On October 8, 2025, Governor Gavin Newsom signed SB 361, amending the state’s existing data broker registration statute to expand obligations for data brokers. The law takes effect January 1, 2026, with a registration deadline for data brokers set for January 31, 2026.
What does SB 361 do?
An act to amend Sections 1798.99.82, 1798.99.84, and 1798.99.86 of the Civil Code, relating to privacy.
Who Is a Data Broker?
Under California law, a data broker is ANY business that knowingly collects and sells personal information about consumers with whom it has no direct relationship.
Expanded Disclosure Requirements
Data brokers must now provide more detailed information in their registration applications, including:- Names
- Dates of birth
- Contact details
- Account login credentials
- Government-issued IDs (e.g., SSN, driver’s license, passport)
- Mobile advertising IDs, connected TV IDs, VINs
- Citizenship/immigration status
- Union membership
- Sexual orientation, gender identity/expression
- Biometric data (fingerprints, facial recognition, etc.)
Transparency on Data Sharing
Brokers must report if they sold or shared personal data in the past year with:
- Foreign actors (including adversary nations)
- U.S. federal or state governments
- Law enforcement (outside court orders)
- Developers of generative artificial systems
Deletion Requests
Data brokers must comply with consumer deletion requests within 45 days and treat unverifiable requests as opt-out requests under the California Privacy Protection Agency (CCPA).
Compliance Deadlines & Penalties
- Effective January 1, 2026.
- Beginning August 1, 2026, Brokers must scrub data against the state’s Delete Request and Opt-Out Platform (DROP) every 45 days and within 45 days of receiving any request.
- Penalties for non-compliance are $200 per day.