Privacy & Information Security Law Blog

On October 8, 2025, California Governor Gavin Newsom signed into law SB-361, which amends the California Delete Act (“Delete Act”) to require data brokers to provide significantly more information in their registration applications with the California Privacy Protection Agency (“CPPA”), including whether they collect California consumers’:

• Name;
• Date of birth;
• ZIP code;
• Email address;
• Phone number;
• Account login or account number in combination with any required password, access code or security code that would permit access to a consumer’s account with a third party;
• Government ID number (i.e., driver’s license number, California ID card number, Social Security number, Tax ID number, passport number, military ID number, other unique government ID number);
• Vehicle Identifier Number (VIN);
• Mobile ad ID number;
• Connected TV ID number;
• Citizenship data (including immigration status);
• Union membership status;
• Sexual orientation;
• Gender identity/expression;
• Biometric data;
• Precise geolocation data*;
• Personal information of minors*; and
• Reproductive health care data.*

*The Delete Act as currently enacted already requires data brokers to provide the starred categories of data.

SB-361 requires data brokers that do not collect name, date of birth, ZIP code, email address, phone number, mobile ad ID, connected TV ID or VIN to disclose the most common types of personal information collected (a minimum of one category and a maximum of three categories).

Additionally, SB-361 requires data brokers to disclose in their CPPA registrations whether, in the past year, they shared or sold California consumers’ personal information with or to:

• a “foreign actor” (i.e., the government of a “foreign adversary country” (China, North Korea, Russia or Iran)) or organization with its principal place of business in a foreign adversary country);
• the federal government;
• other state governments;
• law enforcement (unless the data was shared pursuant to a subpoena or court order); or
• a developer of an AI or GenAI system or model.

SB-361 will increase data brokers’ compliance obligations at a time of increased regulatory scrutiny of the industry. Over the past year, the CPPA has announced

a number of enforcement actions against data brokers, as part of the agency’s investigative sweep of data brokers’ compliance with the Delete Act. With the upcoming data broker registration deadline of January 31, 2026, companies should analyze whether they are subject to the Delete Act and ensure compliance with the law’s new registration requirements.