California Expands Data Broker Transparency | Delete Act

California’s privacy updates represent a major shift in how personal information is managed and shared. SB 361 and the Delete Act work together to promote transparency and consumer empowerment, setting a national example for data privacy reform. These new laws and consumer protection attorneys will help consumers take charge of their data and hold companies accountable for responsible data practices. Call our firm to discuss taking legal action when data brokers and other entities misuse your data. 

Overview of New California Privacy Laws

California is continuing to strengthen its privacy and consumer protection laws. On October 8, 2025, Governor Gavin Newsom signed Senate Bill 361, which adds new requirements for data brokers operating in the state.

This law expands California’s existing data broker registration process, requiring companies to share more details about how they collect, use, and sell personal data. These changes come shortly after the California Privacy Protection Agency (CPPA) approved new regulations under the 2023 Delete Act, which will create a statewide system allowing residents to request deletion of their personal information. That system is set to launch in August 2026.

Together, SB 361 and the Delete Act create one of the strongest data transparency frameworks in the country. Businesses that buy or sell consumer data will face tighter reporting obligations, while consumers gain more control over their personal information.

What Is the Delete Act?

The Delete Act, passed in 2023, is a groundbreaking privacy law that gives Californians a simple way to remove their personal data from hundreds of data broker databases at once.

Under the Act, the CPPA will build a central online deletion portal where residents can file a single request to have their information deleted by every registered data broker. Once submitted, all brokers must erase the consumer’s data and stop collecting it unless another law allows retention.

The Delete Act also requires brokers to disclose the categories of data they collect, explain how they process deletion requests, and update their registration each year. Enforcement begins in August 2026, giving businesses time to adjust their systems.

When combined with SB 361, the Delete Act not only improves transparency but also strengthens consumer privacy rights statewide.

What’s Changing for Data Brokers

Previously, California required data brokers to disclose only limited information when registering annually with the CPPA—such as whether they collected data on minors, precise location details, or reproductive health information. SB 361 significantly broadens that list. Now, companies must report if they collect any of the following:

• Names, dates of birth, ZIP Codes, email addresses, or phone numbers

• Account login credentials, such as usernames and passwords

• Government-issued IDs, including driver’s licenses, Social Security numbers, or passports

• Digital identifiers like mobile ad IDs, connected TV IDs, or vehicle identification numbers

• Citizenship or immigration data

• Union membership information

• Sexual orientation, gender identity, or gender expression data

• Biometric data such as fingerprints or facial recognition

If a data broker does not collect these identifiers, it must list up to three of the most common data types it does collect.

This expanded disclosure gives regulators a clearer picture of what types of data are circulating among brokers while preventing sensitive company details from being made public on the CPPA’s website.

New Rules About Sharing and Selling Data

SB 361 also introduces new requirements about who data brokers share information with. Companies must now disclose whether they have sold or shared personal data within the past year to:

1. A foreign government or organization

2. The U.S. federal government

3. Another state government

4. Law enforcement (unless under subpoena or court order)

5. A developer of a generative AI (GenAI) system or model

A “GenAI developer” is any person or company that designs or modifies artificial intelligence systems that generate text, images, or other content. The law does not yet define what counts as a “substantial modification,” leaving room for future clarification.

What Does This Change for Consumers?

For California residents, SB 361 and the Delete Act together offer more transparency and stronger privacy protections than ever before. Here’s how consumers benefit from the new rules:

• Greater visibility: People can now learn what types of personal data are being collected and which organizations are handling it.

• More control: Once the Delete Act’s statewide portal is launched in 2026, residents can easily request that their data be deleted from every registered data broker’s system with one submission.

• Accountability for data brokers: Companies will be held responsible for sharing and selling data to third parties, especially AI developers or foreign entities.

• Increased privacy safeguards: By requiring detailed disclosures, the state reduces the chance of sensitive data being misused or sold without consent.

• Empowered decision-making: Consumers can make more informed choices about the companies and services they interact with based on how their data is handled.

In short, these updates give Californians clearer insight into the data marketplace and practical tools to protect their privacy.

Why Hire The Lyon Firm

The Lyon Firm represents individuals and organizations in data privacy, cybersecurity, and consumer protection matters nationwide. With California’s evolving privacy laws, understanding what SB 361 and the Delete Act mean for your rights can be complex. Our firm’s attorneys can help clients:

• Navigate data deletion requests and privacy disputes

• Review whether companies are following CPPA reporting standards

• Address possible violations or breaches involving consumer information

• Pursue legal action when data rights are ignored

The Lyon Firm offers free consultations and remains committed to protecting privacy rights while guiding clients through the fast-changing landscape of data protection law.