
New Law and Regulations Expand California's Data Broker Oversight

California continues to lead the nation in regulating the data brokerage ecosystem. On October 8, 2025, Governor Gavin Newsom signed SB 361 to expand disclosure and penalty requirements for data brokers in violation of California's Delete Act. At the same time, the California Privacy Protection Agency (now re-branded as "CalPrivacy") advanced its long-awaited regulations to operationalize the Delete Act’s one-stop deletion platform, known as the Data Removal and Opt-Out Platform, or DROP. 

Together, these developments impose substantial new compliance obligations on data brokers and businesses indirectly handling consumer data. Companies should review their data collection relationships, disclosure practices, and technical readiness for DROP integration ahead of the January 2026 effective date. 

The Delete Act, Amended

SB 361 passed both chambers of the California Legislature unanimously and was signed into law on October 8, 2025.

Policy Rationale

Lawmakers cited growing concern that federal agencies were circumventing state privacy and sanctuary protections by purchasing data from brokers, and sought to restrict such backdoor access, particularly where data sales could endanger immigrants, LGBTQ+ individuals, union members, and other vulnerable populations. Legislators also emphasized the rising use of commercially brokered data to train AI systems, framing the law as a transparency measure for both privacy and algorithmic accountability. 

Transparency Mandates

SB 361 broadens California’s statutory disclosure obligations for registered data brokers. Brokers must now indicate whether they collect the following categories of personal information: 

  • Identifiers such as name, date of birth, ZIP code, email address, and phone number. 
  • Login credentials or account information.
  • Government identification numbers.
  • Mobile advertising or connected television identifiers.
  • Vehicle identification numbers.
  • Citizenship or union membership data.
  • Sexual orientation, gender identity, or gender expression data.
  • Biometric information.

Additionally, data brokers must disclose whether, within the prior year, they sold or shared data to: 

  • Foreign actors, broadly defined to include non-U.S. entities.
  • Federal or state government entities. 
  • Law enforcement agencies. 
  • Developers of AI systems or models. 

The inclusion of “foreign actors” echoes the federal Department of Justice’s Bulk Data Rule, which restricts large-scale transfers of sensitive U.S. person data to designated countries of concern. Despite lacking a national security mandate, California intends to protect residents’ personal information from exploitation, particularly for surveillance or AI training purposes. 

Penalty Enhancements 

SB 361 also strengthens the Delete Act’s enforcement provisions, doubling the daily fine from $100 to $200 per day and extending penalties beyond registration lapses to encompass failures to process consumer deletion requests. Additionally, a broker found in violation may be liable for all registration fees owed during any unregistered period, CalPrivacy's investigative and administrative costs, and daily fines for each unprocessed or improperly handled deletion request. 

Notably, the amended law introduces California’s first per-request, per-day penalty tied to consumer deletion rights. As a result, noncompliant brokers may face significant exposure, as each unprocessed deletion request can trigger an independent fine of $200 per day until the broker fulfills its statutory obligations or demonstrates a valid exemption. 

DROP Regulations: Operationalizing the Delete Act 

On September 26, 2025, CalPrivacy submitted final regulations refining the Delete Act’s definitions and operational rules. 

The Dynamic Definition of Data Broker

Under the California Delete Act, a business is not considered a data broker if it has a “direct relationship" with the consumer. The new regulations clarify, however, that merely collecting personal information directly from a consumer does not establish such a relationship. To qualify as “direct,” the consumer must intend to interact with the business. While the regulations do not define intent, they explain that a direct relationship exists where there is a “first party” interaction. Under the CCPA regulations, “first party” refers to “a consumer-facing business with which the consumer intends and expects to interact.” 

Illustrative examples may be helpful here: 

  • A consumer that uses a fitness app would likely not have a first party relationship with an analytics SDK provider incorporated within that app that collects personal health information from the consumer via the app. This SDK provider may be considered a data broker if it sells or licenses that health information. 
  • A consumer that signs up for a social media platform and agrees to provide profile and account information likely intends and expects to interact with that platform.

Uncertain edge cases remain, however: 

  • A brand's loyalty program powered by an external marketing vendor, as stated in the brand's disclosures. Is the consumer’s intent directed at the brand or the vendor? 
  • A consumer signs up for a sweepstakes sponsored by a marketing company on behalf of a brand. The consumer knows they are entering the sweepstakes, but is their intent directed to the sponsor or the brand? 

Essentially, businesses with any separation between the consumer-facing brand and the data-collecting entity will need to carefully examine the consumer's intent and expectations. If the consumer wouldn’t reasonably know or expect to interact with a business, regulators may classify that business as a data broker.

Deus Ex Mechanism 

In operational terms, the DROP regulations build infrastructure around the Delete Act's registration and one-stop shop deletion mechanism. 

As a reminder, the Delete Act requires all registered data brokers to file annual disclosures with CalPrivacy and directs the agency to create a centralized deletion mechanism through which consumers can request, via a single verifiable submission, that every registered data broker delete their personal information. 

To comply, data brokers must establish and maintain a secure DROP account through CalPrivacy’s website. Once registered, brokers must access the DROP system at least once every forty-five days to download the current list of verified consumer deletion requests. These lists will contain hashed identifiers representing consumers’ personal information, which brokers must match against their own records. 

When a match is found, the broker must delete the corresponding personal information unless an exemption applies, such as if the broker has a direct relationship with the consumer or retention is necessary for legal compliance. If no match is found, the broker must retain and maintain the request and compare all newly collected records against the deletion lists before selling or sharing that new information. If the consumer’s data cannot be verified, the broker must instead treat the record as an opt-out of sale or sharing. The broker must also direct all service providers to delete the relevant personal information. 

Following this review, the broker must report its results back to CalPrivacy through the DROP. Each record is assigned a status code indicating whether the consumer’s information was deleted, opted out, exempted, or not found. 
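The matching and reporting workflow described above, as an added illustration (not code from CalPrivacy, the DROP platform, or this post). The regulations as summarized here do not specify the hash algorithm, the normalization applied before hashing, the status code names, or how an unverifiable request is flagged; the SHA-256-over-lower-cased-email scheme, the `verified` flag, and the status strings below are placeholders so the example runs, and all records and requests are constructed sample data.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


# ASSUMPTION: the post says DROP lists carry "hashed identifiers" but does not
# state the algorithm or normalization. SHA-256 over a trimmed, lower-cased
# email is a placeholder so the example runs; substitute the platform's spec.
def hash_identifier(value: str) -> str:
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


@dataclass
class DeletionRequest:
    request_id: str        # constructed sample id, not a real DROP identifier
    hashed_email: str      # hashed identifier as downloaded from DROP
    verified: bool = True  # ASSUMPTION: how an unverifiable request is flagged


@dataclass
class BrokerRecord:
    record_id: str
    email: str
    direct_relationship: bool = False  # exemption: first-party relationship
    legal_hold: bool = False           # exemption: retention required by law


@dataclass
class BrokerStore:
    records: dict[str, BrokerRecord]
    opt_outs: set[str] = field(default_factory=set)       # hashed ids barred from sale/sharing
    pending: dict[str, str] = field(default_factory=dict)  # unmatched hashed id -> request_id


# Status codes are constructed names for the four outcomes the post lists:
# deleted, opted out, exempted, or not found.
def process_request(store: BrokerStore, req: DeletionRequest) -> str:
    if not req.verified:
        # consumer could not be verified: treat as an opt-out of sale/sharing
        store.opt_outs.add(req.hashed_email)
        return "OPTED_OUT"
    matches = [r for r in store.records.values()
               if hash_identifier(r.email) == req.hashed_email]
    if not matches:
        # retain the request so newly collected records are screened against it
        store.pending[req.hashed_email] = req.request_id
        return "NOT_FOUND"
    if any(r.direct_relationship or r.legal_hold for r in matches):
        return "EXEMPTED"
    for r in matches:  # delete every record held for this consumer
        del store.records[r.record_id]
    return "DELETED"


def process_drop_list(store: BrokerStore, requests: list[DeletionRequest]) -> dict[str, str]:
    """One 45-day cycle: process the downloaded list and build the per-request report."""
    return {req.request_id: process_request(store, req) for req in requests}


def screen_new_record(store: BrokerStore, record: BrokerRecord) -> str:
    """Check a newly collected record before it may be sold or shared."""
    h = hash_identifier(record.email)
    if h in store.pending:
        return "DELETE"   # a retained deletion request already covers this consumer
    if h in store.opt_outs:
        return "NO_SALE"  # consumer is opted out of sale/sharing
    store.records[record.record_id] = record
    return "OK"


def demo() -> tuple[dict[str, str], str, str]:
    # Constructed sample data: two held records, four incoming requests.
    store = BrokerStore(records={
        "r1": BrokerRecord("r1", "alice@example.com"),
        "r2": BrokerRecord("r2", "bob@example.com", direct_relationship=True),
    })
    requests = [
        DeletionRequest("q1", hash_identifier("Alice@Example.com")),  # matches after normalization
        DeletionRequest("q2", hash_identifier("bob@example.com")),    # exempt: direct relationship
        DeletionRequest("q3", hash_identifier("carol@example.com")),  # no record held yet
        DeletionRequest("q4", hash_identifier("dave@example.com"), verified=False),
    ]
    report = process_drop_list(store, requests)
    # Later collection of the same consumers must be screened before any sale.
    carol_later = screen_new_record(store, BrokerRecord("r3", "carol@example.com"))
    dave_later = screen_new_record(store, BrokerRecord("r4", "dave@example.com"))
    return report, carol_later, dave_later


if __name__ == "__main__":
    print(demo())
```

The point of keeping `pending` and `opt_outs` separate is that a not-found request still binds the broker going forward: data about that consumer collected after the download must be deleted rather than sold, whereas an unverifiable request only blocks sale or sharing. An auditable implementation would also log each status decision with the request id and cycle date, since the per-request, per-day penalty runs until the broker can show the request was handled.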

The regulations also create a process for a business to withdraw from its data broker status if it believes it no longer meets the statutory definition. The business must provide notice and an explanation supporting its position to CalPrivacy, which may request additional relevant information. If approved, the business must delete any data received through the DROP and deactivate its DROP account.

Takeaways for Data Brokers

  • California expands data broker transparency. SB 361 broadens disclosure obligations, requiring brokers to report not only the categories of data they collect but also whether they have shared or sold information to foreign actors, government entities, law enforcement, or AI developers.
  • New, per-request penalties heighten enforcement risk. Each unprocessed deletion request may now incur an independent fine of $200 per day until resolved, in addition to registration and investigative costs—creating significant cumulative exposure for noncompliance.
  • “Direct relationship” narrowly defined. CalPrivacy clarifies that merely collecting data directly from a consumer does not establish a direct relationship; consumers must both intend and expect to interact with the business. Indirect data collectors may therefore fall within the “data broker” definition.
  • DROP system mandates ongoing engagement. Beginning January 1, 2026, registered brokers must maintain a secure account on the Data Removal and Opt-Out Platform (DROP), log in at least every 45 days, and process all verified deletion requests using hashed-identifier matching.
  • Compliance preparation should start now. Brokers should review their data maps, update disclosure statements, build auditable deletion workflows, and ensure technical readiness for DROP integration ahead of the effective date.
