What is FIPVCC: Everything You Need to Know

California's Fair Investment Practices by Venture Capital Companies Law represents one of the most significant compliance changes for venture capital firms in recent memory. Originally enacted as Senate Bill 54 in 2023 and subsequently replaced by Senate Bill 164 in 2024, the FIPVCC creates a venture capital transparency regime that requires covered firms to collect and publicly report demographic information about the founding teams of their portfolio companies.

The law's administration sits with the California Department of Financial Protection and Innovation (DFPI), which transferred oversight from the California Civil Rights Department when SB 164 was enacted. With the first registration deadline arriving March 1, 2026, and the initial annual report due April 1, 2026, venture capital firms need to understand whether they're subject to these requirements and what compliance actually entails.

Who Must Comply: The Three-Part Test

The law applies to what it defines as covered entities, but determining whether your fund qualifies requires passing through a three-part test. All three criteria must be met for reporting obligations to apply.

First: You Must Be a Venture Capital Company

California Code of Regulations Section 260.204.9 defines a venture capital company as any entity meeting at least one of these conditions.

The 50% Asset Test requires that during each annual period from initial capitalization, at least 50% of the entity's assets (excluding short-term investments) must be venture capital investments. This term has specific meaning under the regulation: securities in an operating company where the adviser, the fund, or an affiliate has or obtains management rights, meaning a contractual or ownership-based ability to substantially participate in, substantially influence, or significantly guide management, operations, or business objectives. Board seats and board observer seats typically satisfy this definition.

Federal Venture Capital Fund Status applies to entities qualifying as venture capital funds under the Investment Advisers Act of 1940. These are typically exempt reporting advisers filing Form ADV.

ERISA Venture Capital Operating Company Status covers entities meeting the Department of Labor's definition under the Employee Retirement Income Security Act of 1974.

The practical implication here is broad. If your fund takes board seats or observer seats in most of its investments, you likely meet the venture capital company definition regardless of your stated investment strategy.

Second: You Must Primarily Engage in Early-Stage Investing

The covered entity must primarily engage in the business of investing in, or providing financing to, startup, early-stage, or emerging growth companies.

Here's where things get ambiguous. The law doesn't define startup, early-stage, or emerging growth. The JOBS Act defines emerging growth companies as those with annual gross revenues under $1.235 billion, but that's not binding here. Fund managers should look at how they've characterized their strategies in offering documents and investor reports to assess whether this criterion applies.

Third: You Must Have a California Nexus

This is where the law's reach becomes surprisingly broad. A venture capital company has a California nexus if it meets any one of these conditions.

Being headquartered in California is straightforward enough.

Having a significant presence or operational office in California is less clear. These terms remain undefined. Does employing remote workers based in California constitute a significant presence? The DFPI hasn't provided guidance yet, leaving potential covered entities to make judgment calls or seek legal counsel.

Making venture capital investments in California-based businesses includes companies located in California or with significant operations in the state. No minimum threshold exists. A single investment in a California-based portfolio company could trigger nexus under the plain language of the statute. Whether California actually has jurisdiction to enforce this requirement against funds with such minimal contacts remains an open legal question.

Soliciting or receiving investments from California residents casts the widest net. This means any fund marketing to California-based limited partners (including family offices, high-net-worth individuals, or institutional investors) potentially falls under the law. A venture capital company headquartered in New York with no California office and no California portfolio companies becomes a covered entity if it accepted capital from even a single California resident.

One critical point: coverage is determined at the individual vehicle level, not the adviser level. If you manage multiple funds, you need to analyze each fund and each SPV separately to determine which are covered entities.

What Covered Entities Must Report

Registration Requirements (Due March 1, 2026)

Before you can file your first annual report, you must register with the DFPI. This registration requires basic identifying information: the covered entity's name; the name, title, and email address of your designated point of contact; and the entity's email address, telephone number, physical address, and website.

You'll need to keep this information current, updating it annually when you file your reports. As of February 2026, the DFPI registration portal remains under development but should be available before the March 1 deadline.

Annual Reporting Requirements (First Due April 1, 2026)

The annual report covers all venture capital investments made during the prior calendar year. The first report, due April 1, 2026, will cover investments made throughout 2025.

Each report includes three distinct components:

Aggregated Demographic Information

You must report demographic data for each founding team member of every portfolio company that received a venture capital investment during the reporting period. But here's the catch: you can only report information that founders voluntarily provide through the DFPI's standardized survey.

The demographic categories are gender identity (including nonbinary and gender-fluid identities), race, ethnicity, disability status, LGBTQ+ identification, veteran or disabled veteran status, California residency, and whether any founding team member declined to provide information.

This data must be reported at an aggregated level only. The law explicitly prohibits collecting or reporting data in any manner that could associate survey responses with individual founding team members.

Diverse Founder Investment Metrics

The law defines a "diverse founding team member" as someone who self-identifies as a woman, nonbinary, Black, African American, Hispanic, Latino-Latina, Asian, Pacific Islander, Native American, Native Hawaiian, Alaskan Native, disabled, veteran or disabled veteran, lesbian, gay, bisexual, transgender, or queer.

A business is considered primarily founded by diverse founding team members when more than half the team responded and at least half of those respondents qualify as diverse founding team members under the definition above.

Your report must include both the number and total dollar amount of investments in businesses primarily founded by diverse founding team members. These figures must be expressed as percentages of your total venture capital investments and broken down across each demographic category.

Investment-Level Data

Beyond demographics, you must report the total dollar amount invested in each portfolio company during the reporting period and each company's principal place of business.

This requirement applies even if every single founding team member of every portfolio company declines to participate in the demographic survey. The investment-level data reporting is mandatory regardless of survey participation rates.

The Survey Process: Where Compliance Gets Complicated

Who Qualifies as a Founding Team Member

Not everyone at a startup gets surveyed. The law defines founding team members as either a person who satisfies all three conditions (owned initial shares or similar ownership interests, contributed to the concept, research, development, or work performed before initial shares were issued, and was not a passive investor) or the person designated as CEO or President.

Timing Restrictions

You cannot distribute surveys until after you've executed the investment agreement with the portfolio company and made the first transfer of funds. This timing restriction exists to prevent any perception of coercion—founders shouldn't feel pressured to participate in a demographic survey to secure funding.

What You Cannot Do

The law strictly prohibits covered entities from encouraging, incentivizing, or attempting to influence a founding team member's decision to participate in the survey. The DFPI faces the same prohibition.

The standardized survey form must include specific disclosures stating that participation is voluntary, that no adverse action will be taken against founders who decline, and that only aggregated, anonymized data will be reported to the DFPI.

The Privacy Paradox

Here's where many firms discover the compliance challenge: the law requires you to collect sensitive demographic data but prohibits you from storing that data in any identifiable form.

You must collect responses and report data in a manner that doesn't associate survey responses with any individual founding team member. This creates an architectural problem that simple tools can't solve. Google Forms store individual responses, violating the anonymization requirement. Spreadsheets lack the technical infrastructure for proper anonymization. The DFPI hasn't yet released its own portal for data collection.

Firms need systems that can maintain architectural separation between the invitation system (which knows founder identities) and the response collection system, aggregate data in real-time, discard raw submissions immediately after aggregation, automatically shield data from solo-founder companies to prevent re-identification through small population inference, and maintain a five-year audit trail without identity linkage.

Consolidated Reporting Option

If you manage multiple covered entities, you may be able to file a consolidated report. The law allows a business that controls a covered entity to submit one report covering multiple funds. While control isn't defined in the statute, fund managers should generally be able to file either a single consolidated report or separate reports for each fund.

Privacy Law Implications

The demographic information you're collecting constitutes sensitive personal information under the California Consumer Privacy Act and potentially other privacy laws. Covered entities should maintain a privacy policy addressing how this data will be used, protected, and retained; provide this policy to founders along with survey requests; implement appropriate controls restricting access to survey responses during the required retention period; and establish proper disposal procedures once the retention requirement expires.

Record Retention and DFPI Examination Rights

Covered entities must preserve all records related to their reporting obligations for at least five years after delivering each annual report. These records should be stored securely with restricted access.

The DFPI has broad examination authority. The department can examine your records to assess compliance, require production of documents, and demand written reports or answers to questions. Your record retention system needs to satisfy these examination requirements while simultaneously maintaining the anonymization and privacy protections the law mandates.

Public Disclosure and Reputational Considerations

The DFPI must make all filed reports publicly accessible, easily searchable, and easily downloadable on its website. The department may also publish aggregate results based on the information it receives.

This public disclosure requirement means compliance failures carry reputational risk beyond financial penalties. Being the firm that didn't file—or filed incorrectly—becomes a matter of public record.

Fees and Penalties

Filing Fees

Each report submission requires a minimum fee of $175, though the DFPI may adjust this amount to cover its administrative costs.

Enforcement Process

If you fail to file your annual report by April 1, the DFPI must provide notice and allow a 60-day cure period to submit the report without penalty. Similar notice-and-cure provisions apply to failures to update your entity-level registration information.

Penalties After the Cure Period

Once the cure period expires, the DFPI Commissioner can pursue several remedies including desist and refrain orders requiring you to stop the violation, cost recovery for reasonable attorney's fees and investigative expenses incurred during the DFPI's investigation, injunctive relief through the courts, and monetary penalties up to $5,000 per day of non-compliance, with higher amounts possible for reckless or knowing violations.

When determining penalty amounts, the Commissioner considers the covered entity's financial standing, assets under management, the nature of the compliance failure, available financial resources, and history of previous violations.

The Commissioner has discretion to compromise, modify, or remit penalties, but the baseline of $5,000 per day adds up quickly for firms that miss deadlines.

Current Status and Open Questions

As of February 2026, the DFPI's registration portal and reporting process remain under development. The department has published the standardized demographic survey form and reporting template, but several key terms remain undefined: what constitutes a significant presence in California, what qualifies as an operational office, what is significant operations for portfolio companies, and how is control defined for consolidated reporting purposes.

Covered entities should monitor the DFPI's website for FAQ releases, interpretive guidance, and portal launch announcements.

Legal Challenges and Enforceability

Some legal commentators question whether California can enforce these requirements against venture capital companies with minimal California contacts for example, an out-of-state fund whose only connection is a single California resident investment source or a single California portfolio investment. This jurisdictional issue remains untested in the courts.

Despite these questions, firms should proceed with compliance planning unless and until a court blocks enforcement of the law.

Practical Steps for Compliance

For firms that may be covered entities, several immediate actions make sense.

Confirm your coverage status by analyzing each fund and vehicle you manage against the three-part test. This requires a vehicle-by-vehicle analysis, not just a firm-wide assessment.

Identify your reporting structure by deciding whether you'll file separate reports for each covered entity or pursue consolidated reporting.

Build investment tracking workflows that capture the dollar amount invested in each portfolio company and each company's principal place of business. Since the first report covers 2025 investments, these systems need to be operational now.

Review your 2025 investments to determine which qualify as venture capital investments under the management rights definition.

Plan your survey distribution process considering the timing restrictions and the architectural requirements for anonymization.

Implement data governance controls that treat founder demographic information as the sensitive personal data it is, with appropriate access restrictions and retention procedures.

Moving Forward with Compliance

The Fair Investment Practices by Venture Capital Companies Law creates a genuine compliance challenge. The issue isn't just collecting data or filling out forms. The real problem is the technical architecture: you need to survey founders on sensitive demographics, aggregate their responses in real-time, maintain complete anonymization, shield solo-founder data from re-identification, preserve a five-year audit trail without identity linkage, and do all of this while satisfying DFPI examination requirements.

Most firms' instinct to use Google Forms or spreadsheets won't work because these tools store individual responses, which violates the law's anonymization requirements. The DFPI's portal isn't ready yet, and the April 1 deadline is approaching fast.

Comply with VCC was built specifically to solve this architectural problem. Our system maintains separation between invitation and response collection, aggregates data in real-time without storing individual submissions, automatically shields solo-founder companies, and creates the required audit trail without identity linkage. If this reporting is required, compliance should be possible without forcing your firm to become a sensitive-data processor. Start your 2025 filing today at https://complywithvcc.com.