California SB 361: Data Brokers Face AI Disclosure Rules & Doubled Penalties by January 2026

On October 8, 2025, California Governor Gavin Newsom signed into law Senate Bill 361, marking the most significant expansion of California's data broker regulations since the original Data Broker Registry was established in 2020. The law doesn't just tighten existing rules—it fundamentally transforms transparency requirements by forcing data brokers to disclose whether they've shared personal information with foreign governments, AI developers, or domestic government entities. With penalties doubling from $100 to $200 per day for violations and an effective date of January 1, 2026, data brokers have just 72 days to overhaul their disclosure systems, audit their data sharing relationships, and implement new compliance workflows. This isn't a gentle policy evolution—it's a hard deadline with expensive consequences.

⚠️ Important: 🚨 URGENT COMPLIANCE DEADLINE: California SB 361 takes effect January 1, 2026—just 72 days away. If your business buys, sells, or shares California resident data for commercial purposes, you must now disclose data sharing with AI companies, foreign governments, and domestic agencies. Failure to comply costs $200 per day starting day one. Are you ready?

What Is SB 361? California's Groundbreaking Data Broker Transparency Law

📜 The Law in Plain English

Official Name: Senate Bill 361 - Data Broker Transparency and Accountability Act of 2025
Signed: October 8, 2025 by Governor Gavin Newsom
Effective Date: January 1, 2026
Amends: California Civil Code Section 1798.99.82 (original Data Broker Registry law from 2020)
Primary Impact: Expands disclosure requirements for data brokers operating in California

Who Must Comply: Defining "Data Broker"

Under California law, a data broker is any business that:
Knowingly collects and sells (or licenses) personal information of California consumers
Has no direct relationship with those consumers
Operates for commercial purposes (not just internal business use)

Examples of Data Brokers:
People search sites: Spokeo, BeenVerified, Whitepages, Intelius
Marketing data providers: Acxiom, Experian Marketing, Epsilon, LiveRamp
Credit reporting agencies: Experian, Equifax, TransUnion (when selling data beyond credit reports)
Data aggregators: Oracle Data Cloud, Acxiom, Neustar
Ad tech platforms: Companies selling audience segments, lookalike modeling data
Risk assessment vendors: LexisNexis Risk Solutions, CoreLogic
Employment screening companies: When selling data beyond direct screening services

Who Is NOT a Data Broker (Important Exemptions):
Consumer reporting agencies (when acting solely as CRAs under FCRA)
Financial institutions subject to Gramm-Leach-Bliley Act
HIPAA-covered entities (healthcare providers, insurers) using data for treatment/payment/operations
Companies with direct consumer relationships (e.g., retailer selling customer data to partners—covered under CCPA, not data broker law)

The Gray Area: When You Might Be a Data Broker Without Realizing It

Scenario 1: Website Selling Lead Lists
• You operate a B2B website collecting contact forms
• You sell those leads to third parties
• Consumers never directly agreed to have their data sold
Verdict: Likely a data broker under SB 361

Scenario 2: App Developer Selling User Data
• You develop a free mobile app
• App collects location, device data, usage patterns
• You sell anonymized (or de-identified) data to advertisers
• Users have no direct business relationship with you beyond app download
Verdict: Potentially a data broker (depends on whether data is truly de-identified)

Scenario 3: SaaS Company Licensing Customer Insights
• You provide a CRM platform
• You aggregate and anonymize customer data across clients
• You license aggregated insights to market research firms
Verdict: Likely NOT a data broker (direct relationship with customers whose data you're using)

When in Doubt, Consult Legal Counsel

California's Attorney General has broad enforcement discretion. If your business model involves collecting and monetizing personal data of individuals you don't directly serve, assume you're a data broker until a qualified attorney advises otherwise.

The 3 Game-Changing Disclosure Requirements in SB 361

🔍 What Data Brokers Must Now Disclose

SB 361 adds three new mandatory disclosure categories to California's annual data broker registration. Every registered data broker must now explicitly state whether they have shared personal information with:

1. Foreign Governments or Foreign Persons Acting on Behalf of Foreign Governments

What this means:
Foreign governments: Any non-U.S. governmental entity (China, Russia, EU member states, etc.)
Acting on behalf of: Contractors, agencies, state-owned enterprises directed by foreign governments
Shared personal information: Sold, licensed, transferred, or provided access to data about California residents

Why California added this requirement:
• National security concerns about foreign adversaries accessing U.S. citizen data
• TikTok/ByteDance controversy highlighting data flows to China
• European GDPR adequacy decisions creating reciprocal transparency expectations
• Growing awareness of foreign intelligence operations leveraging commercial data

Real-world examples requiring disclosure:
• Data broker sells marketing lists to company owned by Chinese government
• Broker provides data access to European government agency for law enforcement
• Broker licenses data to research firm contracted by Russian ministry
• Broker sells data to multinational with headquarters in adversarial nation

Compliance challenge: Many data brokers sell to intermediaries—how do you verify the ultimate end-user isn't a foreign government? SB 361 requires "reasonable efforts" to determine downstream use, but doesn't define what's "reasonable." Expect litigation to clarify this.

2. Government Entities (Domestic - Federal, State, Local)

What this means:
Federal agencies: FBI, ICE, DEA, IRS, Department of Defense, etc.
State agencies: California DMV, EDD, state police, regulatory agencies
Local government: County sheriffs, city police, municipal agencies
All data sharing: Whether sold, provided via contract, or given for free

Why California added this requirement:
• Law enforcement agencies increasingly purchase data instead of obtaining warrants
• Supreme Court cases (Carpenter v. United States) establishing Fourth Amendment protections for digital data
• Civil liberties concerns about warrantless surveillance via commercial data purchases
• Transparency into government data acquisition practices

Real-world examples requiring disclosure:
• Data broker sells location data to ICE for immigration enforcement
• Broker provides cell phone records to local police investigating crime
• Broker sells financial transaction data to IRS for tax investigations
• Broker licenses social media data to FBI for national security investigations

Why this is controversial: Law enforcement agencies argue that purchasing data from commercial brokers is legal and doesn't require warrants (public information, third-party doctrine). Privacy advocates argue it's an end-run around Fourth Amendment protections. SB 361 doesn't prohibit these sales—it just requires disclosure. But transparency is the first step toward regulation.

Compliance nuance: If you provide data to government pursuant to legal process (subpoena, warrant, court order), that may not constitute "sharing" under SB 361—but if you sell or license data to government agencies, disclosure is mandatory.

3. Artificial Intelligence Developers or Providers

What this means:
AI developers: Companies building large language models (LLMs), machine learning systems, generative AI
AI providers: Companies offering AI-as-a-service, AI tools, AI platforms
Personal information: Data used to train models, fine-tune algorithms, or improve AI systems

Why California added this requirement (GROUNDBREAKING):
• California is the FIRST state to require disclosure of data sharing with AI companies
• Addresses growing concerns about AI training data sourced without consent
• Responds to lawsuits against OpenAI, Meta, Google for training on scraped data
• Establishes transparency before implementing potential future regulations on AI training data

Real-world examples requiring disclosure:
• Data broker sells customer service chat logs to OpenAI for ChatGPT training
• Broker licenses social media posts to Anthropic for Claude training
• Broker provides medical records to Google DeepMind for health AI research
• Broker sells scraped website content to Meta for LLaMA model development

The AI training data controversy: AI companies argue:
• Public data is fair game for AI training (fair use doctrine)
• Training data is transformed into model weights (not direct copying)
• AI benefits society and innovation should be encouraged

Privacy advocates argue:
• Individuals never consented to their data training AI systems
• AI models can memorize and regurgitate sensitive personal information
• Data brokers profit from selling data for AI without compensating data subjects

Why SB 361's AI disclosure requirement matters:
First step toward AI training data regulation: Can't regulate what you can't see
Public awareness: Consumers will learn their data is training AI without consent
Market pressure: AI companies may face backlash when disclosures reveal their data sources
Future litigation: Disclosure creates paper trail for class action lawsuits
Federal preemption risk: If federal AI regulation emerges, California's law may influence it

Compliance challenge for data brokers: Many AI companies are secretive about training data sources. How do you verify whether your customer is an "AI developer"? What if they resell your data to AI companies? SB 361 requires disclosure of direct sharing, but the AI training data supply chain is opaque. Expect significant compliance confusion in Q1 2026.

Penalties Double: From $100/Day to $200/Day (Plus New Per-Request Fines)

💰 The New Penalty Structure

Existing Penalty (Pre-SB 361):
Failure to register as data broker: $100 per day
Failure to provide required disclosures: $100 per day
Maximum penalty: No statutory cap (theoretically unlimited)
Enforcement: California Attorney General

New Penalties Under SB 361 (Effective January 1, 2026):
Failure to register: $200 per day (doubled from $100)
Failure to disclose foreign government sharing: $200 per day
Failure to disclose domestic government sharing: $200 per day
Failure to disclose AI company sharing: $200 per day
Failure to process deletion requests: New per-request penalties (amount TBD by regulations)
Cumulative penalties: Multiple violations = multiple $200/day penalties simultaneously

Penalty Math: How Fast Costs Escalate

Scenario 1: Failure to Register Entirely
Days 1-30: $200/day × 30 days = $6,000
Days 1-90: $200/day × 90 days = $18,000
Days 1-365: $200/day × 365 days = $73,000
Multi-year violation: $200/day × 1,095 days (3 years) = $219,000

Scenario 2: Registered But Missing All 3 New Disclosures
Foreign government disclosure failure: $200/day
Domestic government disclosure failure: $200/day
AI company disclosure failure: $200/day
Total daily penalty: $600/day
One quarter (90 days): $600/day × 90 = $54,000
One year: $600/day × 365 = $219,000

Scenario 3: Registered But Ignoring Deletion Requests
Existing daily penalty: $200/day for non-compliance
New per-request penalty: Additional fine for each unprocessed deletion request (regulations pending)
Hypothetical: If 100 consumers request deletion and you ignore them, you face $200/day PLUS 100 × per-request penalty
Projected annual cost: $73,000 (daily) + per-request fines = $100,000+

Real-World Enforcement Precedent

California Attorney General's Data Broker Enforcement (2022-2025):
2022: AG sent warning letters to 40+ unregistered data brokers
2023: First penalties assessed: $50,000-$200,000 settlements
2024: Ongoing investigations into non-compliance with deletion requests
2025: SB 361 passed after AG testified that existing penalties were "insufficient deterrent"

Why Penalties Doubled: California legislators found that $100/day penalties were too low to deter non-compliance. Data brokers were doing cost-benefit analysis: "We make $500K/year selling California data, so even if we get caught and fined $36,500 ($100/day for a year), we still profit $463,500." Doubling penalties to $200/day changes the math—but more importantly, it signals California's intent to aggressively enforce data broker transparency.

Who Enforces SB 361?
Primary enforcement: California Attorney General
Investigation triggers: Consumer complaints, AG audits, media reports
Enforcement priorities: Large data brokers, repeat offenders, high-profile cases
No private right of action: Consumers cannot sue for SB 361 violations (only AG can enforce)
CCPA overlap: Some conduct may violate both SB 361 and CCPA (which DOES allow private lawsuits)

Penalty Mitigation Strategies

What WON'T Save You:
• "We didn't know about the law" (ignorance is not a defense)
• "We're working on compliance" (deadline is hard: January 1, 2026)
• "It's technically difficult" (compliance complexity doesn't excuse violations)
• "Other companies aren't complying either" (AG loves making examples)

What MIGHT Help:
Good faith effort: Demonstrate you attempted compliance before deadline
Self-reporting: Proactively notify AG of compliance gaps and remediation plan
Rapid remediation: Fix violations immediately upon AG notice
Cooperation: Provide requested documentation, meet with investigators
Industry advocacy: Work with trade groups to seek regulatory clarification (but don't delay compliance)

The Deletion Request Penalty: A New Enforcement Tool

SB 361 adds penalties for failure to honor consumer deletion requests—a longstanding complaint about data brokers. While California's CCPA already required deletion rights, enforcement was limited. Now:
Data brokers must process deletion requests within 45 days (existing CCPA requirement)
Failure to delete = new penalties (regulations pending on exact amounts)
AG can audit deletion compliance (send test deletion requests, check if data actually deleted)
Repeat violations = escalating penalties (pattern of non-compliance = higher fines)

Why This Matters: Data brokers have historically ignored deletion requests because there was no real enforcement. Now, with per-request penalties PLUS daily penalties, the cost of ignoring deletion requests could exceed the revenue from keeping the data. Economic incentives finally align with privacy rights.


Who Is Affected: Am I a Data Broker Under SB 361?

🎯 Data Broker Self-Assessment Checklist

Core Question: Do you buy, sell, or share personal information of people you don't directly serve?

If you answer YES to all three of these questions, you're likely a data broker:

Question 1: Do you collect personal information about California residents?
Personal information includes: names, addresses, emails, phone numbers, device IDs, IP addresses, browsing history, purchase records, location data, social media activity, demographic data, inferred characteristics
California residents: Anyone physically located in California OR who provided a California address
Collection methods: Web scraping, purchasing from other brokers, public records, user-generated content, app data, third-party cookies, data partnerships

Question 2: Do you sell, license, or share that data with third parties for commercial purposes?
Sell: Exchange data for money
License: Grant access to data for a fee or other valuable consideration
Share for commercial purposes: Provide data to partners for targeted advertising, analytics, or business intelligence (even if no money changes hands, "valuable consideration" counts as a sale under CCPA)
Third parties: Anyone other than the data subject themselves

Question 3: Do you lack a direct relationship with the individuals whose data you're monetizing?
Direct relationship means: The person directly provided you their data in exchange for your service (e.g., they signed up for your app, bought from your store, subscribed to your newsletter)
No direct relationship means: You obtained their data from somewhere else (scraped it, bought it, inferred it, aggregated it from public sources) and they have no idea you exist

If You Answered YES to All Three: You're a Data Broker

Your SB 361 Compliance Obligations:
• ✓ Register with California Attorney General by January 31 annually
• ✓ Pay $400 annual registration fee
• ✓ Disclose whether you share data with foreign governments
• ✓ Disclose whether you share data with domestic government entities
• ✓ Disclose whether you share data with AI developers/providers
• ✓ Provide deletion mechanism for consumers
• ✓ Honor deletion requests within 45 days
• ✓ Update registration annually (due January 31)
• ✓ Maintain records of data sources, data types, data uses
• ✓ Comply with CCPA requirements (separate from data broker registry)

Common Business Models That Are Data Brokers

1. People Search Sites
Examples: Spokeo, BeenVerified, Intelius, PeopleFinders, Whitepages Premium
Business model: Aggregate public records (property, court, voter, business) + social media + data broker purchases, sell individual reports or subscriptions
SB 361 impact: Must disclose if they share data with foreign governments (do they sell to overseas investigators?), domestic law enforcement (do they provide data to police?), AI companies (do they license data for facial recognition training?)

2. Marketing Data Providers
Examples: Acxiom, Experian Marketing, Epsilon, LiveRamp, Oracle Data Cloud
Business model: Collect consumer data from thousands of sources, create detailed profiles, sell audience segments for targeted advertising
SB 361 impact: Almost certainly share data with AI companies (ad tech increasingly uses AI for targeting), may share with government (some have government contracts), unlikely to share with foreign governments (national security concerns limit this)

3. Data Aggregators for Lead Generation
Examples: ZoomInfo, Lusha, Seamless.AI, Hunter.io, RocketReach
Business model: Scrape business contact information from websites/LinkedIn/public sources, sell to sales teams
SB 361 impact: Likely share with AI companies (some use AI to verify/enrich data), unlikely to share with governments, unclear on foreign governments (do they have international customers?)

4. Ad Tech & Audience Data Platforms
Examples: The Trade Desk, LiveRamp, Neustar, Stirista
Business model: Collect browsing behavior, purchase data, app usage; create audience segments; sell to advertisers
SB 361 impact: Increasingly share with AI companies (AI-powered ad targeting), unlikely to share with governments directly (but may share with government contractors—does that count?)

5. Risk & Fraud Assessment Vendors
Examples: LexisNexis Risk Solutions, CoreLogic, TransUnion TruValidate, FICO
Business model: Collect financial, criminal, property, employment data; sell risk scores to lenders, insurers, employers
SB 361 impact: May share with government entities (law enforcement contracts), may share with AI companies (AI-powered fraud detection models), unclear on foreign governments

6. Health & Wellness Data Brokers
Examples: Epsilon Health, Acxiom Health, Crossix (Veeva), IQVIA
Business model: Collect health data from pharmacy loyalty programs, health apps, public records; sell to pharmaceutical companies for targeted marketing
SB 361 impact: May share with AI companies (AI drug discovery, health research), may share with government health agencies (research partnerships), unlikely to share with foreign governments (HIPAA/national security concerns)

Common Business Models That Are NOT Data Brokers

1. E-commerce Sites Selling Customer Data to Partners
Why NOT a data broker: Direct relationship with customers (they purchased from you)
What law applies instead: CCPA (must disclose data sharing, honor opt-outs)

2. Social Media Platforms Selling Ad Targeting Data
Why NOT a data broker: Direct relationship with users (they signed up for your platform)
What law applies instead: CCPA + FTC Section 5 (unfair/deceptive practices)

3. Apps Collecting and Monetizing User Data
Why NOT a data broker: Direct relationship with app users (they downloaded your app)
What law applies instead: CCPA + app store privacy policies

4. SaaS Companies Aggregating Customer Data for Internal Use
Why NOT a data broker: Direct relationship with customers + using data internally (not selling to third parties)
What law applies instead: CCPA (if selling data to third parties, becomes subject to data broker law)

The Gray Areas: When Legal Advice Is Essential

Gray Area 1: Do you sell "de-identified" or "anonymized" data?
Your argument: It's not personal information anymore, so data broker law doesn't apply
California AG's argument: If data can be re-identified (and most "anonymous" data can be), it's still personal information
Recommendation: Assume you're a data broker unless your de-identification meets CCPA's strict standards (and even then, err on the side of registration)

Gray Area 2: Do you share data with partners for "joint business purposes"?
Your argument: We're not selling, just collaborating
California AG's argument: If you receive "valuable consideration" (e.g., they share their data back, or provide services), it's a sale
Recommendation: If your partner has no direct relationship with your users, you're likely a data broker

Gray Area 3: Do you only collect public information?
Your argument: Public data is fair game, we're just aggregating what's already out there
California AG's argument: Doesn't matter where you got the data—if you sell it to third parties without consumer relationship, you're a data broker
Recommendation: Register as a data broker (this is not a gray area—you're definitely a data broker)

Your 72-Day Compliance Roadmap: What to Do Before January 1, 2026

⏰ Action Plan: SB 361 Compliance in 10 Weeks

Week 1 (October 21-27): Determine If You're a Data Broker

Day 1-2: Data Flow Mapping
Document all data collection sources: Website scraping, purchased lists, public records, APIs, partnerships, user uploads
Identify all data recipients: Who receives your data? Customers, partners, advertisers, researchers, government?
Map data types: What categories of personal information do you handle? (names, addresses, behavioral data, financial, health, etc.)

Day 3-4: Legal Analysis
Engage California privacy attorney: Don't DIY this—SB 361 penalties are expensive
Review existing CCPA compliance: Are you already registered as a data broker? Have you ignored the requirement until now?
Assess exemptions: Do any exemptions apply? (CRA, GLBA, HIPAA—but these are narrow)

Day 5-7: Stakeholder Alignment
Brief executive team: Explain SB 361 requirements, penalties, timeline
Notify affected departments: Legal, compliance, IT, sales/BD (who manages customer contracts)
Budget allocation: Registration fees ($400/year), legal costs ($10K-50K), implementation ($20K-100K depending on complexity)

Week 2-3 (October 28 - November 10): Audit Data Sharing Relationships

Foreign Government Data Sharing Audit
Review all customer contracts: Do any customers work for foreign governments? Are any customers foreign state-owned enterprises?
Check payment origins: Wire transfers from foreign government accounts?
Identify high-risk jurisdictions: China, Russia, Iran, North Korea = highest scrutiny; EU = disclosure required but lower controversy
Document findings: Create disclosure statement: "We have/have not shared data with foreign governments in the past 12 months. [If yes, specify countries/entities]."

Domestic Government Data Sharing Audit
Search contracts for .gov/.mil email domains: Federal, state, local government customers
Review law enforcement requests: Do you sell data to police, ICE, FBI, DEA?
Check government vendor portals: Are you registered on SAM.gov (federal contracting), state procurement systems?
Document findings: Create disclosure statement: "We have/have not shared data with domestic government entities. [If yes, specify agencies/purpose]."

AI Company Data Sharing Audit
Identify AI/ML customers: Review customer list for AI developers (OpenAI, Anthropic, Google DeepMind, Meta AI, Microsoft AI, Amazon AI, startups)
Check for AI use cases: Do any contracts mention "training data," "machine learning," "model development," "AI research"?
Review data licensing terms: What are customers allowed to do with your data? If license permits AI training, disclosure required
Survey major customers: Send questionnaire: "Do you use our data for AI/ML model training? If yes, please describe."
Document findings: Create disclosure statement: "We have/have not shared data with AI developers/providers. [If yes, specify use cases but NOT specific customer names unless required]."
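The three audits above share one shape: go through every recipient of your data, decide which of the three disclosure categories (foreign government, domestic government, AI developer/provider) it triggers, keep the evidence, and turn the result into a has/has-not statement. As an added example that is not from the article or any registry tool, the Python below runs that triage over a constructed recipient inventory. The keyword lists, government-name terms, high-scrutiny jurisdiction set, sample recipients and email domains are all assumptions for illustration; the findings are an internal audit sheet for counsel to review, not the text you file.

```python
"""Triage a data-recipient inventory against SB 361's three disclosure categories.

Added example, not from the original article. Keyword lists, jurisdiction lists
and the sample recipients are constructed for illustration; agree the real
trigger criteria with counsel before relying on the output.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumed trigger lists (constructed). Contract language that suggests AI use,
# name fragments that suggest a foreign public body, and the jurisdictions the
# article singles out for the highest scrutiny.
AI_TERMS = ("training data", "machine learning", "model development", "ai research", "fine-tuning")
GOV_NAME_TERMS = ("ministry", "government", "police", "bureau")
HIGH_SCRUTINY = {"CN", "RU", "IR", "KP"}
DOMESTIC_GOV_SUFFIXES = (".gov", ".mil")

LABELS = {
    "foreign_government": "foreign governments or persons acting on their behalf",
    "domestic_government": "U.S. federal, state, or local government entities",
    "ai_developer": "artificial intelligence developers or providers",
}


@dataclass(frozen=True)
class Recipient:
    name: str
    contact_email: str
    country: str            # ISO 3166 alpha-2; "US" is treated as domestic
    contract_text: str
    state_owned: bool = False   # result of the ownership review of this customer


@dataclass(frozen=True)
class Finding:
    recipient: str
    category: str           # one of LABELS' keys
    evidence: str           # why it was flagged, for the reviewer


def classify(r: Recipient) -> list[Finding]:
    """Return every disclosure category a recipient triggers, with the evidence."""
    findings: list[Finding] = []
    domain = r.contact_email.rsplit("@", 1)[-1].lower()
    name = r.name.lower()
    text = r.contract_text.lower()

    if r.country == "US":
        if domain.endswith(DOMESTIC_GOV_SUFFIXES):
            findings.append(Finding(r.name, "domestic_government", f"contact domain {domain}"))
    else:
        flag = "HIGH SCRUTINY " if r.country in HIGH_SCRUTINY else ""
        if r.state_owned:
            findings.append(Finding(r.name, "foreign_government", f"{flag}state-owned entity in {r.country}"))
        elif any(t in name for t in GOV_NAME_TERMS):
            findings.append(Finding(r.name, "foreign_government", f"{flag}government-style name, country {r.country}"))

    hits = [t for t in AI_TERMS if t in text]
    if hits:
        findings.append(Finding(r.name, "ai_developer", "contract mentions " + ", ".join(hits)))
    return findings


def audit(recipients: list[Recipient]) -> dict[str, list[Finding]]:
    """Group findings by category so each disclosure can be drafted from its own evidence."""
    grouped: dict[str, list[Finding]] = {k: [] for k in LABELS}
    for r in recipients:
        for f in classify(r):
            grouped[f.category].append(f)
    return grouped


def draft_statement(category: str, findings: list[Finding], company: str = "[Company Name]") -> str:
    """Internal draft of the has/has-not line; counsel decides what detail is filed."""
    who = LABELS[category]
    if not findings:
        return f"During the preceding 12 months, {company} has not knowingly shared personal information with {who}."
    names = sorted({f.recipient for f in findings})
    return (f"During the preceding 12 months, {company} has shared personal information with {who} "
            f"(internal note: {len(names)} recipient(s): {', '.join(names)}).")


# Constructed sample inventory: one ordinary advertiser, one domestic agency,
# one foreign state body, one AI customer.
SAMPLE_RECIPIENTS = [
    Recipient("Northwind Retail Analytics", "data@northwind.example", "US",
              "Licensee may use the data for audience segmentation and campaign measurement."),
    Recipient("Example County Sheriff's Office", "records@sheriff.example.gov", "US",
              "Annual subscription to people-search reports for investigative use."),
    Recipient("Ministry of Interior Data Unit", "procurement@interior.example.fr", "FR",
              "Bulk export of address and phone records under a government procurement contract.",
              state_owned=True),
    Recipient("Lumen AI Labs", "legal@lumenai.example", "US",
              "Licensor grants a licence to use the dataset as training data for machine learning models."),
]

if __name__ == "__main__":
    grouped = audit(SAMPLE_RECIPIENTS)
    for category, findings in grouped.items():
        print(draft_statement(category, findings))
        for f in findings:
            print("   -", f.recipient, "|", f.evidence)
```

Every flag carries its evidence so a reviewer can overrule a false positive (a foreign marketing firm with "bureau" in its name, say) without re-running the audit; the draft lines deliberately keep recipient names in an internal note, because the article's guidance is to disclose categories and use cases rather than customer names unless required.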

Week 4-5 (November 11-24): Build Compliance Infrastructure

Registration System Setup
Access California AG Data Broker Registry portal: https://oag.ca.gov/data-brokers
Gather required information:
• Legal business name, DBA names, parent company
• Primary business address
• Contact information for designated agent
• Description of data collection practices
• Categories of data collected
• Data sources
• Whether you allow opt-outs
• Link to your privacy policy
• NEW: Foreign government sharing disclosure
• NEW: Domestic government sharing disclosure
• NEW: AI company sharing disclosure
Prepare $400 registration fee payment

Deletion Request Workflow
Create deletion request web form: Must be "easy to find" on your website
Set up deletion processing system:
• Intake: How do requests arrive? (web form, email, phone, mail)
• Verification: How do you verify requester's identity? (email confirmation, ID verification for sensitive data)
• Fulfillment: How do you delete data across all systems? (production DB, backups, analytics, CRM, partners)
• Confirmation: How do you notify consumers deletion is complete? (email confirmation)
Document deletion procedures: Create internal policy (AG may audit this)
Train staff: Customer service, IT, legal must know how to process deletion requests
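The intake, verification, fulfillment and confirmation steps above, plus the 45-day clock, are easiest to get right when they are enforced by the tracking system rather than by memory. The Python below is an added example, not code from the article or any compliance product, of a small deletion-request tracker that refuses to delete anything before identity is verified, only reports "fulfilled" once every inventoried data store has confirmed, and lists requests approaching or past their deadline. The system inventory, the email-token verification scheme and the sample dates are assumptions for illustration.

```python
"""Deletion-request tracker: verified -> fulfilled across every system -> confirmed,
with a 45-day deadline check.

Added example, not part of the original article. SYSTEMS, the token-based
verification and the sample dates are constructed for illustration.
"""
from __future__ import annotations
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta

DEADLINE_DAYS = 45   # the CCPA response window the article cites
# Assumed inventory of every store that holds consumer data; deletion is not
# complete until each one has reported back.
SYSTEMS = ("production_db", "analytics_warehouse", "crm", "backup_snapshots", "partner_feeds")


@dataclass
class DeletionRequest:
    request_id: str
    email: str
    received: date
    channel: str                         # web_form | email | phone | mail
    status: str = "received"             # received -> verified -> fulfilled -> confirmed
    verify_token: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    deleted_from: set[str] = field(default_factory=set)

    @property
    def due(self) -> date:
        return self.received + timedelta(days=DEADLINE_DAYS)

    def days_left(self, today_iso: str) -> int:
        return (self.due - date.fromisoformat(today_iso)).days


def new_request(request_id: str, email: str, received_iso: str, channel: str) -> DeletionRequest:
    """Intake: record the request with the date it arrived; the token is emailed to the address on file."""
    return DeletionRequest(request_id, email, date.fromisoformat(received_iso), channel)


def verify(req: DeletionRequest, presented_token: str) -> bool:
    """Verification gate: the requester must echo the token sent to the email on file.
    Constant-time comparison so the token cannot be guessed through response timing."""
    if req.status != "received":
        return False
    if hmac.compare_digest(req.verify_token.encode(), presented_token.encode()):
        req.status = "verified"
        return True
    return False


def record_deletion(req: DeletionRequest, system: str) -> None:
    """Fulfillment: each store reports completion. Unknown systems are rejected so the
    inventory stays the source of truth, and nothing is deleted for an unverified request."""
    if system not in SYSTEMS:
        raise ValueError(f"unknown system {system!r}; add it to SYSTEMS if it holds consumer data")
    if req.status not in ("verified", "fulfilled"):
        raise RuntimeError("identity must be verified before any data is deleted")
    req.deleted_from.add(system)
    if req.deleted_from == set(SYSTEMS):
        req.status = "fulfilled"


def confirm(req: DeletionRequest) -> str:
    """Confirmation: the consumer is told only once every system has reported."""
    if req.status != "fulfilled":
        missing = sorted(set(SYSTEMS) - req.deleted_from)
        raise RuntimeError(f"not fulfilled; outstanding systems: {missing}")
    req.status = "confirmed"
    return f"Request {req.request_id}: your data was deleted from all {len(SYSTEMS)} systems."


def overdue_report(requests: list[DeletionRequest], today_iso: str) -> list[tuple[str, str, int]]:
    """(request_id, status, days_left) for every open request within 7 days of its
    deadline or already past it, soonest first; this is the morning review list."""
    out = []
    for r in requests:
        if r.status == "confirmed":
            continue
        left = r.days_left(today_iso)
        if left <= 7:
            out.append((r.request_id, r.status, left))
    return sorted(out, key=lambda t: t[2])


if __name__ == "__main__":
    # Constructed walk-through: one request handled end to end, one left to go stale.
    req = new_request("DR-0001", "consumer@example.com", "2026-01-02", "web_form")
    assert verify(req, req.verify_token)
    for s in SYSTEMS:
        record_deletion(req, s)
    print(confirm(req))
    stale = new_request("DR-0002", "someone@example.com", "2025-11-20", "email")
    print(overdue_report([req, stale], "2026-01-15"))
```

The test deletion requests the article recommends in Week 9 map directly onto this: submit through each channel, check that `record_deletion` is actually called for every entry in `SYSTEMS` (backups and partner feeds are the ones that get forgotten), and confirm that `overdue_report` surfaces anything sitting unverified for weeks.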

Ongoing Monitoring System
Contract review process: Every new customer contract must be reviewed for SB 361 implications (AI use, government entity, foreign government)
Quarterly audits: Review data sharing relationships every 3 months to catch changes before annual registration renewal
Legal updates tracking: Subscribe to California AG privacy newsletters, track SB 361 implementing regulations

Week 6-8 (November 25 - December 15): Draft and Review Disclosures

Registration Disclosure Drafting
Work with attorney to draft required disclosures: Language matters—over-disclosure creates liability, under-disclosure violates law
Executive review: CEO, General Counsel, Chief Privacy Officer must approve disclosures
Board notification: If publicly traded or VC-backed, brief board on SB 361 compliance and disclosures

Sample Disclosure Language (Consult Attorney Before Using)

Foreign Government Sharing: "During the preceding 12 months, [Company Name] has not knowingly shared personal information of California residents with foreign governments or persons acting on behalf of foreign governments."

OR (if you have shared):

"During the preceding 12 months, [Company Name] has shared personal information with the following categories of foreign entities: [European Union law enforcement agencies pursuant to GDPR-compliant legal process]. We have not shared data with foreign governments designated as adversaries by the U.S. government."

Domestic Government Sharing: "During the preceding 12 months, [Company Name] has provided personal information to U.S. government entities in the following contexts: [1) Compliance with legal process (subpoenas, warrants); 2) Contractual relationships with federal agencies for fraud prevention services]. We maintain records of all government data requests and comply with applicable transparency reporting requirements."

AI Company Sharing: "During the preceding 12 months, [Company Name] has not licensed or sold personal information to artificial intelligence developers or providers for the purpose of training machine learning models."

OR (if you have shared):

"During the preceding 12 months, [Company Name] has licensed aggregated and de-identified datasets to AI research organizations for the purpose of [fraud detection model development / natural language processing research]. These datasets do not contain directly identifiable personal information and are subject to contractual restrictions prohibiting re-identification."

Week 9 (December 16-22): Testing and Validation

Test Deletion Request Workflow
Submit test deletion requests: Have team members submit requests using various methods (web form, email, phone)
Verify processing: Confirm requests route correctly, staff follow procedures, deletions actually occur in databases
Time the process: Ensure you can complete deletion within 45-day requirement
Check confirmation process: Verify consumers receive confirmation of deletion

Validate Registration Information
Accuracy check: Review all registration fields for errors, typos, outdated information
Legal review: Attorney reviews full registration submission for legal sufficiency
Stakeholder approval: Get final sign-off from executives before submission

Week 10 (December 23-31): Final Submission Before Deadline

Submit Registration (BEFORE January 1, 2026)
Recommended submission date: December 20, 2025 (allows time for AG to process, request corrections)
Pay $400 registration fee
Submit complete registration form including all three new disclosures
Save confirmation: Print/PDF the confirmation page, save confirmation email
Calendar annual renewal: January 31, 2026 is the annual renewal deadline (but since you're registering in Dec 2025, your next renewal is January 31, 2027)

Final Compliance Checklist Before January 1, 2026
• ✓ Registration submitted and confirmed by California AG
• ✓ $400 fee paid
• ✓ All three new disclosures included (foreign government, domestic government, AI)
• ✓ Privacy policy updated to reflect data broker status and deletion rights
• ✓ Deletion request mechanism live and tested
• ✓ Staff trained on deletion request processing
• ✓ Ongoing monitoring system in place for new data sharing relationships
• ✓ Legal counsel on retainer for SB 361 questions
• ✓ Budget allocated for 2026 compliance costs (annual renewal, audits, potential investigations)

What Happens on January 1, 2026

If You're Compliant:
• Continue business as usual
• Process deletion requests as they arrive
• Monitor data sharing relationships for changes requiring updated disclosures
• Prepare for January 31, 2027 annual renewal

If You're Non-Compliant:
Day 1 penalty: $200/day starts accruing immediately
30 days: $6,000 in penalties (likely AG sends warning letter)
60 days: $12,000 in penalties (AG may initiate investigation)
90 days: $18,000 in penalties (AG likely assesses penalties, demands compliance)
180 days: $36,000 in penalties + legal fees to fight AG enforcement
365 days: $73,000 in penalties + potential criminal referral for willful violations

Compliance Is Cheaper Than Penalties
Estimated compliance cost: $30K-100K (legal + implementation)
One year of penalties: $73K (registration) + $219K (missing all 3 disclosures) = $292K
Plus: Legal fees to defend AG enforcement ($50K-200K), reputational damage (priceless)

ROI on Compliance: Avoiding $292K in penalties for $50K in compliance costs = 484% return

Why SB 361 Matters: The Bigger Picture of Data Broker Regulation

🌍 California Leads, Nation Follows

The Data Broker Regulation Trend

California isn't alone in targeting data brokers. As of October 2025:

States with Data Broker Laws:
Vermont: First state with data broker registry (2018), requires registration + data security programs
California: Data broker registry (2020), now enhanced by SB 361 (2025)
Texas: Data broker registration law (SB 2105, 2023) requires registration with the Secretary of State and a written information security program; the Texas Data Privacy and Security Act (2024) adds general consumer privacy rights
Oregon: Data broker registry (HB 2052, 2023) requires registration with the Department of Consumer and Business Services; the Oregon Consumer Privacy Act (2024) adds consumer opt-out rights
Montana: Consumer Data Privacy Act (2024) includes data broker transparency

States Considering Data Broker Legislation (2026):
• New York: Proposes data broker licensing + annual audits
• Massachusetts: Considering data broker moratorium for AI training data
• Illinois: Biometric data broker restrictions (expansion of BIPA)
• Washington: Data broker registration similar to California

Why Data Brokers Are in Regulators' Crosshairs

1. National Security Concerns
TikTok controversy: Highlighted risks of foreign adversaries accessing U.S. citizen data
Data broker loophole: Foreign governments can buy data from U.S. brokers instead of hacking
Military/intelligence risk: Location data of service members, government employees sold commercially
Response: SB 361's foreign government disclosure requirement addresses this directly

2. Law Enforcement Warrantless Surveillance
Fourth Amendment concerns: Police buying data instead of getting warrants
Supreme Court precedent: Carpenter v. United States (2018) held that government acquisition of historical cell-site location records is a Fourth Amendment search that generally requires a warrant; buying equivalent location data from brokers sidesteps that holding
Civil liberties advocacy: ACLU, EFF pushing for transparency in government data purchases
Response: SB 361's domestic government disclosure shines light on these practices

3. AI Training Data Ethics
Consent gap: People's data used to train AI without permission
Ongoing litigation: Class actions against OpenAI, Meta, Google for unauthorized data use
Creative industry backlash: Artists, writers, musicians opposing AI training on their work
Response: SB 361's AI disclosure requirement is first-in-nation addressing this

4. Consumer Powerlessness
Invisible industry: Most people don't know data brokers exist
Inability to opt out: Data brokers make it difficult/impossible to delete your data
Accuracy problems: Incorrect data sold to employers, landlords, lenders
Response: SB 361's enhanced deletion penalties + transparency requirements

Federal Momentum: Is National Data Broker Regulation Coming?

Congressional Activity (2024-2025):
American Data Privacy and Protection Act (ADPPA): Proposed federal privacy law includes data broker provisions (stalled in Congress)
Fourth Amendment Is Not For Sale Act: Bipartisan bill that would bar law enforcement and intelligence agencies from buying data they would otherwise need a warrant or court order to obtain (passed the House in April 2024, not enacted)
FTC enforcement: Lawsuit against Kochava over the sale of precise geolocation data; settlements with X-Mode/Outlogic and InMarket barring the sale of sensitive location data
FCC actions: Fined AT&T, Verizon, T-Mobile and Sprint nearly $200 million combined in 2024 for selling customer location data to aggregators that resold it to brokers

Likelihood of Federal Data Broker Law:
Bipartisan support: Both parties concerned (Republicans: national security, Democrats: privacy)
Industry resistance: Data broker lobby fighting federal regulation
State preemption risk: Industry wants weak federal law to override strong state laws like SB 361
Timeline: Unlikely before 2027 (post-2026 elections)

What This Means for Data Brokers: California's SB 361 is likely a preview of federal requirements. If you comply now, you'll be ahead of the curve when federal law eventually passes. If you wait, you'll face compliance whiplash.

The AI Training Data Debate: SB 361's Most Consequential Provision

Why AI Disclosure Requirement Is Groundbreaking

Before SB 361:
No transparency: AI companies secretive about training data sources
No accountability: Data brokers could sell to AI companies without disclosure
No consent: People had no way to know their data was training AI

After SB 361 (January 1, 2026):
Forced transparency: Data brokers must disclose AI data sharing
Public accountability: Disclosures are public record (journalists can investigate)
Market pressure: Consumers can boycott data brokers supplying AI training data
Litigation evidence: Disclosures create paper trail for class action lawsuits

Potential Impacts on AI Industry

Scenario 1: AI Companies Stop Buying from Data Brokers
• Shift to first-party data (data they collect directly)
• Increase web scraping (until that gets regulated too)
• Focus on synthetic data (AI-generated training data)
• Partner with platforms (Reddit, Stack Overflow, news publishers) for licensed data

Scenario 2: Data Brokers Refuse to Disclose AI Sharing
• Stop selling to AI companies to avoid disclosure requirements
• Lose significant revenue stream (AI training data is lucrative)
• AI companies create their own data collection operations

Scenario 3: Market Normalizes AI Training Data Disclosure
• Disclosure becomes standard, consumers accept it
• Pressure shifts to AI companies to compensate data subjects
• New business models emerge: "Sell your data to AI companies, earn money"

Most Likely Outcome: Combination of all three—some AI companies will stop buying from brokers, some brokers will exit the AI data market, and the market will gradually normalize with increased transparency and eventual compensation models for data subjects.

What's Next: Regulations and Enforcement in 2026

California AG Implementation Timeline (Projected):
January 2026: SB 361 takes effect, registration portal updated
Q1 2026: AG issues guidance on disclosure requirements (what constitutes "AI provider," how to verify foreign government sharing, etc.)
Q2 2026: First compliance audits, AG sends warning letters to obvious violators
Q3 2026: First penalties assessed against high-profile non-compliant data brokers
Q4 2026: First enforcement actions, settlements, media coverage

Industry Response (Projected):
Trade associations (Interactive Advertising Bureau; Association of National Advertisers, which absorbed the Data & Marketing Association) will seek regulatory clarification
Lobbying for amendments to narrow AI disclosure requirements
Litigation challenging SB 361 as preempted by federal law (unlikely to succeed)
Compliance technology vendors will offer SB 361 compliance tools

Consumer Advocacy Response (Projected):
Investigations using public disclosures to expose data broker practices
Media coverage of which data brokers are selling to AI companies
Class action lawsuits based on disclosure revelations
Legislation push for even stronger data broker restrictions

Bottom Line for Data Brokers: SB 361 is the beginning, not the end, of data broker regulation. If you think compliance is expensive and burdensome now, wait until:
• Federal law adds more requirements
• More states pass conflicting laws
• EU-style consent requirements come to the U.S.
• AI training data becomes regulated separately

The smart move: Comply now, advocate for reasonable regulations, prepare for more restrictions in the future.

California's SB 361 represents a pivotal moment in data privacy regulation—not because it bans data brokers or prohibits data sales, but because it forces transparency in areas that have operated in the shadows for decades. The requirement to disclose data sharing with foreign governments, domestic agencies, and AI developers will reveal practices that most consumers don't know exist and many would find objectionable if they did.

For data brokers, the next 72 days are critical. The January 1, 2026 deadline isn't negotiable, and the doubled penalties ($200/day) aren't symbolic—California's Attorney General has a proven track record of aggressive privacy enforcement. The cost of non-compliance (potential six-figure penalties, legal fees, reputational damage) vastly exceeds the cost of compliance (estimated $30K-100K for most businesses).

But beyond the immediate compliance burden, SB 361 signals where data privacy regulation is heading. California's AI training data disclosure requirement is the first in the nation—and likely a preview of federal requirements to come. The data broker business model that thrived in regulatory obscurity is entering an era of mandatory transparency, accountability, and consumer rights enforcement.

For businesses unsure whether they're data brokers: When in doubt, assume you are and consult legal counsel immediately. The penalties for guessing wrong are severe, and the Attorney General has broad discretion to interpret the law. For businesses certain they're data brokers: Start your compliance audit today. Ten weeks may sound like ample time, but mapping data flows, auditing customer relationships, drafting legally sufficient disclosures, and implementing deletion workflows takes longer than you think.

The data broker industry is at a crossroads. SB 361 offers a choice: embrace transparency and adapt to a privacy-conscious future, or fight regulation and face escalating legal and reputational costs. The businesses that will thrive in 2026 and beyond are the ones that view privacy compliance not as a burden but as a competitive advantage—a way to differentiate themselves as trustworthy stewards of consumer data in an industry notorious for opacity.

The clock is ticking. January 1, 2026 is 72 days away. What will your disclosure say?
