SB 635, titled the Street Vendor Business Protection Act, restructures how California local authorities and enforcement agencies may regulate sidewalk vendors and compact mobile food operations by narrowing permissible data collection and curbing immigration-related uses of local resources. The bill sets new limits on inquiries in licensing and permit processes and replaces criminal penalties for vending violations with administrative sanctions.
For professionals: the measure reallocates compliance priorities. Local permitting and health departments must change application forms and records practices, contracting officers must rewrite vendor-enforcement contracts, and enforcement staff must adopt new operational constraints — all while preserving the ability to act under certain federal-law exceptions.
The change aims to increase vendor participation in the formal economy by reducing immigration-related exposure, but it creates operational and legal trade-offs for agencies charged with public health and safety oversight.
At a Glance
What It Does
Imposes statutory limits on the collection, disclosure, and use of personally identifiable information (PII) about sidewalk vendors and compact mobile food operators. It bars specified immigration-related investigations or uses of local funds and personnel when enforcing vendor rules and replaces criminal penalties with a structured administrative fine regime.
Who It Affects
City and county governments and their enforcement agencies (including contracted nonpublic entities), local public health departments that issue food permits, contracting officers who manage vendor-enforcement agreements, and sidewalk vendors and operators of compact mobile food operations.
Why It Matters
The bill changes core compliance mechanics: what data jurisdictions may collect, how they must protect it, which enforcement activities they may fund or staff, and what to include in contracts. That alters litigation risk, records management, and vendor onboarding practices across California municipalities.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
SB 635 renames itself the Street Vendor Business Protection Act and contains three interlocking strands: definitions and findings, operational limits on local authority behavior, and new procedures for permitting compact mobile food businesses. The bill enumerates a broad list of personally identifiable information (PII) and defines “immigration enforcement” in expansive terms.
Those definitions frame the rest of the statutory obligations and prohibitions.
Under the changes to the Government Code, local authorities that regulate sidewalk vendors must design programs consistent with a set of standards. A central feature is a bar on voluntarily providing third parties access to records containing vendor PII unless compelled by a subpoena or valid judicial warrant.
Local personnel are likewise prohibited from disclosing such PII except under those compelled circumstances. The statute keeps room for narrow, objective time, place, and manner rules tied to health, safety, or welfare — but it forbids residency‑area quotas, broad numerical caps, or preconditions requiring private-party consent.On permitting and intake, the Health and Safety Code amendments require enforcement agencies to accept alternative identification numbers (California driver’s license/ID, an individual taxpayer identification number, or a municipal ID) in place of a Social Security number when a number is otherwise required; the collected number must remain confidential.
The bill removes the ability for enforcement bodies to ask about immigration or citizenship status, place of birth, or criminal history in permit applications and prohibits fingerprinting, LiveScan processes, and background checks for that purpose. Importantly, the bill mandates that certain records previously collected — specifically, place-of-birth and criminal-history records and fingerprinting/LiveScan records gathered before January 1, 2026 — be destroyed by a fixed deadline unless another law requires retention.SB 635 also constrains enforcement practice.
It forbids local agencies and contracted nonpublic entities from using local funds or personnel to carry out immigration-enforcement activities while enforcing vendor rules. Contracts entered into or modified on or after January 1, 2026 must contain explicit compliance obligations; breach triggers immediate termination.
Finally, the statute locks in administrative fines as the exclusive penalty scheme for vendor violations (with a tiered schedule and ability-to-pay accommodations) and displaces criminal prosecution for vending-related offenses, including retroactive dismissal mechanisms for many pending cases. The bill preserves a narrow exception that allows mandatory sharing or requests that federal law requires (e.g., under certain federal statutes) but otherwise limits voluntary cooperation and public disclosure.
The Five Things You Need to Know
SB 635 supplies a broad statutory definition of “personally identifiable information” that includes names, business names, home and business addresses, birthdate, telephone number, California driver’s license or ID numbers, ITINs, municipal ID numbers, social media identifiers, seller’s permit numbers, and income/tax information.
A local authority or enforcement agency may not voluntarily give any individual access to records containing vendor PII without a subpoena or judicial warrant; agency personnel similarly cannot disclose that PII except under the same compelled process.
Any place-of-birth records, criminal-history information, fingerprint or LiveScan submissions, or background-check documentation collected prior to January 1, 2026 must be destroyed on or before March 1, 2026 unless another law expressly requires retention.
Contracts with nonpublic entities for vendor enforcement entered into or modified on or after January 1, 2026 must include an explicit promise to comply with these restrictions; a finding of violation requires immediate contract termination.
The bill makes vending violations administrative only, establishes a tiered fine schedule (up to $100–$500 for routine violations and higher amounts where permits are required), bars criminal prosecution for compliant local rules, and requires adjudicators to consider ability to pay and offer remedies such as reduced payment or community service.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Statement of purpose and statewide concern
The act opens with legislative findings emphasizing sidewalk vending's economic role for low-income and immigrant communities and frames the statute as protecting entrepreneurship and public safety by limiting data collection and disclosure. These findings are used later to support a constitutionally required limitation on public access to certain records.
Key definitions: 'sidewalk vendor,' 'personally identifiable information,' and 'immigration enforcement'
This section expands definitional language. The PII definition is intentionally broad and lists many identity and business identifiers; it also defines 'immigration enforcement' to include civil and criminal immigration investigations and assistance. The practical effect is to make subsequent prohibitions operate against a wide range of data and activities that agencies might previously have considered peripheral.
Limits on record disclosure, permitted local regulation, and intake prohibitions
Local authorities retain the ability to adopt time, place, and manner rules tied to health, safety, or welfare, but the statute bars a number of common regulatory levers: caps on vendor numbers, preapproval by private entities, and geographic restrictions not tied to objective public-safety findings. Critically, it forbids voluntary consent to release records with vendor PII and prohibits agency personnel from disclosing such data unless compelled by subpoena or warrant. The subdivision also makes PII collected under the sidewalk vendor program exempt from public records disclosure, narrowing transparency for those specific datasets.
Administrative-only penalties, operational limits on enforcement, and contractor clause
SB 635 codifies a civil fine schedule and removes criminal penalties for compliant local vending rules; pending criminal prosecutions for vending offenses are to be dismissed. It also forbids agencies — including contracted nonpublic entities — from using local funds or personnel to perform immigration-enforcement activities in the course of vendor enforcement. Contracts for enforcement entered or modified on/after January 1, 2026 must include express adherence and are subject to immediate termination upon violation.
Parity for compact mobile food operations and nonuse of enforcement resources for immigration activities
The bill ensures compact mobile food operators fall under the administrative fine regime and the same operational constraints: enforcement agencies may not use their funds or staff to investigate or assist immigration enforcement while enforcing food-code provisions related to these small, nonmotorized food sellers. The provision explicitly defines enforcement agency to include nonpublic contractors, bringing contract governance and oversight into play.
Confidentiality and limits on voluntary disclosure for permit records
Permitting rules require issuance only when a proposed facility meets code; SB 635 adds a prohibition on voluntary consent to provide vendor or compact mobile operator PII to private parties. It repeats the broad PII definition for Health & Safety purposes and makes that PII exempt from disclosure under the California Public Records Act, narrowing public access to permit datasets.
ID alternatives, ban on immigration or criminal-history queries, and records destruction mandate
This new section requires enforcement agencies to accept California driver’s license/ID numbers, ITINs, or municipal IDs if an identifying number is required instead of Social Security numbers, and to keep those numbers confidential. It bars inquiries into immigration or citizenship status, place of birth, and criminal history for permit applicants, and forbids fingerprinting/LiveScan and background checks for that purpose. It also imposes the specific records-destruction deadline for pre-2026 place-of-birth and criminal-history data unless another law mandates retention.
This bill is one of many.
Codify tracks hundreds of bills on Government across all five countries.
Explore Government in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Immigrant and low-income microentrepreneurs: The prohibition on immigration‑status inquiries, background checks, and voluntary disclosure of PII reduces vendors’ exposure to immigration enforcement, lowering the practical risk of deportation when they seek permits.
- Sidewalk vendors and compact mobile food operators generally: The shift from criminal penalties to administrative fines, plus ability‑to‑pay procedures, decreases the odds of arrest, incarceration, or criminal records for vending violations and facilitates formalization.
- Municipalities seeking trust and compliance: Cities and counties may see higher permit uptake and improved regulatory compliance as vendors feel safer engaging with permitting and health inspections.
- Civil rights and privacy advocates: The law creates statutory privacy protections and clamps down on third‑party access to sensitive vendor data, aligning local practice with privacy expectations for marginalized populations.
Who Bears the Cost
- Local permitting and public-health agencies: Agencies must redesign application forms, change intake procedures, implement new confidentiality controls, destroy specified pre‑existing records, and retrain staff — all immediate operational costs.
- Contracted nonpublic enforcement entities: Third-party contractors face new compliance obligations in contracts entered or modified on/after Jan 1, 2026, and face immediate termination if found in violation, creating compliance and business‑risk exposure.
- Records and IT operations: Data-protection measures, secure storage, redaction, and systematic destruction of covered records will impose administrative and technical expenses on local governments.
- Public-safety and inspection workflows: Agencies lose a toolset (background checks, fingerprinting, place-of-birth data) that some localities used to assess risk, forcing reallocation of investigative methods and potentially complicating responses to food-safety incidents.
Key Issues
The Core Tension
The central dilemma is balancing immigrant vendors’ privacy and trust (to encourage formalization and protect against immigration enforcement) against legitimate public‑safety and transparency needs (permitting agencies to collect information they argue is necessary for health inspections, investigations, or public review). The bill privileges privacy and anti‑deportation safeguards, but doing so constrains tools that enforcement and health agencies have traditionally used to manage risk.
SB 635 tightens privacy protections for vendor PII and curtails local participation in immigration enforcement, but it raises several operational and legal questions. First, the law preserves the ability to share or request information where federal law requires it; that carve-out creates a narrow but important tension between the statute’s limits on voluntary disclosure and federal obligations or pressures (and could invite litigation over the scope of compelled versus voluntary disclosures).
Second, the records‑destruction mandate is blunt: reconciling destruction deadlines with other retention obligations (for example, records needed for criminal investigations, public-health outbreak tracing, or tax enforcement) will require granular legal review and could produce conflicting statutory duties.
Contract governance presents another implementation challenge. Requiring nonpublic contractors to agree to the restrictions and terminating contracts immediately on violation gives local authorities a strong remedy, but monitoring contractor adherence and proving a violation in practice will demand oversight resources.
Finally, the statute narrows transparency by exempting specified PII from the Public Records Act; while intended to protect vulnerable populations, that exemption reduces public visibility into vendor programs and may complicate auditing and public accountability of local enforcement decisions.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.