CalPrivacy Fines Marketing Firm for Selling Custom Audiences Without Data Broker Registration

News:

SACRAMENTO, CA – The California Privacy Protection Agency Board has issued a decision requiring ROR Partners LLC, a Nevada-based marketing firm catering to fitness and wellness brands, to pay $56,600 in fines and past-due fees for failing to register as a data broker in violation of California’s Delete Act. The Enforcement Division brought the case as part of its Data Broker Enforcement Strike Force, announced a few weeks ago.

According to the decision, ROR Partners used “billions of data points” to build detailed consumer profiles and custom audience lists that its clients could use for targeted advertising. Its activities resulted in a “rich repository” of demographic, socioeconomic, and behavioral data about more than 262 million Americans. ROR Partners then used the data to draw inferences about consumers and their expected behaviors. For example, ROR Partners might identify consumers who frequently attend health clubs, place those consumers into a custom audience segment related to fitness, and sell that information to health clubs for targeted advertising. The company engaged in these activities in 2024 without registering in the California Data Broker Registry.

The decision underscores that advertising and marketing firms can operate as data brokers if they collect and sell Californians’ personal information, regardless of whether the firms bundle the personal information into something bigger. “A sale is a sale,” the decision states. “A business cannot bypass the CCPA’s and the Delete Act’s requirements by selling personal information as part of a larger suite of products and services it offers.”

“Businesses need to take seriously the privacy risks of collecting personal information, especially when they use it for targeted advertising,” said Michael Macko, the head of enforcement at CalPrivacy. “We will scrutinize any business that walks and talks like a data broker to make sure it’s registered, and we will continue to examine businesses that create inferences about consumers to profile them. Consumer profiles are protected personal information under the CCPA, and you could be a data broker by trafficking in them.”

The Delete Act requires data brokers to register with CalPrivacy annually in January, and pay a fee that funds the Data Broker Registry and the Delete Request and Opt-Out Platform (DROP). DROP is a first-of-its-kind deletion mechanism that will allow consumers to direct all data brokers to delete their personal information in a single request. DROP will be available to consumers in 2026.

“With next year’s registration deadline approaching, now is the time for businesses to evaluate whether they engaged in data broker activity over the past year. If they did, they must register with us,” said Tom Kemp, CalPrivacy’s Executive Director. “And in less than a month, Californians will be able to request that data brokers delete their personal information by using DROP.”

CalPrivacy’s Recent Enforcement Actions to Protect Californians

CalPrivacy continues to actively enforce California’s cutting-edge privacy laws. Recent actions include:

  • Issuing a decision requiring Tractor Supply Company, the nation’s largest rural lifestyle retailer, to pay a $1.35M fine and change its business practices for CCPA violations.
  • Issuing a decision requiring a nationwide clothing retailer, Todd Snyder, Inc., to change its business practices and pay a $345,178 fine for CCPA violations.
  • Issuing a decision requiring American Honda Motor Co. to change its business practices and pay a $632,500 fine for CCPA violations.
  • Securing a settlement agreement requiring data broker Background Alert — which promoted its ability to dig up “scary” amounts of information about people – to shut down or pay a steep fine.
  • Bringing a half-dozen enforcement actions against additional unregistered data brokers.
  • Launching the bipartisan Consortium of Privacy Regulators to collaborate with states across the country to implement and enforce privacy laws nationwide.
  • Partnering with the data protection authorities in Korea, France, and the United Kingdom to share information and advance privacy protections for Californians.

ABOUT US

The California Privacy Protection Agency (CalPrivacy) is committed to promoting the education and awareness of consumers' privacy rights and businesses' responsibilities under the California Consumer Privacy Act, Delete Act, and Opt-Me Out Act.

Consumers can visit Privacy.ca.gov to access helpful and up-to-date information on how to exercise their rights, protect their personal information, and learn about the Delete Request and Opt-out Platform (DROP). In addition, CalPrivacy's website provides important information about Board Meetings, announcements, and the rulemaking process.