On October 8, 2025, Governor Gavin Newsom signed SB 361, amending the state’s existing data broker registration statute to expand obligations for data brokers. We previously discussed California’s data broker requirements here.
The law takes effect January 1, 2026.
Who Is a Data Broker?
Under California law, a data broker is any business that knowingly collects and sells personal information about consumers with whom it has no direct relationship.
Key Changes Under SB 361.
Expanded Disclosure Requirements. When registering with the California Privacy Protection Agency (CPPA), data brokers must now disclose whether they collect additional information, including:
- Names, dates of birth, contact details.
- Account login credentials.
- Government-issued IDs (e.g., SSN, driver’s license, passport).
- Mobile advertising IDs, connected TV IDs, VINs.
- Citizenship/immigration status.
- Union membership.
- Sexual orientation, gender identity/expression.
- Biometric data (fingerprints, facial recognition, etc.).
Transparency on Data Sharing. Brokers must report if they sold or shared personal data in the past year with:
- Foreign actors (including adversary nations).
- U.S. federal or state governments.
- Law enforcement (outside court orders).
- Developers of generative artificial systems.
Compliance Deadlines & Penalties.
- Effective January 1, 2026.
- Beginning August 1, 2026, Brokers must scrub data against the state’s Delete Request and Opt-Out Platform (DROP) every 45 days and within 45 days of receiving any request.
- Penalties for non-compliance are $200 per day.
Agency Limitations. The CCPA is required to create a page on its website where registration information provided by Brokers is accessible to the public. SB 361 prohibits the CCPA from making accessible to the public details regarding whether the Data Broker collects consumers’ names, dates of birth, zip codes, email addresses, phone numbers, mobile advertising, connected television, or vehicle identification numbers, and the most common types of personal information that it collects.
As with all privacy regulations, Taft’s Privacy & Data Security team will continue to monitor updates and guidance regarding data brokers. For more data privacy & security-related updates, please visit Taft’s Privacy & Data Security Insights blog.