CalPrivacy Fines ROR Partners for Data Broker Violations

CA CPPA Newsroom

Filed December 3rd, 2025

Detected February 27th, 2026

Summary

The California Privacy Protection Agency has fined ROR Partners LLC $56,600 for failing to register as a data broker as required by the Delete Act. The marketing firm was found to have collected and sold extensive consumer data without proper registration, highlighting the agency's focus on data broker compliance.

View original document View source feed page

What changed

The California Privacy Protection Agency (CalPrivacy) has issued a decision fining ROR Partners LLC, a Nevada-based marketing firm, $56,600 for violating California's Delete Act by failing to register as a data broker. The firm collected and sold detailed consumer profiles and custom audience lists, involving billions of data points and affecting over 262 million Americans, without registering in the California Data Broker Registry. The decision clarifies that selling personal information as part of a larger service package still constitutes a sale under CCPA and Delete Act requirements.

This enforcement action signals CalPrivacy's commitment to scrutinizing advertising and marketing firms that operate as data brokers. Businesses engaged in collecting and selling personal information, or trafficking in consumer profiles, must ensure they are properly registered with CalPrivacy. The agency emphasizes that failure to register is a violation, and upcoming deadlines for data broker registration and the implementation of the consumer deletion mechanism (DROP) in 2026 underscore the urgency for businesses to review their data practices and ensure compliance with California's privacy laws.

What to do next

Review data collection and sales practices to determine if data broker registration is required under California law.
If operating as a data broker, ensure timely registration with the California Data Broker Registry.
Update business practices to comply with CCPA and Delete Act requirements regarding the sale of personal information and consumer data.

Penalties

$56,600 in fines and past-due fees

Source document (simplified)

Newsroom

CalPrivacy Fines Marketing Firm for Selling Custom Audiences Without Data Broker Registration

December 3, 2025

SACRAMENTO, CA — The California Privacy Protection Agency Board has issued a decision requiring ROR Partners LLC, a Nevada-based marketing firm catering to fitness and wellness brands, to pay $56,600 in fines and past-due fees for failing to register as a data broker in violation of California’s Delete Act. The Enforcement Division brought the case as part of its Data Broker Enforcement Strike Force, announced a few weeks ago.

According to the decision, ROR Partners used “billions of data points” to build detailed consumer profiles and custom audience lists that its clients could use for targeted advertising. Its activities resulted in a “rich repository” of demographic, socioeconomic, and behavioral data about more than 262 million Americans. ROR Partners then used the data to draw inferences about consumers and their expected behaviors. For example, ROR Partners might identify consumers who frequently attend health clubs, place those consumers into a custom audience segment related to fitness, and sell that information to health clubs for targeted advertising. The company engaged in these activities in 2024 without registering in the California Data Broker Registry.

The decision underscores that advertising and marketing firms can operate as data brokers if they collect and sell Californians’ personal information, regardless of whether the firms bundle the personal information into something bigger. “A sale is a sale,” the decision states. “A business cannot bypass the CCPA’s and the Delete Act’s requirements by selling personal information as part of a larger suite of products and services it offers.”

“Businesses need to take seriously the privacy risks of collecting personal information, especially when they use it for targeted advertising,” said Michael Macko, the head of enforcement at CalPrivacy. “We will scrutinize any business that walks and talks like a data broker to make sure it’s registered, and we will continue to examine businesses that create inferences about consumers to profile them. Consumer profiles are protected personal information under the CCPA, and you could be a data broker by trafficking in them.”

The Delete Act requires data brokers to register with CalPrivacy annually in January, and pay a fee that funds the Data Broker Registry and the Delete Request and Opt-Out Platform (DROP). DROP is a first-of-its-kind deletion mechanism that will allow consumers to direct all data brokers to delete their personal information in a single request. DROP will be available to consumers in 2026.

“With next year’s registration deadline approaching, now is the time for businesses to evaluate whether they engaged in data broker activity over the past year. If they did, they must register with us,” said Tom Kemp, CalPrivacy’s Executive Director. “And in less than a month, Californians will be able to request that data brokers delete their personal information by using DROP.”

CalPrivacy’s Recent Enforcement Actions to Protect Californians

CalPrivacy continues to actively enforce California’s cutting-edge privacy laws. Recent actions include:

Issuing a decision requiring Tractor Supply Company, the nation’s largest rural lifestyle retailer, to pay a $1.35M fine and change its business practices for CCPA violations.
Issuing a decision requiring a nationwide clothing retailer, Todd Snyder, Inc., to change its business practices and pay a $345,178 fine for CCPA violations.
Issuing a decision requiring American Honda Motor Co. to change its business practices and pay a $632,500 fine for CCPA violations.
Securing a settlement agreement requiring data broker Background Alert — which promoted its ability to dig up “scary” amounts of information about people – to shut down or pay a steep fine.
Bringing a half-dozen enforcement actions against additional unregistered data brokers.
Launching the bipartisan Consortium of Privacy Regulators to collaborate with states across the country to implement and enforce privacy laws nationwide.
Partnering with the data protection authorities in Korea, France, and the United Kingdom to share information and advance privacy protections for Californians.

About Us

The California Privacy Protection Agency (CalPrivacy) is committed to promoting the education and awareness of consumers’ privacy rights and businesses’ responsibilities under the California Consumer Privacy Act, Delete Act, and Opt-Me Out Act.

Consumers can visit Privacy.ca.gov to access helpful and up-to-date information on how to exercise their rights, protect their personal information, and learn about the Delete Request and Opt-out Platform (DROP). In addition, CalPrivacy’s website provides important information about Board Meetings, announcements, and the rulemaking process.