January 20, 2026

On October 8, 2025, California Governor Gavin Newsom signed into law Senate Bill 361 (SB 361), officially known as the “Defending Californians’ Data Act.” This act represents a significant step in California's comprehensive approach to data privacy and regulation of the data broker industry. The legislation amends the state’s data broker registration requirements, building on the foundational consumer rights established by the Delete Act (SB 362) of 2023.
SB 361 is designed to increase transparency and accountability, requiring data brokers, which are businesses that knowingly collect and sell the personal information of Californians with whom they lack a direct relationship, to provide substantially more detail to the California Privacy Protection Agency (CPPA) about the nature of the data they handle and the ultimate recipients of that data.
A core mandate of SB 361 requires data brokers to provide more detailed information in their annual registration with the California Privacy Protection Agency (CCPA). This enhanced transparency aims to provide the public with a clearer understanding of the personal information being bought and sold.
Data brokers must now disclose whether they collect any of the following categories of information on California consumers:
The mandatory disclosure list for data brokers has been significantly expanded to include whether they collect new sensitive categories of personal information. The Delete Act already required disclosure of precise geolocation and reproductive health data, and the disclosure list has been expanded to include:
SB 361 recognizes that some data brokers may not collect the typical high-volume identifiers. If data brokers do not collect any commonly required identifiers (such as names, dates of birth, ZIP Codes, email addresses, phone numbers, mobile advertising IDs, Connected TV IDs, or vehicle identification numbers), SB 361 requires an alternative disclosure.
In this circumstance, data brokers must instead disclose up to three, but no fewer than one, of the most common types of personal information that the data broker collects.
A requirement established by SB 361 focuses on geopolitical and technological transfer risks by requiring disclosures about entities that receive data. Data brokers must now disclose if, in the past year, they have sold or shared a consumer’s personal information with the following parties:
Copyright © Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients.
Hybrid Conference
Intellectual Property Law Institute 2026 – California
October 19-20, 2026
San Francisco
Due to international data regulations, we’ve updated our privacy policy. Click here to read our privacy policy in full.