California’s SB 361: New data broker requirements mean better consumer data protections

on November 24, 2025

Who Is a Data Broker?

Under California law, a data broker is ANY business that knowingly collects and sells personal information about consumers with whom it has no direct relationship.

Expanded Disclosure Requirements

Data brokers must now provide more detailed information in their registration applications, including:

• Names

• Dates of birth

• Contact details

• Account login credentials

• Government-issued IDs (e.g., SSN, driver’s license, passport)

• Mobile advertising IDs, connected TV IDs, VINs

• Citizenship/immigration status

• Union membership

• Sexual orientation, gender identity/expression

• Biometric data (fingerprints, facial recognition, etc.)

Transparency on Data Sharing

Brokers must report if they sold or shared personal data in the past year with:

• Foreign actors (including adversary nations)

• U.S. federal or state governments

• Law enforcement (outside court orders)

• Developers of generative artificial systems

Deletion Requests

Data brokers must comply with consumer deletion requests within 45 days and treat unverifiable requests as opt-out requests under the California Privacy Protection Agency (CCPA).

Compliance Deadlines & Penalties

• Effective January 1, 2026.

• Beginning August 1, 2026, Brokers must scrub data against the state’s Delete Request and Opt-Out Platform (DROP) every 45 days and within 45 days of receiving any request.

• Penalties for non-compliance are $200 per day.

Agency Limitations

The CPPA, is required to create a page on its website where registration information provided by Brokers is accessible to the public. SB 361 prohibits the CCPA from making accessible to the public details regarding whether the Data Broker collects consumers’ names, dates of birth, zip codes, email addresses, phone numbers, mobile advertising, connected television, or vehicle identification numbers, and the most common types of personal information that it collects.