On October 8, 2025, Governor Gavin Newsom signed SB 361 into law. Introduced by Senator Josh Becker, the bill amends California’s Data Broker Registration Law (and amendments to the law under the Delete Act) with additional disclosure requirements for data brokers.
Becker’s press release states that SB 361 addresses concerns about “mass surveillance and enforcement actions against vulnerable populations”, following investigations “that data brokers routinely sell sensitive personal data to federal agencies like Immigration and Customs Enforcement (ICE) and other law enforcement entities.”
Newsom’s press release accompanying the signing of SB 361 and other data privacy bills describes the bill as part of a broader consumer protection agenda focusing on giving consumers more control of their data. SB 361 is sponsored by Oakland Privacy and supported by civil society groups such as Electronic Frontier Foundation, Electronic Privacy Information Center (EPIC), and Privacy Rights Clearinghouse.
SB 361’s amendments go into effect on January 1st, 2026.
Current Data Broker Registration Law
Currently, the Data Broker Registration Law defines a data broker as a business that knowingly collects and sells to third parties the personal information of consumers with whom it does not have a direct relationship. Such data brokers are required to register with the California Privacy Protection Agency (CPPA). Such registration requires data brokers to disclose their collection practices to the CPPA, which are then disclosed by the CPPA on its data broker registry web page.
The law has additional requirements regarding data brokers’ handling of data subject rights. First, data brokers must disclose metrics regarding requests to exercise data subject rights under the California Consumer Privacy Act (“CCPA”) and the Data Broker Registration Law.
Second, beginning August 1, 2026, the CPPA will provide a “one-stop shop” deletion mechanism that lets consumers submit a single personal information deletion request, which all data brokers must process and complete at least once every 45 days. The law also requires that requests that cannot be verified be treated as requests to opt out of sale or sharing under the CCPA, but it does not provide a deadline for processing such unverifiable requests. See our blog post for more details on prior Delete Act amendments to California’s Data Broker Registration Law.
SB 361 New Data Broker Law Requirements
SB 361 amends the data broker law to clarify that data brokers have 45 days to comply with the Delete Act requirement to treat unverifiable deletion requests as opt-out of sale or sharing requests under the CCPA.
In addition to existing registration disclosure requirements [1], SB 361 requires data brokers to also disclose whether they collect the following data types from consumers:
- Names, dates of birth, ZIP codes, email addresses, or phone numbers
- Account login or account number in combination with any required security code, access code, or password that would permit access to a consumer’s account with a third party
- Driver’s license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual
- Mobile advertising identification numbers, connected television identification numbers, or vehicle identification numbers (VIN)
- Citizenship data, including immigration status
- Union membership status
- Sexual orientation status
- Gender identity and gender expression data
- Biometric data
These additional data types, along with the existing data types under the data broker law, largely track the elements of the CCPA definition of sensitive data, except for the first bullet point (name, etc.) and the fourth bullet point (mobile advertising identification numbers, etc.). Notably, of the types of sensitive personal information under the CCPA, SB 361 does not require disclosure of the collection of personal data revealing consumers’ racial or ethnic origin; religious or philosophical beliefs; genetic data; neural data; or the contents of a consumer’s mail, email, and text messages where the business is not the intended recipient.
If information in the non-sensitive categories (i.e., the first or fourth bullet points) is not collected, data brokers are instead required to inform the CPPA of up to three, but no fewer than one, of the most common types of personal information collected.
Finally, SB 361 requires data brokers to inform the CPPA whether they have shared or sold consumers’ data to the following parties in the past year:
- A foreign actor, defined as either the government of a covered nation or a “partnership, association, corporation, organization, or other combination of persons organized under the laws of or having its principal place of business in a [covered nation].”
- The federal government
- Other state governments
- Law enforcement, unless that data was shared pursuant to a subpoena or a court order
- A developer of a generative artificial intelligence system or model
The CPPA is required to list these new categories of data and parties to whom data is disclosed on its public data broker registry webpage, with some restrictions. SB 361 restricts publishing information in the non-sensitive categories (or the most common types of personal information collected). The reason for this restriction on categories of non-sensitive data is unclear, but it may be intended to avoid diluting focus on sensitive information disclosures, which are the main focus of the law, as noted in the bill’s analysis.
Key Takeaways
The Data Broker Registration Law already requires registration by data brokers with the CPPA on or before January 31st following each year a business meets the definition of data broker. Data brokers should review their data collection, sale, and sharing practices for the year to ensure they make the proper disclosures to the CPPA, including the requirements under the Delete Act detailed in our prior blog post and, under SB 361, the new data and third-party recipient disclosure requirements. They should also have a process to treat unverified deletion requests as requests to opt out of sale or sharing within the 45-day deadline.
Data brokers should also review the CPPA’s proposed regulations (i.e., Delete Request and Opt-out Platform (“DROP”)) under the Delete Act which contain detailed instructions for implementing the data broker registrations and deletion mechanisms. The CPPA announced at its board meeting on September 26, 2025, that it had finalized the DROP regulations and submitted those to the California Office of Administrative Law for final approval.
[1] The Data Broker Registration Law currently requires data brokers to disclose their name; their primary physical, email, and internet website addresses; metrics about their processing of data subject rights requests; whether the data broker collects the personal information of minors; whether the data broker collects consumers’ precise geolocation; and whether the data broker collects consumers’ reproductive health care data.
Hansenard Piou is an Associate at Hintze Law PLLC with experience in global data protection issues, including kids’ global privacy laws, AADC, privacy impact assessments, GDPR, and privacy statements.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.