SB 361 creates a statewide registry for businesses that meet California’s definition of “data broker,” obligating them to register with the California Privacy Protection Agency (CPPA) and provide detailed disclosures about their data-collection practices. The bill also requires an accessible consumer-facing mechanism — hosted by the broker and supported by the registry program — to let Californians exercise deletion and other privacy rights.
The measure gives the CPPA enforcement authority, including administrative fines, and directs registration fees and recovered penalties into a dedicated Data Brokers’ Registry Fund. The statute targets modern risks such as transfers to developers of generative AI systems and cross-border sharing, and it aims to make brokers’ practices discoverable to regulators and consumers.
At a Glance
What It Does
SB 361 requires every business that qualifies as a data broker to register annually with the CPPA and disclose, in a prescribed format, what categories of personal information it collects and whether it shares that information with particular third parties, including certain governments and AI developers. The statute also obliges brokers to provide a public web page explaining how consumers exercise deletion, correction, access, and opt-out rights and to avoid dark-pattern design on that page.
Who It Affects
The law applies to companies that meet California’s statutory data-broker definition: essentially firms that collect and sell or share consumer data without a direct consumer relationship. Buyers of brokered data, developers that consume such datasets (including makers of GenAI systems), and the CPPA (as the enforcing agency) will also be affected.
Why It Matters
SB 361 fills a transparency gap between consumer-facing platforms and behind-the-scenes data brokers by forcing public registration and consumer-facing controls; it also brings modern concerns — like AI training and foreign transfers — into routine regulatory oversight. Compliance teams, privacy officers, and risk professionals should view the bill as a new operational compliance layer for any business trading in consumer profiles.
What This Bill Actually Does
The bill establishes a recurring registration obligation: when a business meets the title’s definition of a data broker, it must sign up with the California Privacy Protection Agency and keep that registration current on an annual basis. Registration is more than a name-and-address filing: the statute requires brokers to report metrics compiled under related registry provisions, certify whether they collect a range of categories of personal information, and link to an explanatory consumer page on the broker’s own website.
That consumer-facing page must provide actionable instructions for exercising established privacy rights (deletion, correction, access, disclosures about sale or sharing, opting out, and limiting the use of sensitive personal information), and the bill expressly prohibits the use of dark patterns on that page. Brokers that do not collect the enumerated identifiers can instead report up to three of the most common data types they do gather, which keeps the registry useful while recognizing differences in business models.
SB 361 also builds enforcement and funding mechanics into the program. The CPPA will set and collect registration fees to support the public registry website and the deletion mechanism; penalties and recovered fees feed a Data Brokers’ Registry Fund intended to offset program and court costs. The statute adds reporting hooks for certain modern vectors: the text asks brokers to disclose whether they have shared data with specified recipients, including developers of generative AI systems, and defines key terms so that the new obligations apply to contemporary data flows.
Finally, the statute creates an audit and documentation expectation: brokers will have to indicate whether they have undergone a legislatively described audit and, if so, provide the most recent report and related materials to the CPPA.
The combination of public registry entries, an accessible deletion path, and recordkeeping aims to make broker activity auditable by regulators and discoverable to consumers without forcing regulators to micromanage business models.
The Five Things You Need to Know
Registration is annual: a broker must register with the CPPA on or before January 31 following each year in which it meets the data-broker definition.
The CPPA may set a registration fee but it cannot exceed the reasonable costs of establishing and maintaining the registry website and the accessible deletion mechanism; collected fees go into a dedicated Data Brokers’ Registry Fund.
The registration form specifically requires disclosure about whether the broker shared or sold consumer data in the past year to foreign actors, the federal government, other state governments, law enforcement (outside subpoenas/court orders), or developers of GenAI systems.
Beginning January 1, 2029, registrants must report whether they have undergone the statute’s required audit and, if so, supply the most recent audit report and related materials to the CPPA.
Failure to register triggers an administrative fine of $200 per day and recovery of unpaid fees; failure to comply with deletion obligations triggers an administrative fine of $200 for each deletion request per day, with penalties deposited into the Data Brokers’ Registry Fund.
Section-by-Section Breakdown
Annual registration timing and scope
This paragraph creates the core duty: a business that meets the law’s data-broker definition must register with the CPPA annually after the year it qualifies. Practically, registrants will need internal processes to detect the triggering year, submit the registry filing on schedule, and update filings if business activity changes during subsequent years.
Fee authority and dedicated fund
The CPPA gets authority to set and collect a registration fee, limited by the statute to the reasonable costs of running the registry website and deletion mechanism. Fees and recovered penalties are earmarked to the Data Brokers’ Registry Fund in the State Treasury; that link creates a self-funding mechanism but ties program resources to fee-setting choices and collections.
Detailed disclosure obligations
The registration form requires contact information plus a series of yes/no disclosures covering whether the broker collects certain identifiers or sensitive categories (from names and account credentials to biometric, geolocation, reproductive health, and more). It also asks about the broker’s sharing relationships — including sales or transfers to foreign actors, federal and state governments, law enforcement, and GenAI developers — and requires a link to a consumer-facing page that explains rights and how to exercise them without dark patterns.
Audit reporting hook
The statute builds in an audit reporting milestone: registrants must indicate whether they have undergone a specified audit and provide the latest audit report and materials to the agency. That creates a compliance footprint that regulators can use to prioritize follow-up and signals that the legislature expects brokers to be subject to independent review of their deletion and disclosure processes.
Enforcement, fines, and use of recovered amounts
SB 361 authorizes the CPPA to seek administrative fines and reimbursement of fees and investigative costs when brokers fail to register or to comply with deletion obligations; recovered amounts are deposited into the Data Brokers’ Registry Fund to offset the agency’s and courts’ costs. That structure centralizes enforcement within the agency and finances operational overhead via a dedicated fund rather than general appropriations.
Definitions for foreign actor and GenAI
The bill defines 'foreign actor' by cross-reference to the federal definition of a 'covered nation' and defines 'developer of a GenAI system' and 'GenAI system' to capture entities that design or substantially modify systems that generate synthetic content. These definitions matter because they determine the reach of disclosure questions and whether sharing relationships trigger heightened scrutiny.
Who Benefits and Who Bears the Cost
Who Benefits
- California consumers seeking to exercise privacy rights: the required consumer-facing page and accessible deletion mechanism make it easier for individuals to find and act on deletion, correction, access, and opt-out rights without needing detailed knowledge of broker identities.
- Privacy and consumer-advocacy organizations: public registry entries and audit materials create a structured data source for oversight, research, and enforcement referrals.
- State regulators and courts: the registry centralizes information, which helps regulators prioritize investigations and makes litigation or administrative action more targeted.
Who Bears the Cost
- Data brokers and firms that buy or resell consumer profiles: they must build or update registry processes, create and maintain a compliant consumer webpage (without dark patterns), and potentially undergo audits and provide documentation.
- Developers and users of GenAI systems that rely on purchased training data: increased transparency may prompt data provenance scrutiny and contractual or operational changes to avoid disfavored data sources.
- The CPPA and state administrative apparatus: although the statute creates a fee-funded model, the agency must design forms, run the registry, adjudicate enforcement actions, and manage audits — work that will require up-front implementation resources and ongoing administration.
Key Issues
The Core Tension
The bill’s central dilemma is between increasing transparency and consumer control over opaque data flows, and imposing compliance and operational costs on an industry that includes both large, sophisticated brokers and smaller firms with thin margins. Improving consumer protection may require intrusive oversight and costly audits, but a lighter touch risks leaving dangerous data transfers, to foreign actors or AI developers, effectively unchecked.
The bill increases transparency but also raises practical implementation questions. Tying the fee cap to the 'reasonable costs' of the registry and deletion mechanism gives the CPPA discretion but leaves open disagreement about what counts as reasonable; if fees are set too low the program could be under-resourced, and if set high they could impose disproportionate burdens on smaller brokers.
The deposit of fines and fees into a dedicated fund helps shore up program costs, but it also creates an incentive dynamic — reliance on fee and fine revenue can shape enforcement priorities in unpredictable ways.
The statute’s inclusion of modern vectors (GenAI developers and 'foreign actors') is forward-looking but conceptually tricky. Cross-referencing the federal 'covered nation' definition imports national-security language into a consumer-protection context and may produce interpretive disputes.
The GenAI definition is broad — capturing entities that 'substantially modify' systems — and could require rulemaking or case-by-case interpretation to determine whether a particular model developer falls within the disclosure regime. Finally, the per-deletion-request exposure to administrative fines risks producing high aggregate penalties if a broker’s deletion process is slow or automated in ways that trigger mass noncompliance; calibrating enforcement to avoid punishing technical failures rather than bad-faith conduct will be an early regulatory challenge.