CalPrivacy Data Broker Registration Enforcement Advisory

Newsroom

CalPrivacy Issues Enforcement Advisory Highlighting Data Broker Registration

December 17, 2025

SACRAMENTO, CA — CalPrivacy has issued Enforcement Advisory No. 2025-01, addressing data broker registration requirements related to trade names, websites, and parent or subsidiary relationships.

Data brokers operate in a billion-dollar industry collecting and selling consumers’ personal information. Under California’s Delete Act, businesses that operated as data brokers in the prior year must register with the agency by January 31 each year, disclose certain information, and pay an annual fee that funds CalPrivacy’s Data Broker Registry. Those fees also fund a first-of-its-kind deletion mechanism, called the Delete Request and Opt-Out Platform (DROP), which will allow consumers to direct all registered data brokers to delete their personal information with a single request. DROP will be available to consumers January 1, 2026.

According to the advisory, some data brokers may be making it difficult for consumers to identify them by using trade names or websites that do not appear on their annual registration. The advisory highlights the requirement that data brokers disclose all trade names and website addresses through which they provide services. It also emphasizes that data brokers must register independently, rather than pointing to a parent company’s or affiliated entity’s registration.

Data brokers that fail to register face administrative fines of $200 per day in addition to registration fees and expenses CalPrivacy incurs in pursuing the case.

“The rules of the road are clear, and we expect data brokers will register as required,” said Michael Macko, CalPrivacy’s head of enforcement. “We will continue using all available tools to investigate potential violations and bring enforcement actions where appropriate.”

“We want to make it as easy as possible for Californians to exercise their privacy rights,” said Tom Kemp, CalPrivacy’s Executive Director. “With the next registration deadline around the corner, this advisory serves as a reminder for data brokers to register before they hear from us.”

CalPrivacy issues periodic enforcement advisories on aspects of the California Consumer Privacy Act and the Delete Act. These advisories provide observations from the Enforcement Division to help educate the public and businesses about their rights and responsibilities.

If consumers think a business is operating as an unregistered data broker, they should report it via the agency’s complaint form. Californians can also learn more about their rights and how to exercise those rights at Privacy.ca.gov.

CalPrivacy’s Recent Enforcement Actions to Protect Californians

CalPrivacy is actively enforcing California’s cutting-edge privacy laws. Recent actions include:

• Requiring ROR Partners LLC, a Nevada-based marketing firm catering to fitness and wellness brands, to pay $56,600 in fines and past-due fees for failing to register as a data broker. The case was brought as part of CalPrivacy’s Data Broker Enforcement Strike Force.
• Issuing a decision requiring Tractor Supply Company, the nation’s largest rural lifestyle retailer, to pay a $1.35 million fine and change its business practices for CCPA violations.
• Issuing a decision requiring a nationwide clothing retailer, Todd Snyder, Inc., to change its business practices and pay a $345,178 fine for CCPA violations.
• Issuing a decision requiring American Honda Motor Co. to change its business practices and pay a $632,500 fine for CCPA violations.
• Securing a settlement agreement requiring data broker Background Alert — which promoted its ability to dig up “scary” amounts of information about people — to shut down or pay a steep fine.
• Bringing a half-dozen enforcement actions against additional unregistered data brokers.
• Launching the bipartisan Consortium of Privacy Regulators to collaborate with states across the country to implement and enforce privacy laws nationwide.
• Partnering with the data protection authorities in Korea, France, and the United Kingdom to share information and advance privacy protections for Californians.

About Us

The California Privacy Protection Agency (CalPrivacy) is committed to promoting the education and awareness of consumers’ privacy rights and businesses’ responsibilities under the California Consumer Privacy Act, Delete Act, and Opt-Me Out Act.

Consumers can visit Privacy.ca.gov to access helpful and up-to-date information on how to exercise their rights, protect their personal information, and learn about the Delete Request and Opt-out Platform (DROP). In addition, CalPrivacy’s website provides important information about Board Meetings, announcements, and the rulemaking process.

About

• About CalPrivacy
• Blog
• Subscribe
• Contact us

Businesses

• Business resources
• Data brokers
• Data broker registry Website Accessibility Certification