直 Japanese PDF Font
  • Our Professionals
  • Our Work
  • Our Insights
  • Offices
  • Firm
  • Careers
Finnegan
  • Articles & Books
    • Ad Law Buzz Blog
    • At the PTAB Blog
    • European IP Blog
    • Federal Circuit IP Blog
    • INCONTESTABLE® Blog
    • Prosecution First Blog
  • Events & Webinars
  • IP Updates
  • Podcasts
    • AI + Finnegan
    • AI + Copyright
    • AI + Patent
    • AI + Privacy
    • AI + Trade Secrets
    • AI + Trademark
  • Unified Patent Court (UPC) Hub

Article

Unlocking Transparency: What You Need to Know About California’s Defending Californians’ Data Act

January 20, 2026

By Lynn Parker Dupree; LaQuan N. Bates

  1. Expanded Data Disclosure Requirements: SB 361 significantly broadens the categories of personal and sensitive information that data brokers must report to the CPPA, increasing transparency around what consumer data is collected.

  2. New Obligations for Identifying Data Recipients: The law requires data brokers to disclose whether they have shared or sold consumer information to AI developers, foreign adversaries, or government entities within the past year.

  3. Higher Compliance and Audit Standards: SB 361 implements stricter regulatory expectations, including expanded disclosures by January 31, 2026, and mandatory third‑party audits beginning in 2028, to strengthen oversight of data brokers’ collection and deletion practices. Starting January 2029, data brokers are required to publicly report their audit status as part of their annual registration.

On October 8, 2025, California Governor Gavin Newsom signed into law Senate Bill 361 (SB 361), officially known as the “Defending Californians’ Data Act.” This act represents a significant step in California's comprehensive approach to data privacy and regulation of the data broker industry. The legislation amends the state’s data broker registration requirements, building on the foundational consumer rights established by the Delete Act (SB 362) of 2023. 

SB 361 is designed to increase transparency and accountability, requiring data brokers, which are businesses that knowingly collect and sell the personal information of Californians with whom they lack a direct relationship, to provide substantially more detail to the California Privacy Protection Agency (CPPA) about the nature of the data they handle and the ultimate recipients of that data.  

Expanded Disclosure of Collected Information 

A core mandate of SB 361 requires data brokers to provide more detailed information in their annual registration with the California Privacy Protection Agency (CCPA). This enhanced transparency aims to provide the public with a clearer understanding of the personal information being bought and sold.  

Data brokers must now disclose whether they collect any of the following categories of information on California consumers: 

Credentials and Identifiers 

  • Account login or account number when paired with any security code or password that permits access to a consumer’s account with a third party.  
  • Government-issued ID numbers, including Social Security, driver's license, passport, or tax ID numbers.  

The mandatory disclosure list for data brokers has been significantly expanded to include whether they collect new sensitive categories of personal information. The Delete Act already required disclosure of precise geolocation and reproductive health data, and the disclosure list has been expanded to include:  

Sensitive Data 

  • Citizenship data, including immigration status.  
  • Union Membership. 
  • Sexual orientation and gender identity.  

Device and Biometric Data 

  • Biometric data, such as fingerprints, facial recognition, or voice prints.  
  • Vehicle Identifier Number (VIN), Mobile ad ID, and Connected TV ID.  

SB 361 recognizes that some data brokers may not collect the typical high-volume identifiers. If data brokers do not collect any commonly required identifiers (such as names, dates of birth, ZIP Codes, email addresses, phone numbers, mobile advertising IDs, Connected TV IDs, or vehicle identification numbers), SB 361 requires an alternative disclosure.  

In this circumstance, data brokers must instead disclose up to three, but no fewer than one, of the most common types of personal information that the data broker collects. 

Who is Buying Your Data? New Mandates for Recipient Reporting  

A requirement established by SB 361 focuses on geopolitical and technological transfer risks by requiring disclosures about entities that receive data. Data brokers must now disclose if, in the past year, they have sold or shared a consumer’s personal information with the following parties: 

  • Developers of AI Systems: A developer of Artificial Intelligence (AI) or Generative (GenAI) systems or models.  
  • Foreign Actors: The government of a “foreign adversary country” (defined to include China, North Korea, Russia, and Iran) or any organization whose principal place of business is located in such country.  
  • Government Entities: The federal government, other state governments, and law enforcement, unless the disclosure was made pursuant to a legally required subpoena or court order.  

Effective Date of Amendments 

  • The changes introduced by SB 361 to the data broker registration and disclosure requirements took effect on January 1, 2026. This means that the new, expanded disclosures regarding collected data and its recipients must be incorporated into the annual registration filing submitted to the CPPA by January 31, 2026, for any businesses that qualified as data brokers in 2025. 
  • To strengthen the enforcement of the Delete Act, SB 361 introduces a mandatory periodic audit requirement for data brokers. Beginning January 1, 2028, and every three years thereafter, a data broker must undergo an independent third-party audit to confirm compliance with data deletion requirements. 
  • Data brokers must submit the resulting audit report to the CPPA within five business days of receiving a written request and are required to maintain the audit report for a minimum of six years. The Defending Californians’ Data Act significantly raises the compliance requirements for data brokers, requiring them to review and adjust their data collection, sale, sharing, and deletion practices to align with California’s enhanced regulatory standard.  

Related Practices

Appeals, Issues, and Legal Strategy

Diligence, Licensing, and Opinions

Privacy

Global IP Enforcement, Litigation, and Trials

Related Industries

AI, Electronics, and Information Technology

Communications

Related Offices

Washington, DC

Related Professionals

Lynn Parker Dupree
Partner
Washington, DC
+1 202 408 4462
Email
LaQuan N. Bates
Associate
Washington, DC
+1 202 408 4479
Email

Copyright © Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients.

Related Insights

Conference

ChIPs Global Summit 2026

October 21-23, 2026

Los Angeles

Hybrid Conference

Intellectual Property Law Institute 2026 – California

October 19-20, 2026

San Francisco

Conference

IAM Live: SEP Summit Global 2026

September 9-10, 2026

London

Lecture

Resolving Patent Suits Without Settlement Payments

September 3, 2026

Virtual

Conference

Singapore IP Week 2026

August 26-27, 2026

Conference

Georgia Life Sciences Summit 2026

August 25-26, 2026

Sandy Springs

Conference

13th Annual Summit for Women Leaders in Life Sciences Law

July 29-30, 2026

Boston

Webinar

U.S. Patent Case Law Update 2026

July 23, 2026

Webinar

Webinar

Successful Strategies to Win Alice Motions and Fee Awards in Patent Cases Against Non-Practicing Entities

July 22, 2026

Webinar

Due to international data regulations, we’ve updated our privacy policy. Click here to read our privacy policy in full.

  • Privacy
  • Disclaimer
  • Legal Notices
  • Fraud Alert
  • EEO Statement
  • Cookies
  • Contact Us

© 2026 Finnegan, Henderson, Farabow, Garrett & Dunner, LLP