Navigating California’s Data Broker Requirements in 2026

California’s data broker regulations continue to evolve, raising important compliance questions for businesses that compile and license personal data, including what constitutes a data broker and what obligations attach to those businesses. Those questions are often not straightforward, especially where personal information is collected through publicly available databases. Companies operating in B2B data markets should review and assess their obligations under the California Consumer Privacy Act (CCPA) and California’s Data Broker Law as updated by SB 362 and SB 361.

SB 362 and SB 361 amended California’s Data Broker Law by adding new obligations for businesses that qualify as data brokers: SB 362 (the “Delete Act”) established a centralized deletion mechanism and new operational requirements, including the Delete Request and Opt-out Platform (“DROP”) system, while SB 361 (the “Defending Californians’ Data Act”) expanded registration disclosure and transparency obligations.

When Does a Business Qualify as a Data Broker?

A “data broker” is a business that knowingly collects and sells personal information about consumers with whom it does not have a direct relationship. This definition incorporates key terms from the CCPA, including “personal information” and “sale.”

A critical threshold issue is whether the data being collected and sold qualifies as “personal information.” “Sale,” here and under the CCPA, means to sell, rent, disclose, make available, or otherwise disseminate a consumer’s personal information in exchange for monetary or other valuable consideration. And “personal information” is information that identifies, relates to, or could reasonably be linked with a consumer or a consumer’s household.

The CCPA excludes certain publicly available information from the definition of personal information, including information lawfully made available from federal, state, or local government records, certain information made available to the general public by the consumer or from widely distributed media, and certain information made available by a person to whom the consumer disclosed the information, if the consumer has not restricted it to a specific audience.

As a result, a business that collects and sells only publicly available information may not be handling “personal information” for purposes of the data broker definition. However, there is no categorical exemption for businesses that rely on public records. The analysis turns on whether the data retains its status as publicly available information or is transformed through the business’s aggregation, enhancement, or licensing practices.

For companies that compile professional contact data from licensing boards or government registries, this distinction can be outcome-determinative. While the CCPA excludes certain publicly available information from the definition of personal information, the analysis may become more complex where that data is aggregated, enhanced, or combined with other sources, raising questions as to whether the resulting dataset continues to qualify as publicly available information.

Do Data Brokers Have to Delete Public Record Data?

An important nuance is that DROP changes how consumers submit deletion requests, but it does not eliminate existing statutory limitations on consumer rights under the CCPA.

Upon receiving a DROP request, a data broker must delete the consumer’s personal information in its possession. Critically, however, under the CCPA, publicly available information is excluded from the definition of personal information for certain purposes. As a result, CCPA consumer rights, including the right to deletion, generally do not apply to such information.

CalPrivacy guidance reinforces this point, stating that businesses may deny consumer requests, including deletion requests, where the information at issue is “publicly available information” or otherwise exempt from the CCPA. More broadly, data brokers may retain personal information if an applicable CalPrivacy deletion exception applies. These
exceptions include, among others, completing transactions, security and fraud prevention, legal compliance, and internal operational uses. When an exception applies, the business must limit use of retained data to the purpose justifying retention.

At the same time, businesses should avoid treating this as a blanket exemption. Whether information qualifies as publicly available is a fact-specific inquiry, particularly where data is aggregated, enhanced, or combined with other datasets. If a business holds both exempt publicly available information and non-exempt personal information about a consumer, the non-exempt data may still need to be deleted in response to a request.

In addition, even where a deletion request is denied, other obligations may still apply. For example, if a business sells or shares personal information, it must still inform consumers of their right to opt out of such sale or sharing.

Accordingly, while DROP introduces new operational requirements for processing deletion requests, it does not expand the scope of what information must ultimately be deleted under the CCPA. Depending on the volume and type of data collected, this process could take time, so businesses may want to start categorizing their data now, ahead of the August 1 deadline to begin processing deletion requests.

“Direct Relationship” Interpretation

The Data Broker Law also requires that the business lack a “direct relationship” with consumers. The recent Delete Act regulations add crucial context defining a
direct relationship as one in which the “consumer has intentionally interacted with a business for the purpose of accessing, purchasing, using, requesting, or obtaining information about the business’s products or services.”

This definition is important for businesses that collect data through indirect or passive means, including third-party tracking technologies, data append services, or third-party datasets. A business should not assume that collecting data directly from a consumer necessarily creates a direct relationship. The consumer’s interaction must be intentional and
directed to the business’s own products or services.

Even with this definition, important questions remain. For example, businesses may still need to assess how the concept applies in attenuated B2B contexts, whether particular interactions with individual business representatives are sufficient, and how data obtained outside a first-party interaction should be treated. These issues require careful, fact-specific analysis.

2026 Compliance Timeline and Requirements

While determining whether a company is a data broker can be complicated, once that determination has been made, the compliance timeline and requirements are more straightforward. Businesses that qualify as data brokers face several key obligations beginning in 2026:

Registration: Data brokers must register annually with CalPrivacy (formerly the CPPA) by January 31 following each year in which they meet the definition.
DROP System: As part of registration, businesses must create an account on CalPrivacy’s Delete Request and Opt-Out Platform (DROP), which took effect on January 1, 2026. Then, beginning August 1, 2026, data brokers must access the DROP system at least once every 45 days and process verified deletion requests through it, subject to statutory exceptions. While this obligation does not affect whether the Company must register for 2026, it is a new material operational compliance requirement after registration.
Metrics Reporting: By July 1 each year, data brokers must publish detailed metrics in their privacy policies regarding consumer requests, including the number of requests received, fulfilled, and denied, and response times.
Audits: Starting January 1, 2028, data brokers must undergo independent third-party audits every three years and maintain audit records for six years.

SB 362 and SB 361 expand disclosure and operational requirements, including more detailed reporting on the categories of personal information collected and consumer request handling.

Enforcement Risk and Prior-Year Exposure

CalPrivacy has made data broker compliance a clear enforcement priority. The agency has conducted enforcement sweeps and entered into settlements with data brokers for violations of the Delete Act, signaling increased scrutiny.

Failure to comply with registration requirements can result in:

Administrative fines of $200 per day of non-compliance;
Payment of unpaid registration fees; and
Recovery of CalPrivacy’s investigative and enforcement costs.

Separate penalties may apply for failure to comply with deletion requirements, including fines of $200 per day per unfulfilled deletion request.

In addition, CalPrivacy and the California Attorney General may seek civil penalties of up to $2,663 per violation and $7,988 per intentional violation, including for violations involving minors. Importantly, these penalties may apply not only to current violations, but also to prior-year conduct within the applicable statute of limitations.

Key Takeaways

For B2B businesses that license or monetize data, several takeaways emerge:

Public record sourcing does not automatically resolve data broker status.
Whether data qualifies as “publicly available” under the CCPA is a critical threshold issue.
The meaning of “direct relationship” requires careful, fact-specific legal analysis.
2026 introduces significant new operational obligations, including DROP-based deletion workflows.
Enforcement is active, and non-compliance carries meaningful financial and operational risk.

Given these developments, businesses should evaluate their data practices now to determine whether they may qualify as data brokers and to prepare for upcoming registration and compliance requirements.

If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.