The Highlights
- Expanded Data Disclosure Requirements: SB 361 significantly broadens the categories of personal and sensitive information that data brokers must report to the CPPA, increasing transparency around what consumer data is collected.
- New Obligations for Identifying Data Recipients: The law requires data brokers to disclose whether they have shared or sold consumer information to AI developers, foreign adversaries, or government entities within the past year.
- Higher Compliance and Audit Standards: SB 361 implements stricter regulatory expectations, including expanded disclosures by January 31, 2026, and mandatory third‑party audits beginning in 2028, to strengthen oversight of data brokers' collection and deletion practices. Starting January 2029, data brokers are required to publicly report their audit status as part of their annual registration.
On October 8, 2025, California Governor Gavin Newsom signed into law Senate Bill 361 (SB 361), officially known as the "Defending Californians' Data Act." This act represents a significant step in California's comprehensive approach to data privacy and regulation of the data broker industry. The legislation amends the state's data broker registration requirements, building on the foundational consumer rights established by the Delete Act (SB 362) of 2023.
SB 361 is designed to increase transparency and accountability. It requires data brokers, which are businesses that knowingly collect and sell the personal information of Californians with whom they lack a direct relationship, to provide substantially more detail to the California Privacy Protection Agency (CPPA) about the nature of the data they handle and the ultimate recipients of that data.
Expanded Disclosure of Collected Information
A core mandate of SB 361 requires data brokers to provide more detailed information in their annual registration with the California Privacy Protection Agency (CPPA). This enhanced transparency aims to give the public a clearer understanding of the personal information being bought and sold.
Data brokers must now disclose whether they collect any of the following categories of information on California consumers:
Credentials and Identifiers
- Account login or account number when paired with any security code or password that permits access to a consumer's account with a third party.
- Government-issued ID numbers, including Social Security, driver's license, passport, or tax ID numbers.
The mandatory disclosure list for data brokers has also been significantly expanded to cover new sensitive categories of personal information. The Delete Act already required disclosure of precise geolocation and reproductive health data; the list now also includes:
Sensitive Data
- Citizenship data, including immigration status.
- Union Membership.
- Sexual orientation and gender identity.
Device and Biometric Data
- Biometric data, such as fingerprints, facial recognition, or voice prints.
- Vehicle Identifier Number (VIN), Mobile ad ID, and Connected TV ID.
SB 361 recognizes that some data brokers may not collect the typical high-volume identifiers. If data brokers do not collect any commonly required identifiers (such as names, dates of birth, ZIP Codes, email addresses, phone numbers, mobile advertising IDs, Connected TV IDs, or vehicle identification numbers), SB 361 requires an alternative disclosure.
In this circumstance, data brokers must instead disclose up to three, but no fewer than one, of the most common types of personal information that the data broker collects.
Who is Buying Your Data? New Mandates for Recipient Reporting
A requirement established by SB 361 focuses on geopolitical and technological transfer risks by requiring disclosures about entities that receive data. Data brokers must now disclose if, in the past year, they have sold or shared a consumer's personal information with the following parties:
- Developers of AI Systems: A developer of Artificial Intelligence (AI) or Generative AI (GenAI) systems or models.
- Foreign Actors: The government of a "foreign adversary country" (defined to include China, North Korea, Russia, and Iran) or any organization whose principal place of business is located in such country.
- Government Entities: The federal government, other state governments, and law enforcement, unless the disclosure was made pursuant to a legally required subpoena or court order.
Effective Date of Amendments
- The changes introduced by SB 361 to the data broker registration and disclosure requirements took effect on January 1, 2026. This means that the new, expanded disclosures regarding collected data and its recipients must be incorporated into the annual registration filing submitted to the CPPA by January 31, 2026, for any businesses that qualified as data brokers in 2025.
- To strengthen the enforcement of the Delete Act, SB 361 introduces a mandatory periodic audit requirement for data brokers. Beginning January 1, 2028, and every three years thereafter, a data broker must undergo an independent third-party audit to confirm compliance with data deletion requirements.
- Data brokers must submit the resulting audit report to the CPPA within five business days of receiving a written request and are required to maintain the audit report for a minimum of six years.
The Defending Californians' Data Act significantly raises the compliance requirements for data brokers, requiring them to review and adjust their data collection, sale, sharing, and deletion practices to align with California's enhanced regulatory standard.