California's SB 361: A Major Expansion of Data Broker Compliance Requirements
Key Takeaways
SB 361 expands required disclosures for data brokers registering with the CPPA, including whether they collect 17 specified categories of personal data.
Brokers must disclose if they have sold or shared data with foreign actors, law enforcement, governments, or AI developers.
Deletion obligations are stricter: brokers must process deletion/opt-out requests within 45 days and routinely delete personal data.
SB 361 introduces mandatory audits every three years starting in 2028.
Fines for non-compliance can reach $200 per day, per deletion request, plus additional costs.
The bill has already passed the California Senate and is expected to become law before October 12, 2025.
Introduction
California continues to lead the nation in consumer privacy legislation. Senate Bill 361 (SB 361), introduced by Senator Josh Becker, is the latest proposed amendment to the California Delete Act, itself a landmark law designed to give consumers more control over their personal information. If enacted, SB 361 would significantly strengthen transparency, security, and accountability measures for entities collecting and monetizing consumer data—especially in the context of AI development, national security, and cross-border data sharing.
As data privacy becomes more tightly intertwined with national security, artificial intelligence governance, and consumer rights, this bill signals a clear shift in how California expects personal data to be handled, disclosed, and deleted.
What Is a Data Broker?
Under California law, a data broker is defined as a business that knowingly collects and sells personal information about consumers with whom the business does not have a direct relationship. These entities often operate largely behind the scenes, aggregating and selling consumer data to marketers, advertisers, analytics firms, and sometimes even governments.
Consumers often do not know that data brokers have their information, and may be unaware of how that information is used, making transparency and accountability key issues. The Delete Act, enacted in 2023, introduced a one-click mechanism for Californians to request the deletion of their data from all registered data brokers, and empowered the California Privacy Protection Agency (CPPA) to enforce compliance.
Understanding the Delete Act: California’s Groundbreaking Privacy Framework
Enacted in 2023 and set to take full effect in 2026, the California Delete Act was designed to give residents more control over their personal information. It required the CPPA to establish a one-click mechanism allowing consumers to request deletion of their data from all registered data brokers. The law also required brokers to register annually with the CPPA and disclose limited information about their data practices.
Key provisions of the Delete Act include:
A centralized deletion request tool launching in 2026
Mandatory data deletion every 45 days after a valid request
Annual registration and disclosure requirements for data brokers
Enforcement authority granted to the CPPA, including the power to impose penalties for non-compliance
However, the original Delete Act left several gaps—particularly around enforcement, data sharing with high-risk entities, and transparency about specific data types. SB 361 builds on these foundations—adding new transparency mandates, shorter timelines, and stricter penalties.
What SB 361 Requires from Data Brokers
SB 361 builds upon the Delete Act by adding a range of new obligations for data brokers, including enhanced registration disclosures, stricter timelines for honoring deletion requests, expanded compliance audits, and increased transparency about data sharing with sensitive entities such as foreign governments and AI developers.
1. Expanded Registration Disclosures
First, the bill significantly expands the scope of information data brokers must provide when registering with the CPPA. Data brokers must now disclose whether they collect any of 17 specific types of personally identifiable information, including:
Name, date of birth, ZIP code
Email address, phone number
Government-issued IDs (e.g., driver’s license, SSN)
Biometric data
Gender identity, sexual orientation
Union membership
Online identifiers (e.g., mobile ad ID, connected TV ID)
If a broker doesn't collect these categories, they must list up to three types of personal data they do collect.
2. Transparency in Data Sales and Sharing
In addition to enhanced disclosures about collection practices, SB 361 requires data brokers to report whether, in the past 12 months, they sold or shared consumer data with:
Foreign adversaries (China, Russia, Iran, North Korea)
The U.S. federal government
Other U.S. states
Law enforcement agencies (unless under court order)
Developers of AI and generative AI systems
This is designed to increase accountability around national security and AI data practices.
3. Stricter Deletion and Opt-Out Rules
Another major component of the bill is the imposition of strict deadlines for processing opt-out and deletion requests.
Under SB 361, data brokers must:
Process deletion or opt-out requests within 45 days
Treat unverifiable requests as valid opt-outs under the California Consumer Privacy Act (CCPA)
Delete consumer data every 45 days after a valid request, unless legally exempt
Undergo third-party audits every three years, starting in 2028
Enforcement and Penalties Under SB 361
Over the past year, the CPPA has intensified enforcement against data brokers who fail to comply with the Delete Act. With the passage of SB 361, compliance obligations will only increase, raising the stakes for non-compliance even higher.
Failure to comply with SB 361 could result in:
$200 per day per deletion request not fulfilled
Additional CPPA enforcement costs
Potential public enforcement actions and reputational harm
The CPPA is ramping up enforcement, making compliance no longer optional for businesses operating in California or handling California residents’ data. Data brokers are advised to closely monitor SB 361, evaluate their data collection and sharing practices, and begin updating their CPPA registration and deletion workflows in anticipation of the bill becoming law.
Why SB 361 Matters: Consumer Data, AI, and National Security
As technologies like artificial intelligence (AI), machine learning, and behavioral analytics evolve, so do the risks surrounding personal data misuse. SB 361 reflects California’s recognition that data privacy is now a matter of national security, AI accountability, and consumer trust.
1. Consumer Trust
In an age where consumers are increasingly aware—and skeptical—of how their data is collected, sold, and used, transparency and control have become competitive advantages. SB 361 empowers Californians with greater visibility into where their personal data is going and what it’s being used for. By requiring disclosures around sensitive data categories and high-risk data transfers, the bill aims to restore public confidence in the digital ecosystem.
For companies, complying with SB 361 is no longer just about avoiding fines—it’s about earning trust and building long-term loyalty. Consumers are more likely to engage with brands that respect their privacy rights and offer genuine data control.
2. Responsible AI Development
Artificial intelligence systems often rely on large datasets, many of which are sourced from third-party data brokers. Without regulation, there’s a risk that AI models are trained on outdated, biased, or unlawfully acquired data, leading to real-world harm.
SB 361 introduces a critical layer of scrutiny by forcing transparency around the sale or sharing of consumer data with AI and generative AI developers. This provision aligns with emerging global standards around ethical AI practices and is especially important as California positions itself as a leader in tech governance.
3. Secure Cross-Border Data Flows
Foreign adversaries and state-sponsored actors have shown growing interest in U.S. consumer data, whether for surveillance, influence campaigns, or intelligence gathering. By requiring data brokers to disclose if they've sold or shared personal information with foreign actors from adversary countries (including China, Russia, Iran, and North Korea), SB 361 directly addresses national security risks.
This level of accountability around cross-border data flows is a first in U.S. state law and could set a precedent for federal policy. It signals to businesses that they must not only protect data but also know exactly where it’s going and who’s accessing it.
Next Steps for Data Brokers
To comply with SB 361 and prepare for increased oversight from the California Privacy Protection Agency (CPPA), data brokers must move quickly to operationalize privacy compliance. Here's what organizations should do now:
1. Conduct a Comprehensive Data Inventory
Begin by mapping all personal information collected, processed, stored, shared, or sold. Include sensitive data types like biometric identifiers, geolocation data, and government-issued IDs. This audit should include both first-party and third-party data sources and be continuously updated.
2. Update CPPA Registrations
Under SB 361, data brokers must disclose whether they collect any of 17 specific categories of personal data. Brokers that collect none of them must still identify up to three common types of personal information they do collect. Reflect this update in your annual CPPA registration, and make sure it is complete, accurate, and consistent. Failure to comply could result in daily fines and reputational damage.
3. Streamline Deletion and Opt-Out Workflows
The law mandates processing of deletion and opt-out requests within 45 days. This includes treating unverifiable requests as opt-outs under the California Consumer Privacy Act (CCPA). Automate workflows where possible and ensure your systems can log and verify each request for auditability. Make your consumer rights portal user-friendly and CPPA-compliant.
4. Plan for Triennial Third-Party Audits
Starting in 2028, all registered data brokers will be subject to third-party compliance audits every three years. Begin documenting your policies, procedures, data maps, vendor relationships, and security controls now to reduce risk and cost later. Your audit-readiness should align with California's evolving privacy standards and withstand scrutiny from CPPA investigators.
5. Review Data Sharing Agreements
Any contract involving data sales, exchanges, or licensing, especially with foreign entities or AI companies, should be reviewed and updated. Ensure you have clear contractual language on data use, retention, security, and disclosure obligations. Focus on agreements that might trigger SB 361’s disclosure requirements—particularly those involving cross-context behavioral advertising or AI training data.
The Bottom Line
SB 361 is more than a simple regulatory update—it marks a significant transformation in California’s approach to consumer data protection. By requiring greater transparency around the sale and sharing of personal information, especially with high-risk parties like foreign governments and AI developers, California is prioritizing consumer privacy and national security above business convenience.
Data brokers should view SB 361 not as a routine compliance task but as a call to fundamentally reassess their data governance frameworks, audit preparedness, consumer rights processes, and internal transparency measures. With the bill’s expected passage and enforcement looming, immediate action is critical.
In essence, SB 361 underscores California’s growing dedication to empowering consumers with both control over their personal data and effective tools to enforce those rights in an era dominated by extensive data collection and AI technology. Data brokers that proactively adapt will be better equipped to navigate these evolving regulations and avoid significant penalties.