What Data Brokers Need to Know by 2026: California’s SB 361 Brings Big Changes

California has once again raised the bar for data privacy. With the passage of SB 361, businesses that operate as data brokers will soon face a set of new obligations that go far beyond what the CCPA and CPRA previously required. While some changes do not take effect until 2026 and others until 2028, the planning, coordination, and system updates needed to comply take time. Many organizations underestimate this.

If your company collects or uses information from people you don’t interact with directly, you are almost certainly considered a data broker under California law. And because California tends to influence national trends, these requirements may soon ripple outward. Understanding what is coming will help you prepare, avoid penalties, and maintain the trust of your partners and clients.

‍

1. A New Level of Disclosure Is Now Required

Beginning with the upcoming 2026 registration cycle, the State of California will require data brokers to be more transparent about the types of personal information they collect. This includes basic identifiers such as names, emails, phone numbers, ZIP Codes, and dates of birth. It also extends to more sensitive areas such as citizenship and immigration status, union membership information, details about sexual orientation or gender identity, biometric data, geolocation data, and reproductive health-related information.

In addition to data categories, brokers will need to state whether they have shared or sold personal information to any of the following within the past year:
a. foreign entities,
b. government agencies,
c. law enforcement (outside of official legal orders), or
d. companies involved in developing generative AI systems.

This is a substantial expansion compared to prior years, and many organizations will need to re-evaluate their internal data classification and documentation practices.

‍

2. A Statewide Deletion System Will Be Active in 2026

A major operational change begins on January 1, 2026, when the California Privacy Protection Agency launches a centralized deletion system. This system will allow a consumer to make one request that applies to every registered data broker at once. Starting on August 1, 2026, data brokers will be expected to log into this system at least once every 45 days and take several actions.

First, they will need to delete all personal information tied to each verified request within 45 days of receiving it. If a request cannot be verified, the broker must still treat it as a request to opt out of the sale or sharing of personal data. Second, the broker will need to instruct any service providers or contractors they rely on to also delete or suppress the consumer’s information. Finally, brokers must continue deleting any new data that they gather about consumers who have already submitted a deletion request.

This is not a simple “one-and-done” operation. It becomes an ongoing responsibility that requires reliable systems, clear data flows, and coordinated vendor management.

‍

3. Independent Audits Will Begin in 2028

Another long-term requirement involves independent compliance audits every three years, beginning in 2028. When the California Privacy Protection Agency asks for the audit results, brokers will need to provide them within five business days. This means that documentation, governance practices, and policy enforcement must all be strong enough to withstand outside review.

For businesses that have not historically built detailed privacy documentation, this requirement will take time to prepare for.

‍

4. Noncompliance Will Be Expensive

The law establishes daily fines for brokers who fail to register and daily fines for each deletion request not processed correctly. California also reserves the right to recover its investigative and administrative costs. These penalties can add up quickly, especially for companies that handle large amounts of data.

‍

5. What Data Brokers Should Focus On Now

Although some requirements start in 2026 and others later, the practical preparation should begin immediately. Companies will need to review the kinds of information they collect, understand how it is stored and used, reconsider how deletion requests move through their systems, and update any public-facing information about consumer rights. Integrating with a statewide deletion portal will require technical and administrative planning. And for the upcoming audits, organizations will need consistent documentation practices that demonstrate compliance, not just policies on paper.

The sooner these preparations begin, the smoother the transition will be. Waiting until 2026 will likely result in rushed efforts, gaps in compliance, and avoidable risk.

‍

Let PriCyai Advisory Support Your Next Steps

Regulations like SB 361 can feel overwhelming, but with the right guidance, they become manageable. At PriCyai Advisory, we work closely with data brokers and data-driven organizations to help them understand what these new rules mean for their operations. We assist with data mapping, compliance planning, workflow design for deletion requests, and preparation for independent audits. Our goal is to make compliance clear, achievable, and aligned with your business needs.

If you’re unsure where to begin, or if you’d like support building a plan for 2026, we would be glad to help.

‍

Contact PriCyai Advisory at info@pricyaiadvisory.com to schedule a consultation and prepare your organization for the changes ahead.

‍