SB 957, the "Stopping Harmful Information Exploitation and Lawless Data Sharing Act," asks social media companies to give California residents prompt notice when an administrative subpoena under the federal provision cited (8 U.S.C. §1225(d)(4)(A) as of Jan 1, 2026) seeks their personal information. The bill bars companies from turning over that information while the individual has a chance to challenge the subpoena, subject to limited exceptions, and identifies three statutory grounds for deeming such subpoenas invalid (unrelated purpose, irrelevance, or overbreadth/burden).
The measure creates parallel enforcement paths: the California Attorney General can seek injunctive or declaratory relief, and affected individuals can bring similar suits. For companies and compliance teams, the bill imposes a new assessment obligation when faced with that type of administrative subpoena and raises the prospect of state litigation where federal requests touch California residents’ data.
At a Glance
What It Does
The bill requires social media companies to promptly notify a California resident when an administrative subpoena under the specified federal text requests their personal information, and generally prohibits disclosure until the individual has time to respond or challenge. It lists three specific bases for treating an administrative subpoena as invalid (not related to the authorized purpose, irrelevant, or overly broad/unduly burdensome) and allows a company to comply only after determining the subpoena is not invalid.
Who It Affects
The primary duties fall on companies defined as "social media companies" by Section 22675; the statute applies whenever a subpoena under the cited federal provision targets personal information of a California resident. It also affects compliance teams, privacy counsel, state prosecutors, and federal agencies that use administrative subpoenas in immigration-related matters.
Why It Matters
This is a state-level constraint on responding to a narrow class of federal administrative subpoenas, forcing platforms to build procedures for notice, legal review, and potential delay. For privacy professionals and platform operators, it creates operational friction and litigation risk and may shift how federal actors obtain data from companies with California users.
What This Bill Actually Does
SB 957 creates a named statutory chapter that governs how "social media companies" must respond when an administrative subpoena of the specific federal type targets a California resident's data. The bill explicitly defines key terms: an "administrative subpoena" is the one described in the cited federal provision as of January 1, 2026; an "individual" is a California resident; and "maintain" is broader than storage — the text says it includes acquiring, using, or disclosing data.
The statute also sets a broad listing of what counts as "personal information" (name, SSN, contact and location data, IP and browsing history, social media information, education, finances, medical and employment history, among others).
When that category of subpoena arrives, the company must promptly notify the affected California resident. The company then generally must not comply until the person has had "sufficient time" to respond to or challenge the subpoena; the bill does not set a fixed clock, leaving the timing judgment to the company or subsequent litigation.
Companies may respond earlier only if they determine the subpoena is not invalid under the bill’s standards. The statute spells out three ways a subpoena can be invalid: the data request is unrelated to the lawfully authorized purpose in the cited federal subparagraph, the requested data is irrelevant to that purpose, or the request is overly broad or unduly burdensome.
SB 957 gives the California Attorney General the power to seek injunctive or declaratory relief against noncompliant companies and creates a private right for affected individuals to seek the same remedies; the text does not create a damages remedy or enumerate civil penalties.
The bill also preserves existing exceptions: it does not stop companies from obeying a court order under the companion federal subparagraph (B) or from complying with any other law that requires disclosure. Finally, the bill ties the covered companies to the definition found in Section 22675, so the scope of regulated entities will depend on that separate statutory definition.
The Five Things You Need to Know
The statute explicitly expands the meaning of "maintain" to include acquiring, using, or disclosing personal information, broadening the activities covered by the notice and noncompliance rules.
A social media company must "promptly notify" a California resident when an administrative subpoena under 8 U.S.C. §1225(d)(4)(A) (as of Jan 1, 2026) requests that resident’s personal information.
The bill lists three grounds that render such an administrative subpoena invalid: (1) the requested information is not related to an authorized purpose, (2) the information is irrelevant, or (3) the request is overly broad or unduly burdensome.
Enforcement is limited to injunctive or declaratory relief: the Attorney General can sue for those remedies, and affected individuals get a private right to seek the same relief; the text does not provide statutory damages or fines.
The statute explicitly permits compliance with a court order under 8 U.S.C. §1225(d)(4)(B) or with any other law, creating a narrow carve-out for authorized judicial processes and other legal obligations.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Chapter name
This subsection gives the chapter a short title: the "Stopping Harmful Information Exploitation and Lawless Data Sharing Act." Naming matters because enforcement actions and regulations will cite this chapter title rather than just a bill number.
Definitions: administrative subpoena, personal information, and scope
This subsection defines the key terms that control the rest of the chapter. It ties "administrative subpoena" to a specific federal provision as it reads on a set date, defines "individual" narrowly as a California resident, and intentionally broadens "maintain" to cover acquiring, using, or disclosing data. The "personal information" definition is deliberately expansive (including IP, browsing history, location, health and employment records), so compliance obligations will attach to a wide range of data types. Finally, it imports an external statutory definition of "social media company" (Section 22675), which means the scope of who must comply is determined by that separate provision and could extend beyond consumer-facing platforms.
Notice requirement and stay on compliance
This subsection requires companies to promptly notify a California resident when their data is targeted by the specified administrative subpoena and generally forbids responding until the individual has had sufficient time to challenge. The text leaves "promptly" and "sufficient time" undefined, so implementation will require internal policy-setting or judicial interpretation. There is a built-in exception that allows disclosure if the company determines the subpoena is "not invalid" under the chapter’s invalidity standards, putting the burden on platforms to assess validity before complying.
Statutory grounds for invalidating an administrative subpoena
This subsection provides three discrete legal tests for when a company must refuse to comply: the request is not tied to an authorized purpose under the cited federal subparagraph, the requested information is irrelevant, or the subpoena is overly broad or unduly burdensome. Each ground is familiar in procedural law, but the company — not a court — initially must apply them; that creates a front-line legal analysis obligation and the possibility of disagreement leading to litigation.
Enforcement: state and private suits for injunctive or declaratory relief
This subsection empowers the California Attorney General to bring injunctive or declaratory actions and allows affected individuals to do the same. The remedies are equitable—court orders to stop sharing or to clarify rights—not compensatory. The absence of statutory damages or specified civil penalties shapes the likely enforcement strategy: seek injunctions to prevent disclosure rather than monetary recovery.
Carve-outs for court orders and other laws
This subsection clarifies that nothing in the chapter prevents a social media company from obeying a court order issued under the companion federal subparagraph (B) to §1225(d)(4) or from complying with any other applicable law. Practically, that means federal judicial process and other legal obligations can override the chapter’s notice-and-delay regime.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- California residents whose data is sought by the specified administrative subpoenas — they gain a statutory notice right and an opportunity to respond or challenge before platforms usually disclose personal information.
- Privacy and civil-rights advocates — the statute arms them with a concrete legal framework to challenge nonjudicial federal data requests and to push for stricter limits on cross-border or immigration-related data sharing.
- State enforcement officials — the Attorney General obtains express authority to sue platforms for injunctive or declaratory relief, giving the office a direct tool to enforce state privacy expectations.
- Individual litigators and privacy counsel representing Californians — the bill creates a private cause of action for declaratory and injunctive relief, creating new client work and litigation strategies.
Who Bears the Cost
- Social media companies covered by Section 22675 — they must build notice processes, legal-review workflows to test subpoenas against the bill’s invalidity grounds, and likely documentation for litigation; these compliance and legal costs can be significant, especially for platforms receiving frequent federal requests.
- Federal agencies that rely on administrative subpoenas under the cited provision — they may face delays, have to narrow requests, or escalate to court orders to obtain data previously accessible through administrative process.
- Smaller platforms or third-party data processors — if the Section 22675 definition reaches them, they face the same review burden as larger companies but with fewer resources, increasing operational strain or motivation to relocate data or throttle requests.
- California courts — expect more declaratory and injunctive suits testing the statute’s standards and interface with federal law, adding caseload and creating precedent that will determine how the law operates in practice.
Key Issues
The Core Tension
The core dilemma is balancing Californians’ privacy and control over state-linked personal data against the practical needs of federal administrative investigations: protecting residents from nonjudicial data grabs requires procedural brakes and corporate discretion, but those same brakes can frustrate legitimate federal inquiries and shift the burden — and litigation costs — onto platforms and the courts.
The bill creates concrete procedural protections for residents but leaves several implementation gaps that will drive litigation. Key undefined terms—"promptly" and "sufficient time"—force companies and courts to fill the timing vacuum, and the statute places the initial validity assessment on the company rather than a neutral adjudicator.
That design encourages defensive litigation: agencies and platforms may rush to court to secure orders or declaratory judgments, while individuals and the Attorney General litigate the scope of the notice and refusal obligations.
There is also a tension between the statute’s state-level constraint and federal investigatory needs. The bill ties refusal grounds to the authorized purpose in a specific federal subparagraph, but by restricting compliance with administrative subpoenas it effectively nudges federal actors toward obtaining judicial process—explicitly preserved by the bill’s carve-out.
The statute supplies only equitable remedies (injunctions and declarations), not damages or explicit penalties, which may influence enforcement priorities and the willingness of individuals to sue. Finally, the imported definition of "social media company" (Section 22675) and the broad definition of "personal information" mean the law’s scope depends heavily on other statutory texts and on how courts interpret terms like "overly broad" and "unduly burdensome."