SB 361: Defending Californians’ Act – Expanding Requirements for Data Brokers

California Senate Bill 361 (SB 361), the Defending Californians’ Act (DCA), was signed into law in October 2025. It creates new obligations for data brokers that phase in over the next two years, with the first taking effect in January 2026. The DCA builds on the Delete Act, which gave consumers the right to request deletion of their personal information from data brokers. The new law expands the disclosures data brokers must make, mandates periodic independent audits, and imposes significant fines for noncompliance. Together, these obligations and the accompanying enforcement mechanisms are intended to increase transparency around the sale of highly sensitive personal information by data brokers.

Below, we review key thresholds, requirements, and enforcement under this expanding regulatory framework for data brokers in California.

Definition of “Data Broker”

A data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

Key Compliance Requirements

Expanded Reporting (Beginning January 31, 2026)

Under the DCA, data brokers must disclose in their annual registration whether they collect highly sensitive categories of data and whether they share data with specific categories of recipients: foreign actors, the federal government, state governments, law enforcement, and developers of generative AI. Beginning with the annual registration that covers 2025 activity and is due by January 31, 2026, data brokers must publicly disclose the collection of several new data categories and identify with whom that data is shared.

The registration will now require disclosure of whether the broker collects (1) high-risk, (2) constitutionally protected, or (3) financial data. This covers the following types of information:

  • Civil rights and status information: including citizenship, immigration status, union membership, sexual orientation, and gender identity.
  • Financial and identity credentials: including government-issued identification numbers and account login credentials.
  • Physical and health data: including biometric data, precise geolocation, and reproductive health care data.

Mandatory Audits (Starting January 1, 2028)

Beginning January 1, 2028, data brokers must engage an independent third party to audit their compliance every three years. The audit report and supporting materials must be retained for at least six years and submitted to the California Privacy Protection Agency (CPPA) upon written request. Beginning with the January 2029 registration, brokers must also publicly report their audit status as part of their annual registration.

Enforcement

Under the DCA, the CPPA is the exclusive enforcement authority and oversees the Data Removal and Opt-Out Platform (DROP), the centralized system created by the Delete Act. DROP must be operational by August 1, 2026, allowing a consumer to submit a single deletion or opt-out request that reaches every registered data broker. The DCA strengthens this framework by requiring brokers to check DROP on a recurring basis and to process and document every request within 45 days, including requests they deny under a statutory exception. Failure to comply can result in administrative fines of up to $200 per day for each unfulfilled request, which ties DROP directly into the DCA’s enforcement structure.

***

Wiley’s Privacy, Cyber & Data Governance team has broad experience in navigating compliance issues around cutting-edge technology and the evolving legal landscape, and handling enforcement and litigation matters. For questions about this alert, please contact the authors.
