CPPA Fines Data Brokers for Registration Violations

CA CPPA Newsroom

Filed January 8th, 2026

Detected February 27th, 2026

Summary

The California Privacy Protection Agency (CPPA) has issued enforcement actions against two data brokers, Rickenbacher Data LLC (d/b/a Datamasters) and S&P Global, Inc., for failing to register as required by California's Delete Act. Datamasters was fined $45,000 and ordered to stop selling personal information, while S&P Global was fined $62,600.

View original document View source feed page

What changed

The California Privacy Protection Agency (CPPA) has finalized two enforcement actions against data brokers for violations of the state's privacy laws, specifically the Delete Act. Rickenbacher Data LLC (d/b/a Datamasters) received a $45,000 fine and an order to cease selling all personal information of Californians for failing to register as a data broker. S&P Global, Inc. was fined $62,600 due to an administrative error that led to its failure to register. Both actions stem from the Data Broker Enforcement Strike Force's efforts to ensure compliance with data broker registration requirements.

These decisions highlight the CPPA's active enforcement posture and the potential consequences for non-compliance with data broker regulations. Regulated entities, particularly those operating in California and dealing with personal information, must ensure they are properly registered and compliant with all requirements of the Delete Act. Failure to do so can result in significant fines and operational restrictions. Companies should review their internal processes to prevent registration errors and ensure ongoing compliance with consumer privacy laws.

What to do next

Verify data broker registration status with the CPPA
Review and update internal processes to ensure compliance with California's Delete Act registration requirements
Assess business practices related to the sale of personal information to ensure adherence to privacy regulations

Penalties

Rickenbacher Data LLC (d/b/a Datamasters) fined $45,000 and ordered to stop selling personal information. S&P Global, Inc. fined $62,600.

Source document (simplified)

Newsroom

CalPrivacy Brings New Round of Enforcement Actions Against Data Brokers

Marketing firm that sold lists of people with serious health conditions must pay fine and stop selling Californians’ personal information

January 8, 2026

SACRAMENTO, CA — The California Privacy Protection Agency Board has issued two new decisions following settlements reached by the Enforcement Division’s Data Broker Enforcement Strike Force.

The first decision requires Rickenbacher Data LLC, d/b/a Datamasters, a Texas-based reseller of personal information for targeted advertising, to pay a $45,000 fine for failing to register as a data broker in violation of California’s Delete Act. The decision also orders the company to stop selling all Californians’ personal information.

According to the decision, Datamasters bought and resold the names, addresses, phone numbers, and email addresses of millions of people with Alzheimer’s disease, drug addiction, bladder incontinence, and other health conditions for targeted advertising. In addition, Datamasters bought and resold lists of people based on age and perceived race, offering “Senior Lists” and “Hispanic Lists,” as well as lists based on political views, grocery store purchases, banking activity, and health-related purchases. The company engaged in these activities in 2024 without registering with the California Data Broker Registry.

As a result of the Board’s decision, Datamasters will stop selling all forms of personal information about Californians, effectively removing it from the marketplace in California.

“Reselling lists of people battling Alzheimer’s disease is a recipe for trouble,” said Michael Macko, the head of enforcement at CalPrivacy. “In the wrong hands, these lists could be used to target people for more than just advertising. The same risks apply to selling lists of seniors, people who identify as conservative or liberal, or people who purchase sensitive health products. History teaches us that certain types of lists can be dangerous.”

“Californians have a clear way to push back and regain control now that CalPrivacy’s DROP system is live,” said Tom Kemp, the agency’s executive director. “If you are concerned about data brokers selling your personal information, I highly recommend that you sign up for DROP.”

The second decision requires S&P Global, Inc., a New York-based provider of data and technology, to pay a $62,600 fine for failing to register as a data broker due to an administrative error. In addition to the fine, the decision requires S&P Global to adopt procedures for registration and compliance auditing to prevent similar errors in the future.

The Delete Act requires data brokers to register with CalPrivacy annually in January and pay a fee that funds the Data Broker Registry and the Delete Request and Opt-out Platform (DROP). DROP is a first-of-its-kind deletion mechanism that allows consumers to direct all data brokers to delete their personal information in a single request.

CalPrivacy’s Recent Enforcement Actions to Protect Californians

CalPrivacy is actively enforcing California’s cutting-edge privacy laws. Recent actions include:

Issuing a decision requiring Tractor Supply Company, the nation’s largest rural lifestyle retailer, to pay a $1.35 million fine and change its business practices for CCPA violations.
Issuing a decision requiring a nationwide clothing retailer, Todd Snyder, Inc., to change its business practices and pay a $345,178 fine for CCPA violations.
Issuing a decision requiring American Honda Motor Co. to change its business practices and pay a $632,500 fine for CCPA violations.
Securing a settlement agreement requiring data broker Background Alert — which promoted its ability to dig up “scary” amounts of information about people — to shut down or pay a steep fine.
Bringing more than ten enforcement actions against additional unregistered data brokers.
Launching the bipartisan Consortium of Privacy Regulators to collaborate with states across the country to implement and enforce privacy laws nationwide.
Partnering with the data protection authorities in Korea, France, and the United Kingdom to share information and advance privacy protections for Californians.

About Us

The California Privacy Protection Agency (CalPrivacy) is committed to promoting the education and awareness of consumers’ privacy rights and businesses’ responsibilities under the California Consumer Privacy Act, Delete Act, and Opt Me Out Act.

Consumers can visit Privacy.ca.gov to access helpful and up-to-date information and tips on how to exercise their rights, protect their personal information, and learn about the Delete Request and Opt-out Platform (DROP). In addition, CalPrivacy’s website provides important information about Board Meetings, announcements, and the rulemaking process.