ARTICLE
27 October 2025

California Continues To Expand Data Broker Requirements

SM
Sheppard, Mullin, Richter & Hampton LLP

Contributor

Sheppard, Mullin, Richter & Hampton LLP logo
Businesses turn to Sheppard to deliver sophisticated counsel to help clients move ahead. With more than 1,200 lawyers located in 16 offices worldwide, our client-centered approach is grounded in nearly a century of building enduring relationships on trust and collaboration. Our broad and diversified practices serve global clients—from startups to Fortune 500 companies—at every stage of the business cycle, including high-stakes litigation, complex transactions, sophisticated financings and regulatory issues. With leading edge technologies and innovation behind our team, we pride ourselves on being a strategic partner to our clients.
Explore Firm Details
Companies are become increasingly concerned about being viewed as "selling" personal data. In the midst of these worries, California's governor signed SB 361, which will change the California...
United States California Privacy
Liisa M. Thomas and Kathryn Smith
Your Author LinkedIn Connections
Liisa M. Thomas’s articles from Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • with readers working within the Consumer Industries industries
Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • within Insolvency/Bankruptcy/Re-Structuring and Cannabis & Hemp topic(s)

Companies are become increasingly concerned about being viewed as "selling" personal data. In the midst of these worries, California's governor signed SB 361, which will change the California Delete Act starting January 1, 2026. The law applies to those who sell personal information about consumers with whom they do not have a direct relationship. For covered entities, the amendment will add to compliance complexities.

The bill adds more disclosure obligations when a data broker registers with the state. Currently, data brokers must disclose when registering if they collected five different kinds of information. These include children's information or reproductive health information. That list has now been almost tripled. New elements to disclose as part of registering include if the broker collects biometric data and mobile advertising IDs. As amended, data brokers will also need to state if they sell information to foreign actors or US governmental bodies or law enforcement. They will also have to state if they sell any of the listed identifiers to GenAI models.

Separately, the California Privacy Protection Agency finalized its DROP regulations. That tool, the "Delete Request and Opt-Out Platform," will go live for consumers on January 1, 2026. Once live, consumers can go to the registry and opt out of brokers' sale of their information. Brokers will need to start regularly scrubbing against the platform August 1, 2026. "Regularly" defined as every 45 days. These finalized regulations have been modified from the last round. Specifically, to change the percentage matching threshold between what is in the DROP platform and what the broker holds before opting someone out. The final regulations call for a 100% match, not the previous 50% threshold.

Putting It Into Practice: This amendment (and final rule) is a reminder of US state regulators' concerns about the sharing personal information. The requirements suggest that covered companies could be well served if they use their organizations' broader risk and compliance frameworks to address these obligations, while keeping in mind the legal exposure incorrect reports might create.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Liisa M. Thomas
Liisa M. Thomas
Photo of Kathryn Smith
Kathryn Smith
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More