California Senate Bill 361 (SB 361), the Defending Californians' Act (DCA), was signed into law in October 2025, ushering in new obligations for data brokers that will be phased in over the next two years, with some obligations beginning as soon as January 2026. The DCA builds on the Delete Act, which allowed consumers to request deletion of their information from data brokers. The new law establishes expanded disclosure requirements and mandatory audits for data brokers, and it imposes significant fines for noncompliance. These new obligations and enhanced enforcement efforts are intended to increase transparency around sales of highly sensitive personal information by data brokers.
Below, we review key thresholds, requirements, and enforcement under this expanding regulatory framework for data brokers in California.
Definition of "Data Broker"
A data broker is defined as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship."
Key Compliance Requirements
Expanded Reporting (Beginning January 31, 2026)
Under the DCA, data brokers must make mandatory disclosures regarding the collection of highly sensitive data and specific sharing relationships with foreign actors, federal and state government, law enforcement, and generative AI developers. Effective for the annual registration covering 2025 activities and due by January 31, 2026, data brokers must publicly disclose the collection of several new data categories and detail who the data is shared with.
The registration will now require disclosure of the collection of (1) high-risk, (2) constitutionally protected, or (3) financial data. This includes the following types of information:
- Civil rights and status information: Including citizenship, immigration status, union membership, sexual orientation, and gender identity.
- Financial and identity credentials: Including government-issued identification numbers and account login credentials.
- Physical and health data: Including biometric data, precise geolocation, and reproductive health care data.
Mandatory Audits (Starting January 1, 2028)
Additionally, beginning January 1, 2028, data brokers are required to engage an independent third party for a compliance audit every three years. The audit report and materials must be retained for at least six years and submitted to the California Privacy Protection Agency (CPPA) upon written request. Furthermore, beginning in January 2029, brokers must publicly report their audit status in their annual registration.
Enforcement
Under the DCA, the CPPA serves as the exclusive enforcement authority and oversees the Data Removal and Opt-Out Platform (DROP), a centralized system created by the Delete Act. DROP must be operational by August 1, 2026, enabling consumers to submit a single deletion or opt-out request to all registered data brokers. The DCA strengthens this framework by requiring brokers to process and document every request—including those denied under statutory exceptions—within 45 days and review DROP on a recurring basis. Failure to comply can result in administrative fines of up to $200 per day for each unfulfilled request, reinforcing the integration of DROP into the DCA's enforcement structure.