
California’s privacy updates represent a major shift in how personal information is managed and shared. SB 361 and the Delete Act work together to promote transparency and consumer empowerment, setting a national example for data privacy reform. These new laws and consumer protection attorneys will help consumers take charge of their data and hold companies accountable for responsible data practices. Call our firm to discuss taking legal action when data brokers and other entities misuse your data.
California is continuing to strengthen its privacy and consumer protection laws. On October 8, 2025, Governor Gavin Newsom signed Senate Bill 361, which adds new requirements for data brokers operating in the state.
This law expands California’s existing data broker registration process, requiring companies to share more details about how they collect, use, and sell personal data. These changes come shortly after the California Privacy Protection Agency (CPPA) approved new regulations under the 2023 Delete Act, which will create a statewide system allowing residents to request deletion of their personal information. That system is set to launch in August 2026.
Together, SB 361 and the Delete Act create one of the strongest data transparency frameworks in the country. Businesses that buy or sell consumer data will face tighter reporting obligations, while consumers gain more control over their personal information.
The Delete Act, passed in 2023, is a groundbreaking privacy law that gives Californians a simple way to remove their personal data from hundreds of data broker databases at once.
Under the Act, the CPPA will build a central online deletion portal where residents can file a single request to have their information deleted by every registered data broker. Once submitted, all brokers must erase the consumer’s data and stop collecting it unless another law allows retention.
The Delete Act also requires brokers to disclose the categories of data they collect, explain how they process deletion requests, and update their registration each year. Enforcement begins in August 2026, giving businesses time to adjust their systems.
When combined with SB 361, the Delete Act not only improves transparency but also strengthens consumer privacy rights statewide.
Previously, California required data brokers to disclose only limited information when registering annually with the CPPA—such as whether they collected data on minors, precise location details, or reproductive health information. SB 361 significantly broadens that list. Now, companies must report if they collect any of the following:
If a data broker does not collect these identifiers, it must list up to three of the most common data types it does collect.
This expanded disclosure gives regulators a clearer picture of what types of data are circulating among brokers while preventing sensitive company details from being made public on the CPPA’s website.
SB 361 also introduces new requirements about who data brokers share information with. Companies must now disclose whether they have sold or shared personal data within the past year to:
A “GenAI developer” is any person or company that designs or modifies artificial intelligence systems that generate text, images, or other content. The law does not yet define what counts as a “substantial modification,” leaving room for future clarification.

For California residents, SB 361 and the Delete Act together offer more transparency and stronger privacy protections than ever before. Here’s how consumers benefit from the new rules:
In short, these updates give Californians clearer insight into the data marketplace and practical tools to protect their privacy.
The Lyon Firm represents individuals and organizations in data privacy, cybersecurity, and consumer protection matters nationwide. With California’s evolving privacy laws, understanding what SB 361 and the Delete Act mean for your rights can be complex. Our firm’s attorneys can help clients:
The Lyon Firm offers free consultations and remains committed to protecting privacy rights while guiding clients through the fast-changing landscape of data protection law.
Taking the first step doesn’t have to be complicated. In just a few minutes, you can share the basics of your case, and our team will guide you from there: