Companies are becoming increasingly concerned about being viewed as “selling” personal data. In the midst of these worries, California’s governor signed SB 361, which will change the California Delete Act starting January 1, 2026. The law applies to those who sell personal information about consumers with whom they do not have a direct relationship. For covered entities, the amendment will add to compliance complexities.
The bill adds more disclosure obligations when a data broker registers with the state. Currently, data brokers must disclose when registering if they collected five different kinds of information. These include children’s information or reproductive health information. That list has now been almost tripled. New elements to disclose as part of registering include if the broker collects biometric data and mobile advertising IDs. As amended, data brokers will also need to state if they sell information to foreign actors or US governmental bodies or law enforcement. They will also have to state if they sell any of the listed identifiers to GenAI models.
Separately, the California Privacy Protection Agency finalized its DROP regulations. That tool, the “Delete Request and Opt-Out Platform,” will go live for consumers on January 1, 2026. Once live, consumers can go to the registry and opt out of brokers’ sale of their information. Brokers will need to start regularly scrubbing against the platform August 1, 2026. “Regularly” is defined as every 45 days. These finalized regulations have been modified from the last round, specifically to change the percentage matching threshold between what is in the DROP platform and what the broker holds before opting someone out. The final regulations call for a 100% match, not the previous 50% threshold.
Putting It Into Practice: This amendment (and final rule) is a reminder of US state regulators’ concerns about the sharing of personal information. The requirements suggest that covered companies could be well served if they use their organizations’ broader risk and compliance frameworks to address these obligations, while keeping in mind the legal exposure incorrect reports might create.