Privacy & Information Security Law Blog

A bill making its way through the California legislature (S.B. 361) (the “Bill”) would amend the California Delete Act (“Delete Act”) to require data brokers to provide significantly more information in their registration applications with the California Privacy Protection Agency (“CPPA”), including whether the data broker collects California consumers’:

• Name;
• Date of birth;
• Zip code;
• Email address;
• Phone number;
• Account login in combination with password/security code;
• Government ID (i.e., driver’s license number, California ID card number, SSN, Tax ID number, passport number, military ID number, other unique government ID number);
• Vehicle Identifier Number (VIN);
• Mobile ad ID number;
• Connected TV identification number;
• Citizenship data (including immigration status);
• Union membership status;
• Sexual orientation;
• Gender identity/expression;
• Biometric data;
• Precise geolocation data*; and
• Reproductive health care data.*

*The Delete Act as currently enacted already requires data brokers to provide the starred categories of data.

The Bill also would require data brokers that do not collect name, date of birth, zip code, email address, phone number, mobile ad ID, connected TV ID or VIN to indicate the most common types of personal information the data broker collects (a minimum of one category, a maximum of three categories).

Additionally, the Bill would a require data broker to disclose in its registration with the CPPA whether, in the past year, the data broker has “shared” (for cross-context behavioral advertising) or “sold” (for monetary or other valuable consideration) California consumers’ personal information to:

• A “foreign actor” (i.e., the government of a “foreign adversary country” (i.e., China, North Korea, Russia or Iran) or organization with its principal place of business in a foreign adversary country);
• The federal government;
• Other state governments;
• Law enforcement (unless the data was shared pursuant to a subpoena or court order); or
• A developer of an AI or GenAI system or model.

The Bill further would require data brokers to process California Consumer Privacy Act opt-out of sale or sharing requests (where deletion requests cannot be verified) within 45 days of receipt.

The Bill has passed the California Senate and recently was ordered to the consent calendar (which is used to hear uncontroversial bills) for a third reading. September 12, 2025 is the deadline for the Legislature to pass bills, and California Governor Gavin Newsom has until October 12, 2025 to sign or veto bills passed by the Legislature.

Over the past year, the CPPA has issued a number of enforcement actions against data brokers, as part of the agency’s investigative sweep of data brokers’ compliance with the Delete Act. If passed, the Bill would increase data brokers’ compliance obligations at a time of increased scrutiny of the industry by the CPPA. Data brokers should closely monitor this law and ensure compliance with all of the Delete Act’s requirements.