California's SB 361: New Data Broker Transparency Requirements and What They Mean for Your Business


On October 8, 2025, California Governor Gavin Newsom signed Senate Bill 361 into law, marking another significant expansion of the state's already stringent data broker regulations. Known as the "Defending Californians' Data Act," this legislation dramatically increases disclosure requirements for data brokers while introducing new enforcement mechanisms that could cost non-compliant companies thousands of dollars per day.

For businesses operating in the data brokerage space, SB 361 represents a critical compliance challenge that demands immediate attention. Combined with the upcoming August 2026 implementation of the DELETE Request and Opt-Out Platform (DROP), California is fundamentally reshaping how data brokers must operate.

Understanding the Legislative Context

SB 361 builds upon California's 2023 Delete Act (SB 362), which already required data brokers to register with the California Privacy Protection Agency (CPPA) and process deletion requests through a centralized mechanism. The new amendments come as the CPPA finalizes regulations for DROP—a one-stop deletion platform that will allow California consumers to request data deletion from all registered data brokers with a single submission.

The legislation was introduced by Senator Josh Becker and gained unanimous support from both chambers of the California Legislature, reflecting broad bipartisan concern about data broker practices. Privacy advocates sponsored the bill amid investigations revealing that data brokers routinely sell sensitive personal data to federal agencies like Immigration and Customs Enforcement (ICE) and other law enforcement entities, enabling mass surveillance and enforcement actions against vulnerable populations.

Who Qualifies as a Data Broker Under California Law?

Before diving into the new requirements, it's essential to understand whether your business qualifies as a data broker under California law. A data broker is defined as "a business that knowingly collects and sells to third parties the personal information of consumers with whom it does not have a direct relationship".

The definition of "direct relationship" is narrower than many businesses realize. The CPPA's regulations specify that "a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business's products or services within the preceding three years". Critically, merely collecting data directly from a consumer does not establish a direct relationship; the consumer must both intend and expect to interact with the business.

This means that businesses using cookies, pixels, SDKs, or other indirect collection methods likely qualify as data brokers—even if they believe they have a "first-party" relationship with consumers.

New Data Collection Disclosure Requirements

SB 361 significantly expands the categories of personal information that data brokers must disclose during annual registration. While existing law already required disclosure about collection of minors' information, precise geolocation, and reproductive health care data, the amendments add extensive new categories.

Basic Identifiers and Contact Information

Data brokers must now disclose whether they collect:

  • Names
  • Dates of birth
  • ZIP codes
  • Email addresses
  • Phone numbers

Financial and Account Access Information

Perhaps most concerning from a security perspective, data brokers must disclose collection of:

  • Account login credentials or account numbers in combination with any required security code, access code, or password that would permit access to a consumer's account with a third party

This provision recognizes the severe risk posed when data brokers aggregate login credentials with the authentication factors needed to access accounts.

Government Identification Numbers

Data brokers must disclose whether they collect any of the following government-issued identifiers:

  • Driver's license numbers
  • California identification card numbers
  • Tax identification numbers
  • Social Security numbers
  • Passport numbers
  • Military identification numbers
  • Other unique identification numbers issued on government documents commonly used to verify identity

Digital and Device Identifiers

The law also targets modern tracking mechanisms:

  • Mobile advertising identification numbers
  • Connected television identification numbers
  • Vehicle identification numbers (VINs)

These identifiers are commonly used for cross-device tracking and behavioral profiling, making them particularly valuable to data brokers and advertisers.

Sensitive Personal Characteristics

SB 361 adds several categories of sensitive personal characteristics that data brokers must disclose:

  • Citizenship data, including immigration status
  • Union membership status
  • Sexual orientation status
  • Gender identity and gender expression data
  • Biometric data

The inclusion of citizenship status and union membership directly addresses concerns about data brokers enabling targeting of vulnerable populations.

The "Catch-All" Requirement

Recognizing that some data brokers may not collect the basic identifiers listed above, SB 361 includes an innovative provision: If a data broker does not collect consumers' names, dates of birth, ZIP codes, email addresses, phone numbers, mobile advertising identification numbers, connected television identification numbers, or vehicle identification numbers, then it must disclose "up to three, but no fewer than one, of the most common types of personal information that the data broker collects".

This ensures that even data brokers operating with pseudonymous or aggregated data must provide some transparency about their collection practices.

Privacy Protections for Disclosed Information

Importantly, the information provided in connection with these basic identifier disclosures will not be made publicly accessible on the CPPA's website. This balancing approach allows regulators to monitor data broker practices without creating a public roadmap of exactly what data each broker possesses.

Groundbreaking Third-Party Disclosure Requirements

Perhaps the most significant aspect of SB 361 is the requirement for data brokers to disclose their data sharing relationships with specific categories of third parties. This represents an unprecedented level of transparency about the downstream uses of consumer data.

Foreign Adversary Disclosure

Data brokers must now disclose whether, in the past year, they shared or sold consumers' data to a "foreign actor." The law defines "foreign actor" as either the government of a foreign adversary country or a partnership, association, corporation, organization, or other combination of persons organized under the laws of or having its principal place of business in a foreign adversary country.

"Foreign adversary country" has the same meaning as "covered nation" under 10 U.S.C. § 4872, which includes North Korea, China, Russia, and Iran.

This provision addresses national security concerns while also responding to geopolitical tensions around data access and surveillance capabilities. Data brokers must now audit their customer base to identify any entities that meet this definition—a potentially complex undertaking given the opacity of corporate ownership structures.

Government Entity Disclosures

SB 361 requires separate disclosure for sales or sharing of consumer data to:

  • The federal government
  • Other state governments
  • Law enforcement (unless done pursuant to a subpoena or court order)

The law distinguishes between voluntary commercial sales to government entities versus compelled disclosures through legal process. This distinction directly responds to reporting that revealed how law enforcement agencies routinely purchase data from brokers rather than obtaining it through warrant processes that would require probable cause.

Generative AI Developer Disclosure

In what may be the most forward-looking provision, SB 361 requires data brokers to disclose whether they shared or sold consumers' data to "a developer of a GenAI system or model" in the past year.

The law defines a "developer of a GenAI system" as "a business, person, partnership, corporation, or other entity that designs, codes, produces, or substantially modifies a GenAI system", though the term "substantially modifies" remains undefined.

A "GenAI system" is defined as "an artificial intelligence that can generate derived synthetic content, including text, images, video, and audio, that emulates the structure and characteristics of the system's training data".

This provision acknowledges growing concerns about the use of personal data in training large language models and other generative AI systems. As AI companies scramble to acquire massive datasets for model training, this disclosure requirement provides California consumers with visibility into whether their personal information may be contributing to AI training corpuses.

Enhanced Enforcement and Penalty Structure

SB 361 doesn't just expand disclosure requirements—it dramatically strengthens enforcement mechanisms and penalties for non-compliance.

Doubled Daily Fines

The law doubles the daily fine from $100 to $200 per day for data brokers who fail to register. For a business that operates as a data broker for an entire year without registering, this amounts to $73,000 in potential fines.

Per-Request, Per-Day Penalties

Perhaps most significantly, the amended law introduces California's first per-request, per-day penalty tied to consumer deletion rights. Each unprocessed deletion request can trigger an independent fine of $200 per day until the broker fulfills its statutory obligations or demonstrates a valid exemption.

This creates potentially massive exposure for data brokers. Consider a scenario where a data broker receives 100 deletion requests through DROP and fails to process them for 30 days. The potential liability: 100 requests × $200 per day × 30 days = $600,000.

Cumulative Liability

Beyond per-request penalties, a broker found in violation may be liable for all registration fees owed during any unregistered period, the CPPA's investigative and administrative costs, and daily fines for each unprocessed or improperly handled deletion request.

The DROP Platform: August 2026 Compliance Deadline

SB 361's disclosure requirements cannot be understood in isolation from the broader Delete Act implementation, particularly the upcoming DROP platform launch.

Timeline and Requirements

The CPPA must make DROP accessible to consumers by January 1, 2026. Starting August 1, 2026, data brokers must access DROP every 45 days and complete deletion requests within that same timeframe.

Continuous Deletion Obligations

For consumers who have opted into ongoing deletion, brokers must implement a perpetual deletion cycle, checking DROP every 45 days and deleting any newly collected personal information relating to those consumers.

This represents a fundamental shift from traditional "one-and-done" deletion requests to an ongoing obligation to monitor and suppress data collection for consumers who have exercised their rights.

Data Matching Challenges

When a data broker receives a consumer deletion list through DROP, the proposed regulations require the broker to compare the listed consumer information against its own records. The matching process presents significant technical challenges, particularly given that:

  • Consumers may have multiple identities or variations of their information across different databases
  • Data brokers may maintain only partial information that doesn't perfectly match DROP records
  • If a data broker only maintains a consumer's name, ZIP code, and date of birth, and two California residents share the same name and ZIP code but have different birth dates, a deletion request from one individual would require the data broker to delete the personal information of the other individual, unless an exemption applies
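One way to implement the comparison just described, as an added example that is not the CPPA's or any broker's code: field names, the normalization rules, the name-plus-ZIP minimum policy and the sample records are all assumptions. It separates records that match on every field the broker holds from records that match only because the broker lacks the field (such as a date of birth) that would rule the consumer out, so the exemption decision can be reviewed before deletion.

```python
"""Match a DROP deletion list against a broker's own records.
Added example, not CPPA or broker code: field names, normalisation
rules, the name+ZIP minimum policy and the sample data are assumptions."""
import re

MATCH_FIELDS = ("name", "zip", "dob", "email")  # assumed comparable fields


def normalize(field, value):
    """Canonicalise one field; None means absent/unusable, never a match."""
    if value is None or not value.strip():
        return None
    v = value.strip().lower()
    if field == "name":  # drop punctuation, collapse whitespace
        return " ".join(re.sub(r"[^a-z ]", "", v).split()) or None
    if field == "zip":  # ZIP+4 -> five-digit ZIP
        digits = re.sub(r"\D", "", v)
        return digits[:5] if len(digits) >= 5 else None
    if field == "dob":  # accept YYYY-MM-DD or M/D/YYYY
        if re.fullmatch(r"\d{4}-\d{2}-\d{2}", v):
            return v
        m = re.fullmatch(r"(\d{1,2})/(\d{1,2})/(\d{4})", v)
        return f"{m[3]}-{int(m[1]):02d}-{int(m[2]):02d}" if m else None
    return v


def normalize_record(raw):
    """Keep only the comparable fields that are actually populated."""
    pairs = ((f, normalize(f, raw.get(f))) for f in MATCH_FIELDS)
    return {f: n for f, n in pairs if n is not None}


def classify(record, request):
    """Return 'exact', 'partial' or None for one (record, DROP entry) pair.

    Assumed policy: name and ZIP must both be present and agree, and every
    field present on both sides must agree. If the record lacks a field the
    request carries, it cannot rule that consumer out: a 'partial' match,
    deleted unless an exemption applies (the over-deletion case the
    regulations describe).
    """
    shared = [f for f in MATCH_FIELDS if f in record and f in request]
    if "name" not in shared or "zip" not in shared:
        return None
    if any(record[f] != request[f] for f in shared):
        return None
    return "partial" if any(f not in record for f in request) else "exact"


def plan_deletions(records, requests):
    """Return (ids to delete, ids that also need exemption review)."""
    delete, review = set(), set()
    nreqs = [normalize_record(r) for r in requests]
    for rec in records:
        kinds = {classify(normalize_record(rec), q) for q in nreqs} - {None}
        if kinds:  # any exact or partial match means the record goes
            delete.add(rec["id"])
        if kinds == {"partial"}:  # matched only on incomplete data
            review.add(rec["id"])
    return delete, review


# Constructed sample: r1 and r2 share name and ZIP but differ in DOB;
# r3 holds the same name and ZIP with no DOB at all.
SAMPLE_RECORDS = [
    {"id": "r1", "name": "Maria Lopez", "zip": "94110-2201", "dob": "1985-03-07"},
    {"id": "r2", "name": "Maria  Lopez", "zip": "94110", "dob": "1990-11-21"},
    {"id": "r3", "name": "maria lopez", "zip": "94110"},
]
SAMPLE_DROP_LIST = [
    {"request_id": "drop-1", "name": "Maria Lopez", "zip": "94110", "dob": "3/7/1985"},
]

if __name__ == "__main__":
    print(plan_deletions(SAMPLE_RECORDS, SAMPLE_DROP_LIST))  # ({'r1','r3'}, {'r3'})
```

With the sample data, r1 is an exact match, r2 is excluded by its differing date of birth, and r3 is deleted but flagged for review because the broker holds no date of birth to tell the two residents apart.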

Service Provider and Contractor Obligations

Under the Delete Act, data brokers must direct service providers and contractors to comply with consumers' delete requests. The finalized regulations clarify that data brokers may share the minimum personal information necessary for service providers and contractors to facilitate compliance with a deletion request.

Mandatory Compliance Audits

Looking ahead, beginning January 1, 2028, and every three years thereafter, data brokers must undergo an audit by an independent third party to determine compliance with the requirements under the law and must submit the audit report to the Agency upon the Agency's written request.

Beginning January 1, 2029, a data broker registering with the Agency must also disclose whether they have undergone the audit and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the Agency.

This audit requirement mirrors provisions in other compliance frameworks like SOC 2 and ISO 27001, bringing data broker oversight in line with established information security and privacy audit practices.

Practical Compliance Steps for Data Brokers

Given the scope and complexity of SB 361's requirements, data brokers should take immediate action:

1. Conduct a Definitional Analysis

First, definitively determine whether your business qualifies as a data broker under California law. Don't rely on assumptions about "first-party" relationships. The CPPA clarifies that merely collecting data directly from a consumer does not establish a direct relationship; consumers must both intend and expect to interact with the business.

Consider engaging privacy counsel to conduct this analysis, particularly if your business uses cookies, pixels, SDKs, or purchases data from other sources.

2. Map Your Data Collection Practices

Create a comprehensive inventory of all personal information categories you collect, paying particular attention to the specific categories enumerated in SB 361:

  • Basic identifiers (name, DOB, ZIP, email, phone)
  • Account credentials and access information
  • Government identification numbers
  • Digital and device identifiers
  • Sensitive personal characteristics (citizenship, union membership, sexual orientation, gender identity, biometrics)

This mapping exercise will form the foundation of your registration disclosures.

3. Audit Your Customer Base

This is perhaps the most challenging requirement: identifying whether you've shared or sold consumer data to any of the following in the past year:

  • Foreign actors (requiring analysis of customer corporate structure and jurisdiction)
  • Federal government entities
  • State governments
  • Law enforcement agencies (excluding subpoena/court order compliance)
  • Generative AI developers

For the foreign actor requirement, you may need to:

  • Conduct enhanced due diligence on customers
  • Review ownership structures
  • Implement contractual representations and warranties
  • Establish ongoing monitoring procedures

4. Implement Technical Infrastructure for DROP

If not already underway, begin developing the technical infrastructure needed to:

  • Create and maintain a DROP account
  • Access DROP every 45 days automatically
  • Compare deletion lists against your databases
  • Process deletions within 45-day windows
  • Maintain records of deletion compliance
  • Direct service providers and contractors to honor deletion requests

The CPPA requires that brokers implement reasonable security procedures including administrative, physical, and technical safeguards appropriate to the nature of the information being processed.

5. Update Registration Procedures

With the January 31, 2026 registration deadline approaching, ensure your registration includes all newly required disclosures. The annual registration fee has increased significantly—from $400 to $6,600 in 2025—to fund DROP development.

6. Revise Contracts with Service Providers

Review and update all contracts with service providers and contractors to:

  • Include mandatory CCPA compliance provisions
  • Specify deletion request handling procedures
  • Allocate responsibilities for DROP compliance
  • Establish liability and indemnification for non-compliance

7. Clarify the 45-Day Timeline

SB 361 clarifies that data brokers have 45 days to comply with the Delete Act requirement to treat unverifiable deletion requests as opt-out of sale or sharing requests under the CCPA. Update your procedures to ensure this timeline is met consistently.

8. Prepare for Audit Requirements

Although the first mandatory audits don't begin until 2028, start preparing now:

  • Document all compliance procedures
  • Establish audit trails for deletion requests
  • Implement quality control processes
  • Consider engaging audit firms with data broker expertise
  • Maintain records for at least six years as required

Enforcement Landscape and Recent Actions

SB 361 arrives against a backdrop of aggressive enforcement by the CPPA. Understanding recent enforcement actions provides context for the stakes involved.

Active Investigative Sweep

The CPPA's Enforcement Division is conducting a public investigative sweep of data broker registration compliance under the Delete Act, with the agency stating it "will take appropriate actions against data brokers that have failed to comply".

Escalating Penalties

Recent CPPA enforcement demonstrates the financial risks:

  • In February 2025, the CPPA reached a settlement requiring Background Alert to shut down operations through 2028 or face a $50,000 fine, marking the first time a data broker was ordered to cease operations entirely
  • Recent settlements have included $35,400 and $34,400 fines for companies that ignored registration requirements

Non-Data Broker Enforcement Provides Lessons

The CPPA's first non-data broker enforcement action against Honda in March 2025 provides important lessons applicable to data brokers. Honda paid $632,500 for requiring consumers to provide more information than necessary when exercising CCPA rights.

The Honda case established that requiring excessive information for privacy requests violates the CCPA—a principle directly relevant to how data brokers handle deletion requests through DROP.

Industry-Wide Compliance Challenges

Research reveals widespread compliance failures across the data broker industry, suggesting SB 361's enhanced requirements will only increase the challenge.

A UC Irvine study that systematically tested all 543 data brokers officially registered with the California Privacy Protection Agency found that 41% of data brokers failed to respond to access requests at all, and only 4% provided the personal information they held.

These findings underscore why California is taking increasingly aggressive enforcement action and why the per-request, per-day penalty structure in SB 361 is so significant.

Strategic Considerations

Beyond mere compliance, data brokers should consider SB 361's broader strategic implications:

Competitive Differentiation

As enforcement intensifies and penalties mount, compliance excellence could become a competitive advantage. Data brokers that can demonstrably meet all SB 361 requirements may find opportunities to differentiate themselves in a market where non-compliance is rampant.

Customer Due Diligence Programs

The requirement to disclose sales to foreign actors, government entities, and GenAI developers necessitates robust customer due diligence programs. Consider implementing:

  • Enhanced know-your-customer (KYC) procedures
  • Beneficial ownership analysis
  • Ongoing customer monitoring
  • Contractual representations regarding customer identity and purpose

Business Model Review

Some data brokers may find that the combined burden of:

  • Annual registration fees ($6,600)
  • Technical infrastructure for DROP compliance
  • Enhanced disclosure requirements
  • Per-request, per-day penalties
  • Mandatory audits every three years

...makes certain business lines economically unviable. Now is the time to conduct a frank assessment of which data products can support the compliance overhead.

International Considerations

The foreign actor disclosure requirement has international implications. Data brokers that serve global markets must navigate complex questions about:

  • How to verify customer jurisdiction and ownership
  • Whether to exit certain markets or customer relationships
  • How to handle customers with mixed ownership structures
  • Contractual protections and warranties

The Broader Privacy Landscape

SB 361 doesn't exist in isolation. Data brokers must navigate an increasingly complex web of overlapping privacy regulations:

State-Level Patchwork

California leads a growing number of states with comprehensive privacy laws. As of 2025, 20 states have enacted comprehensive privacy legislation, creating compliance challenges for data brokers operating nationally.

Federal PADFA Requirements

The federal Protecting Americans' Data from Foreign Adversaries Act of 2024 (PADFA) also prohibits data brokers from transferring sensitive personal data to foreign adversary countries. While SB 361 requires disclosure, PADFA prohibits the transfer entirely, with violations treated as unfair or deceptive trade practices under FTC Act enforcement.

Evolving CCPA/CPRA Framework

Understanding the broader CCPA/CPRA framework is essential for data broker compliance. The Delete Act and SB 361 operate within this larger ecosystem of consumer rights and business obligations.

Looking Ahead: What's Next?

SB 361's January 1, 2026 effective date is only the beginning. Data brokers should anticipate:

DROP Launch and Growing Deletion Volumes

As DROP becomes accessible to consumers in January 2026 and data brokers in August 2026, deletion request volumes will likely surge dramatically. The platform's ease of use—a single request to all registered brokers—will encourage consumer adoption.

Continued Regulatory Evolution

California regularly updates its privacy framework. The CPPA is actively developing additional regulations, and the legislature continues to consider new privacy legislation. Data brokers must maintain ongoing regulatory monitoring.

Enforcement Intensification

With increasing enforcement activity and the implementation of the per-request, per-day penalty structure, the CPPA has demonstrated its intent to aggressively pursue non-compliant data brokers. Expect continued enforcement sweeps and potentially larger penalties as the DROP platform generates clear evidence of non-compliance.

Class Action Risk

While the CCPA generally doesn't provide a private right of action for most violations, data brokers should be aware that certain security failures can give rise to private litigation. The aggregation of sensitive personal information combined with enhanced disclosure requirements may increase scrutiny from plaintiffs' attorneys.

Conclusion

California's SB 361 represents a watershed moment for data broker regulation. The combination of expansive disclosure requirements, strengthened enforcement mechanisms, per-request penalties, and the upcoming DROP platform creates a fundamentally new compliance landscape.

For data brokers, the path forward requires:

  1. Immediate action to assess whether your business qualifies as a data broker under California's definition
  2. Comprehensive mapping of data collection and sharing practices
  3. Customer due diligence to identify foreign actors, government entities, and GenAI developers
  4. Technical infrastructure development for DROP integration by August 2026
  5. Process implementation for 45-day deletion cycles and audit readiness
  6. Strategic assessment of whether your business model can sustain the compliance burden

The days of operating data brokerage businesses with minimal transparency and accountability are ending. SB 361 makes clear that California expects data brokers to provide unprecedented visibility into their operations—or face significant financial consequences.

As Senator Becker stated when introducing the legislation, "No one should have their personal data collected and sold without their knowledge—especially when that data is being used to target vulnerable communities." With SB 361 now law, California has the tools to enforce this principle more effectively than ever before.

This article is for informational purposes only and does not constitute legal advice. Organizations should consult with qualified legal counsel regarding their specific compliance obligations under SB 361 and related privacy laws.
