Upstart Faces Rising Data Privacy Risks as Stricter Laws Drive Up Compliance Costs and Legal Exposure

Upstart is signaling that its AI-driven, data‑intensive underwriting model is now bumping up against a much stricter, more fragmented privacy regime, which is increasing its ongoing compliance spend and widening its litigation and enforcement surface area.

Why privacy risk is rising for Upstart

• Upstart processes large volumes of highly sensitive borrower data, including financial, personal, and in some cases biometric or alternative data used for AI underwriting, which heightens the impact of any security or privacy lapse.

• The company explicitly warns in its filings that complying with evolving privacy and cybersecurity rules will increase its legal and financial compliance costs and may make some activities more difficult or time‑consuming.

• Greater reliance on remote work and cloud environments has increased exposure to privacy and data‑security incidents and fraud risks, which would be acutely material for a platform like Upstart.​

Regulatory drivers of cost and exposure

• Upstart is subject to a layered framework: GLBA and its privacy and Safeguards obligations, Section 5 UDAP standards, and a fast‑proliferating set of state privacy laws that increasingly regulate sensitive, biometric, geolocation, and financial data.

• New and amended state statutes are tightening thresholds (bringing more companies into scope), eliminating cure periods, expanding opt‑out and universal opt‑out requirements, and imposing impact assessments and heightened rules for minors, all of which raise monitoring and implementation costs for data‑driven lenders.

• Laws such as Connecticut’s and Oregon’s updated regimes, along with additional 2025–2026 state enactments, specifically increase obligations around precise geolocation, biometric identifiers, and children’s data—categories that can intersect with alternative‑data underwriting and marketing.

Enforcement, litigation, and AI‑specific scrutiny

• Upstart has already drawn significant regulatory attention over its AI and disclosures, including an SEC subpoena relating to its AI model and loan disclosures, underscoring that its use of data and modeling practices is under active federal scrutiny.​

• Securities and investor suits challenging statements about the performance and risk management of its AI underwriting models show that model transparency and data usage assumptions can translate into securities‑law exposure when outcomes diverge from expectations.

• As regulators increasingly focus on AI, automated decisioning, and alternative data, Upstart’s heavy use of automated underwriting and non‑traditional data points means any perceived opacity, bias, or inadequate disclosure around data use can trigger investigations or enforcement tied to both privacy and fair‑lending theories.

Implications for compliance costs

• To keep pace with state and federal developments, Upstart describes operating a formal information‑security and compliance management program, with continuous monitoring, third‑party testing, and controls aligned to regulatory expectations—all of which are ongoing cost centers that grow as rules proliferate.

• New obligations (e.g., data‑protection impact assessments, sensitive‑data opt‑ins, universal opt‑out recognition, limits on teen data and precise geolocation) require periodic system changes, vendor oversight, and documentation, increasing operational friction and the risk that legacy models or data flows fall out of compliance.

• The company acknowledges that compliance with these expanding rules and regulations will increase legal and financial compliance costs and could constrain some business activities, which, combined with heightened enforcement and private‑litigation risk, contributes to a more challenging operating and valuation backdrop for the stock.