| Update Applicable to: | Effective Date |
| --- | --- |
| All Businesses that meet California’s Legal Definition of a “Data Broker” | January 1, 2026 |
What happened?
On October 8, 2025, Governor Gavin Newsom signed Senate Bill (SB) 361 into law, creating new requirements for data brokers to improve transparency and strengthen consumer privacy protections.
Overview:
The law amends the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) and takes effect on January 1, 2026.
SB 361 expands the obligations of data brokers, defined as businesses that collect and sell personal information without a direct relationship with consumers, by requiring more detailed disclosures, stricter deletion processes, and regular audits.
Additional Information:
Registration and Disclosure (§1798.99.82)
- Annual Registration: Data brokers must register with the California Privacy Protection Agency (CPPA) by January 31 each year.
- Expanded Disclosure: Brokers must report if they collect:
  - Names, dates of birth, ZIP Codes, email addresses, phone numbers
  - Account credentials and government-issued IDs
  - Device identifiers (mobile ads, connected TVs, VINs)
  - Citizenship and immigration status
  - Union membership, gender identity, sexual orientation
  - Biometric data, precise geolocation, reproductive health data
- Data Sharing Reporting: Brokers must disclose if they sold or shared data in the past year with:
  - Foreign actors
  - Federal or state governments
  - Law enforcement (except under subpoena)
  - Generative AI developers
- Privacy Note: CPPA will not publish certain sensitive details, such as account credentials or device identifiers.
Deletion and Consumer Rights (§1798.99.86)
- DROP Integration: Data brokers must use the CPPA’s Data Removal and Opt-Out Platform (DROP), a one-stop system for consumers to request deletion of their personal data. DROP will launch on January 1, 2026.
  - Read more at: https://privacy.ca.gov/drop/.
- Timeline: Beginning August 1, 2026, brokers must process deletion requests within 45 days and continue deleting new data every 45 days unless exceptions apply.
- Denied Requests: If a request cannot be verified, it must be treated as an opt-out of sale or sharing.
Audits and Enforcement
- Audits: Mandatory compliance audits every three years starting in 2028.
- Penalties: Up to $200 per day for failure to register and $200 per day per deletion request not processed.
Public Access (§1798.99.84)
- CPPA will maintain a public registry of data brokers but will exclude certain sensitive details (e.g., names, DOB, device IDs).
Effective Date: January 1, 2026
- Registration Window: January 1–31, 2026 for brokers operating in 2025.
This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.