ARTICLE
21 November 2025

California's SB 361: Updated Data Broker Requirements

TS
Taft Stettinius & Hollister

Contributor

Taft Stettinius & Hollister logo
Established in 1885, Taft is a nationally recognized law firm serving individuals and businesses worldwide, in both mature and emerging industries.
Explore Firm Details
Under California law, a data broker is any business that knowingly collects and sells personal information about consumers with whom it has no direct relationship.
United States Privacy
Zenus Franklin
Your Author LinkedIn Connections
Zenus Franklin’s articles from Taft Stettinius & Hollister are most popular:
  • with readers working within the Technology and Retail & Leisure industries
Taft Stettinius & Hollister are most popular:
  • within Strategy topic(s)

On October 8, 2025, Governor Gavin Newsom signed SB 361, amending the state's existing data broker registration statute to expand obligations for data brokers. We previously discussed California's data broker requirements here.

The law takes effect January 1, 2026.

Who Is a Data Broker?

Under California law, a data broker is any business that knowingly collects and sells personal information about consumers with whom it has no direct relationship.

Key Changes Under SB 361.

Expanded Disclosure Requirements. When registering with the California Privacy Protection Agency (CPPA), data brokers must now disclose whether they collect additional information, including:

  • Names, dates of birth, contact details.
  • Account login credentials.
  • Government-issued IDs (e.g., SSN, driver's license, passport).
  • Mobile advertising IDs, connected TV IDs, VINs.
  • Citizenship/immigration status.
  • Union membership.
  • Sexual orientation, gender identity/expression.
  • Biometric data (fingerprints, facial recognition, etc.).

Transparency on Data Sharing. Brokers must report if they sold or shared personal data in the past year with:

  • Foreign actors (including adversary nations).
  • U.S. federal or state governments.
  • Law enforcement (outside court orders).
  • Developers of generative artificial systems.

Compliance Deadlines & Penalties.

  • Effective January 1, 2026.
  • Beginning August 1, 2026, Brokers must scrub data against the state's Delete Request and Opt-Out Platform (DROP) every 45 days and within 45 days of receiving any request.
  • Penalties for non-compliance are $200 per day.

Agency Limitations. The CCPA is required to create a page on its website where registration information provided by Brokers is accessible to the public. SB 361 prohibits the CCPA from making accessible to the public details regarding whether the Data Broker collects consumers' names, dates of birth, zip codes, email addresses, phone numbers, mobile advertising, connected television, or vehicle identification numbers, and the most common types of personal information that it collects.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Zenus Franklin
Zenus Franklin
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More