CalPrivacy Brings New Round of Enforcement Actions Against Data Brokers

SACRAMENTO, CA — The California Privacy Protection Agency Board has issued two new decisions following settlements reached by the Enforcement Division’s Data Broker Enforcement Strike Force.

The first decision requires Rickenbacher Data LLC, d/b/a Datamasters, a Texas-based reseller of personal information for targeted advertising, to pay a $45,000 fine for failing to register as a data broker in violation of California’s Delete Act. The decision also orders the company to stop selling all Californians’ personal information.

According to the decision, Datamasters bought and resold the names, addresses, phone numbers, and email addresses of millions of people with Alzheimer’s disease, drug addiction, bladder incontinence, and other health conditions for targeted advertising. In addition, Datamasters bought and resold lists of people based on age and perceived race, offering “Senior Lists” and “Hispanic Lists,” as well as lists based on political views, grocery store purchases, banking activity, and health-related purchases. The company engaged in these activities in 2024 without registering with the California Data Broker Registry.

As a result of the Board’s decision, Datamasters will stop selling all forms of personal information about Californians, effectively removing it from the marketplace in California.

“Reselling lists of people battling Alzheimer’s disease is a recipe for trouble,” said Michael Macko, the head of enforcement at CalPrivacy. “In the wrong hands, these lists could be used to target people for more than just advertising. The same risks apply to selling lists of seniors, people who identify as conservative or liberal, or people who purchase sensitive health products. History teaches us that certain types of lists can be dangerous.”

“Californians have a clear way to push back and regain control now that CalPrivacy’s DROP system is live,” said Tom Kemp, the agency’s executive director. “If you are concerned about data brokers selling your personal information, I highly recommend that you sign up for DROP.”

The second decision requires S&P Global, Inc., a New York-based provider of data and technology, to pay a $62,600 fine for failing to register as a data broker due to an administrative error. In addition to the fine, the decision requires S&P Global to adopt procedures for registration and compliance auditing to prevent similar errors in the future.

The Delete Act requires data brokers to register with CalPrivacy annually in January and pay a fee that funds the Data Broker Registry and the Delete Request and Opt-out Platform (DROP). DROP is a first-of-its-kind deletion mechanism that allows consumers to direct all data brokers to delete their personal information in a single request.

CalPrivacy’s Recent Enforcement Actions to Protect Californians

CalPrivacy is actively enforcing California's cutting-edge privacy laws. Recent actions include:

• Issuing a decision requiring Tractor Supply Company, the nation’s largest rural lifestyle retailer, to pay a $1.35 million fine and change its business practices for CCPA violations.
• Issuing a decision requiring a nationwide clothing retailer, Todd Snyder, Inc., to change its business practices and pay a $345,178 fine for CCPA violations.
• Issuing a decision requiring American Honda Motor Co. to change its business practices and pay a $632,500 fine for CCPA violations.
• Securing a settlement agreement requiring data broker Background Alert — which promoted its ability to dig up “scary” amounts of information about people — to shut down or pay a steep fine.
• Bringing more than ten enforcement actions against additional unregistered data brokers.
• Launching the bipartisan Consortium of Privacy Regulators to collaborate with states across the country to implement and enforce privacy laws nationwide.
• Partnering with the data protection authorities in Korea, France, and the United Kingdom to share information and advance privacy protections for Californians.

ABOUT US

The California Privacy Protection Agency (CalPrivacy) is committed to promoting the education and awareness of consumers' privacy rights and businesses' responsibilities under the California Consumer Privacy Act, Delete Act, and Opt Me Out Act.

Consumers can visit Privacy.ca.gov to access helpful and up-to-date information and tips on how to exercise their rights, protect their personal information, and learn about the Delete Request and Opt-out Platform (DROP). In addition, CalPrivacy's website provides important information about Board Meetings, announcements, and the rulemaking process.