compliance beyond that period exposes the firm to enforcement action and civil penalties of up to $5,000 per day.

What the Annual Report Must Contain

The annual report is not a single data field — it is a structured document containing three categories of information, each sourced differently and subject to different rules.

Aggregated founder demographic data

The first and most complex component is demographic information about founding team members of every portfolio company in which the covered entity made a venture capital investment during the prior calendar year. The FIPVCC specifies eight demographic fields that must be collected and reported: gender identity (including nonbinary and gender-fluid identities), race, ethnicity, disability status, LGBTQ+ identification, veteran or disabled veteran status, California residency, and whether any founding team member declined to provide any of the above. Critically, this information must be reported at an aggregated level only. Individual responses may not be linked to specific founders in any portion of the report.

Diverse founder investment metrics

The second component requires firms to calculate and report what percentage of their total venture capital investments — both by number and by dollar amount — went to businesses primarily founded by diverse founding team members. This calculation must be presented in aggregate and broken down by each demographic category. A business qualifies as "primarily founded by diverse founding team members" when more than half of the founding team responded to the survey, and at least half of those respondents self-identify as belonging to one or more diverse categories. The diverse founding team member definition includes women, nonbinary individuals, racial and ethnic minorities (including Black, African American, Hispanic, Latino-Latina, Asian, Pacific Islander, Native American, Native Hawaiian, and Alaskan Native), disabled individuals, veterans, and LGBTQ+ individuals.

Investment-level data

The third component is per-company investment data: the total dollar amount invested in each portfolio company during the prior calendar year, and each company's principal place of business. Unlike the demographic components, this section is not optional or contingent on founder participation. Even if every founding team member in the entire portfolio declined to respond to the survey, the covered entity is still legally required to file a report that includes this investment-level information. There is no scenario in which a covered entity with any 2025 investments is exempt from filing.

The Survey Is the Foundation

The demographic data included in the report can only come from one place: the DFPI's standardized Venture Capital Demographic Data Survey, which the agency has now published on its VCC Reporting Program webpage. Covered entities cannot use their own forms, modify the standardized form, or collect demographic data through any other channel and apply it to the report. The survey is the sole permissible mechanism.

The timing rule around survey distribution matters significantly for firms still working through their post-closing workflows. The FIPVCC prohibits a covered entity from sending the survey to any founding team member until after the investment agreement has been fully executed and the first transfer of funds has been made. This post-closing requirement is not optional — it exists to prevent survey results from influencing investment decisions, which would undermine the law's design. For investments made in 2025 where the survey has not yet been sent, firms should move quickly given the April 1 filing deadline.

The Cooley law firm received direct confirmation from the DFPI that the standardized survey should be sent to all portfolio companies receiving funding from a covered entity — but the report submitted to DFPI covers only those investments that qualify as "venture capital investments" under the management rights definition. This means the survey net is intentionally broader than the reporting net. Firms should track both categories separately.

Who Counts as a Founding Team Member

Not every person associated with a portfolio company qualifies as a "founding team member" under the FIPVCC, and getting this definition right determines who receives a survey and whose responses count toward the report.

The law defines a founding team member as either: (1) a person who has been designated as the CEO or president of the business, or (2) a person who meets all three of the following conditions — they owned initial shares or similar ownership interests; they contributed to the concept, research, development, or work of the business before initial shares were issued; and they were not a passive investor. The two prongs operate independently. A CEO who joined the company after founding and never held initial shares still qualifies under the first prong. An early employee who received options but did not contribute pre-incorporation would not qualify under either.

The distinction matters because firms must identify every qualifying founding team member across every portfolio company that received a qualifying investment in the prior year. For companies with several cofounders, that can mean multiple survey recipients per company. For solo-founder companies, it means a single person — which creates a specific privacy challenge addressed further below.

The Anonymization Requirement and Its Technical Implications

The FIPVCC's anonymization requirements are where the reporting obligation becomes architecturally complex. The law prohibits covered entities from collecting or reporting survey data in any manner that associates a response with an identifiable founding team member. This applies throughout the entire data pipeline — from the moment a survey is sent to the moment the report is submitted to the DFPI.

This creates a technical paradox that many firms have not fully worked through. To send a survey, the firm needs to know who the founding team members are and how to reach them. But the system handling survey responses cannot be the same system that holds those identities, or it will have created an identifiable record. A spreadsheet where row one is a founder's email address and row two is their demographic responses is precisely what the law prohibits — even if the spreadsheet is never shared externally. The obligation is not simply about how data is disclosed; it is about how data is structured and stored from the outset.

The problem is compounded for solo-founder companies. If a portfolio company has exactly one founder and that founder responds to the survey, any aggregated result — even a percentage — effectively re-identifies that person. The law's mandate to anonymize "to the extent possible" implies that firms must recognize and handle this scenario differently from multi-founder companies. Several legal commentators, including Goodwin Law, have specifically recommended using a third-party survey tool that aggregates data before it reaches the deal team as the appropriate technical solution to this problem.

Consolidated Reporting and the Fund-by-Fund Analysis

VCC reporting does not automatically aggregate across all funds under a single manager. Coverage is assessed at the individual fund or vehicle level, not at the adviser level. A manager running multiple funds must analyze each one separately to determine whether it qualifies as a covered entity. SPVs are included in this analysis.

That said, the FIPVCC does allow for consolidated reporting. A business that controls a covered entity may submit a single consolidated report covering multiple covered entities, provided the report contains all required information for each. This is the mechanism that allows a fund manager to file once for all in-scope funds rather than separately for each. "Control" is not defined in the statute, but legal guidance broadly suggests that most fund managers should be able to file a single report covering all of their covered entities. Firms should confirm their reporting structure with counsel before the deadline.

The fee structure applies per report: at least $175 per submission, though the DFPI may adjust this amount. For managers filing a single consolidated report on behalf of multiple entities, that $175 floor applies to the consolidated filing.

Public Disclosure and What It Means in Practice

Once filed, the annual report becomes public. The FIPVCC requires the DFPI to make all submitted reports readily accessible, easily searchable, and easily downloadable on its website. The agency may also publish its own aggregate analysis based on the data it collects across all covered entities.

This public disclosure dimension is consequential in ways that go beyond regulatory compliance. Limited partners, founders, journalists, policymakers, and advocacy organizations will be able to search and download any covered entity's filed report. For firms that have not historically tracked or disclosed founder demographics, the first filing will establish a public baseline against which future filings will be measured. Firms that file incomplete, inconsistent, or technically deficient reports will have those deficiencies on public record. WilmerHale flagged this specifically, noting that covered entities should anticipate increased scrutiny from LPs and other stakeholders as a direct result of the public disclosure requirement.

Record Retention Requirements

The reporting obligation does not end at submission. The FIPVCC requires covered entities to maintain all records related to each report for at least five years after the report is delivered to the DFPI. This is not simply a matter of keeping a copy of the filed report — the five-year retention obligation extends to the underlying data and documentation that supported the report.

The DFPI has broad examination authority under the law. It can require covered entities to produce records, submit written responses, and answer questions as part of its compliance review process. The Commissioner of Financial Protection and Innovation can conduct both public and private inquiries. Ropes & Gray noted that this examination authority extends to privacy laws in other states as well: firms operating across California, Colorado, Connecticut, and Virginia face layered obligations given those states' comprehensive privacy frameworks.

Given that individual survey responses must not be retained in identifiable form — but the underlying records supporting the report must be retained for five years — firms need a retention architecture that preserves audit-ready documentation without creating the identifiable data store the anonymization rules prohibit. These two requirements can coexist technically, but they require intentional system design rather than standard file storage.

Enforcement After the Deadline

If a covered entity misses the April 1 filing deadline, the DFPI is required to provide formal notice and open a 60-day cure window. During that period, the entity can file without penalty. Once the cure period expires without a filing, the DFPI may pursue enforcement — including cease and desist orders, recovery of the DFPI's attorney's fees and investigative expenses, and civil penalties up to $5,000 per day for each day the violation continues. For reckless or knowing violations, the penalty can exceed $5,000 per day at the Commissioner's discretion.

The same notice-and-cure structure applies to failures in the registration process — missing the March 1 deadline for entity-level submission, or failing to update registration information when it changes. Each type of violation has its own cure window before penalties begin to accumulate.

The DFPI is also entitled to publish information about violations by covered entities. Combined with the public availability of filed reports, this creates a reputational exposure that for many firms may be more motivating than the financial penalty itself.

What This Means for the April 1 Deadline

For most covered entities, the challenge of VCC reporting is not understanding what the law requires — it is building the operational infrastructure to actually meet those requirements within the constraints the law imposes. The sequencing rules around survey distribution, the anonymization architecture, the investment-level data tracking, the solo-founder privacy issue, and the five-year retention obligation all create a compliance picture that standard tools were not designed to handle.

A Google Form creates an identifiable record. A spreadsheet cannot separate the invite system from the response system. Standard CRM tools don't aggregate in real-time or discard raw submissions. And none of these tools account for the re-identification risk that emerges when a portfolio company has only one founder.

Comply With VCC was built specifically around the architectural requirements the FIPVCC creates. Survey invitations and survey responses flow through completely separate systems — the part of the platform that knows who your founders are never sees their answers. Responses are aggregated in real time, and the raw submission is discarded immediately. Solo-founder companies are automatically data-shielded to prevent re-identification. The five-year audit trail is maintained without identity linkage, satisfying the DFPI's retention and examination requirements without creating the identifiable data store the law prohibits. Start your 2025 filing at ComplywithVCC.com.