Last year, we discussed the growing focus and increased regulation on data brokers nationwide, including bills in California, Delaware, Massachusetts, Oregon, and Washington. Now, California has a new bill (S.B. 362) that would revamp its requirements on data brokers and provide California residents new rights over their personal information. The bill is now on California Governor Gavin Newsom’s desk for signature. The purpose of this bill is to address differences between existing data broker requirements and the California Consumer Privacy Act (CCPA).

Under its existing Data Broker Registration Law, California has required data brokers to register with the California Attorney General each year and pay an annual registration fee. A “data broker” was defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The new bill keeps the same definition of a “data broker” but requires data brokers to register with the California Privacy Protection Agency instead.

The bill’s new requirements include, but are not limited to:

  • Registration Information Requirements. When registering, a data broker will need to provide the following information:
    (1) The name of the data broker and its primary physical, email, and internet website addresses.
    (2) The number of consumer requests (under the CCPA) received, compiled, or denied in the previous calendar year.
    (3) The median and mean number of days in which the data broker substantively responded to such CCPA consumer requests in the previous calendar year.
    (4) Whether the data broker collects the personal information of minors.
    (5) Whether the data broker collects consumers’ precise geolocation.
    (6) Whether the data broker collects consumers’ reproductive health care data.
    (7) A link to the data broker’s website.

A data broker must also disclose the metrics compiled pursuant to (2) and (3) above within the data broker’s privacy policy posted on its internet website.

  • Website/Privacy Policy. In addition to disclosing the metrics compiled pursuant to (2) and (3) above, the data broker’s website must include details on how a consumer can exercise their rights under the CCPA, including but not limited to, the right to delete, correct, opt-out of the sale or sharing of personal information, and limit the use of sensitive personal information.
  • Third-Party Audit. Beginning January 1, 2028, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine the data broker’s compliance with the new bill’s requirements. These audits must be maintained for at least six years.

Note that a “data broker” does not include an entity that is regulated by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Insurance Information and Privacy Protection Act, or the Health Insurance Portability and Accountability Act (to the extent the entity is exempt under the CCPA).

Taft will continue to monitor developments in this area and will provide updates here and on all our Taft platforms. As always, seek qualified legal counsel whenever making determinations about your company’s legal or compliance obligations. Taft’s Privacy and Data Security Practice (PDS) stands ready to assist you with a risk-based, common-sense approach to your data governance needs. Stay tuned to Privacy and Data Security Insights and don’t forget to download our free mobile app, which gives you quick, real-time access to Taft PDS content and updates like this one.

Zenus Franklin


Zenus has wide-ranging experience with data governance and information technology, which brings a unique and vital perspective to his practice. He advises clients on data privacy matters, such as risk management, policy development, training, audits, website privacy policies and terms of use, website cookies, M&A due diligence, and data breach and incident response management. His expertise spans federal privacy regulations such as HIPAA, GLBA, FCRA, TCPA, FERPA, and COPPA, along with state laws governing the processing of personal information, such as the California Consumer Privacy Act and state Data Broker laws. Additionally, Zenus provides guidance to clients on global data privacy matters, including the GDPR.

Scot Ganow


Scot is a partner at Taft and is chair of the firm’s Privacy, Security, and Artificial Intelligence Practice. As a former chief privacy officer leveraging more than 10 years of management and compliance experience in Fortune 500 companies prior to law school, Scot brings a diverse business background to his practice at Taft. Scot represents clients in a variety of sectors, including consumer reporting, construction, healthcare, broadband services, and manufacturing.