Skip to Content
Client Payment

Events In the News

California Brings New Enforcement Actions Against Data Brokers

on Tuesday, 27 January 2026 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

On January 8, 2026, the California Privacy Protection Agency Board (the “Board”) issued two decisions against data providers for failure to register as data brokers under California’s Delete Act (“Act”).

The Act includes a broad definition of “data broker.”  The Act defines a data broker as any “business that knowingly collects and sells the personal information of a consumer with whom the business does not have a direct relationship.”  A business that does not identify as a data broker may nevertheless fall within the scope of the Act’s definition if they “sell” or “share” personal information collected outside a direct relationship or rely on data sourced from third parties.

Recall, however, that the Delete Act regulations clarify that businesses should not assume they are exempt from registration since even consumer-facing businesses may qualify as data brokers if the business “also sells personal information about the consumer that the business did not collect directly from the consumer.”

The first decision requires S&P Global, Inc., a New York-based provider of data and technology, to pay a $62,600 fine for failing to register as a data broker due to an administrative error. In addition to the fine, the decision requires S&P Global to adopt procedures for registration and compliance auditing to prevent similar errors in the future.

The Delete Act requires data brokers to register with the California Privacy Protection Agency annually in January and pay a fee that funds the Data Broker Registry and the Delete Request and Opt-out Platform (“DROP”).  DROP is a first in the nation mechanism that allows consumers to direct all data brokers to delete their personal information through a single request.  DROP was signed into law in October 2023, and requires data brokers to register annually, to provide enhanced disclosures to consumers, and (effective January 1, 2025) mandatorily participate in a centralized deletion-request platform administered by the agency.

The second decision requires Datamasters, a Texas-based reseller of personal information for targeted advertising, to pay a $45,000 fine for failing to register as a data broker in violation of the Delete Act. The decision also orders the company to permanently stop selling the personal information of California residents. 

Pursuant to the decision, Datamasters bought and resold the information of millions of people with Alzheimer’s disease, drug addiction, bladder incontinence, and other health conditions for targeted advertising without registering with the California Data Broker Registry.  The enforcement action also states that Datamasters sold lists based on age and perceived race, offering “Senior Lists” and “Hispanic Lists,” as well as lists based on political views, grocery store purchases, banking activity, and health-related purchases.  The data consisted of hundreds of millions of records including names, email addresses, physical addresses, and phone numbers.

Grayson J. Derrick
back

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500

Law Firm Website Design