Enforcement of California’s Delete Act is accelerating. The California Privacy Protection Agency (CPPA) recently sent a clear message to data brokers: register, pay the required fee, and be prepared to defend your data practices, especially when they involve sensitive populations.
CPPA announced recent settlements with two data brokers totaling more than $100,000 for failing to register as required under the Delete Act:
- Datamasters (Texas-based reseller): $45,000 settlement; and
- S&P Global (New York-based market intelligence company): $62,600 settlement.
Datamasters was also ordered to stop selling all personal information about Californians, effectively preventing it from operating as a data broker in the state.
The Datamasters case was not only about a registration failure, but also about the nature of the data involved. According to the decision, in 2024, Datamasters:
- Bought and resold names, addresses, phone numbers, and email addresses of millions of people with certain health conditions, including Alzheimer’s disease, drug addiction, and bladder incontinence;
- Marketed audience segments for targeted advertising based on sensitive or potentially discriminatory categorizations, including “Senior Lists” and “Hispanic Lists”; and
- Maintained additional lists based on political views, banking activity, and grocery- and health-related purchases.
Enforcement head Michael Macko framed the risk in terms of downstream misuse, not just advertising compliance: “Reselling lists of people battling Alzheimer’s disease is a recipe for trouble… History teaches us that certain types of lists can be dangerous.” The takeaway is that regulators are treating sensitive list-based targeting as high-risk because it can enable profiling, discrimination, manipulation, or the targeting of vulnerable individuals.
Similarly, S&P Global also failed to register and lacked certain controls. As a result, S&P Global must adopt registration and compliance auditing procedures.
The Delete Act’s core requirement is straightforward: it requires companies to register annually and pay a fee if they were data brokers in the previous year. These enforcement actions show that a failure to register can escalate quickly, particularly where the business model involves sensitive personal data or audience lists tied to health, demographics, or beliefs.
Data brokers should take note that:
- Registration is not optional. Unintentional failures can still trigger penalties and mandated process changes;
- Sensitive-data monetization invites scrutiny. Health, age, perceived race, and political views are treated as inherently higher risk;
- Controls matter. Expect pressure for durable compliance systems such as internal audits and documented procedures; and
- Enforcement can restrict operations. Consequences can extend beyond fines (like what happened to Datamasters).