New Calif. Law Means Data Brokers Must Disclose More and Face Higher Fines, Say Lawyers

SB-361 by Sen. Josh Becker (D) requires data brokers to disclose to the California Privacy Protection Agency (CPPA) more types of personal information in their state registrations, including email addresses, login or account information, government ID numbers and citizenship data (see 2508270041). The new law is set to take effect Jan. 1.

Together with the CPPA's recently finalized rules for an accessible data deletion mechanism under the California Delete Act (see 2509260039), “these developments impose substantial new compliance obligations on data brokers and businesses indirectly handling consumer data,” Frankfurt Kurnit privacy attorney Andrew Folks wrote Wednesday.

SB-361 also amends the Delete Act to extend “penalties beyond registration lapses to encompass failures to process consumer deletion requests,” as well as doubling the daily fine for noncompliance to $200, noted Folks. “Additionally, a broker found in violation may be liable for all registration fees owed during any unregistered period, [CPPA’s] investigative and administrative costs, and daily fines for each unprocessed or improperly handled deletion request.”

Folks added that “the amended law introduces California’s first per-request, per-day penalty tied to consumer deletion rights. As a result, noncompliant brokers may face significant exposure, as each unprocessed deletion request can trigger an independent fine of $200 per day until the broker fulfills its statutory obligations or demonstrates a valid exemption.

Meanwhile, privacy lawyers David Stauss and TK Lively wrote in a Troutman blog post that with SB-361 becoming law and the CPPA approving new Delete Act rules, “California data brokers will need to engage in additional compliance measures in the coming months.”