The California Privacy Protection Agency has fined Datamasters $45,000 and banned it from selling the data of California residents after the firm failed to register as a data broker. The agency also penalized S&P Global $62,600 for a similar registration delay, highlighting a crackdown on companies that bypass the mandatory reporting requirements established by the California Delete Act.

The California Privacy Protection Agency recently took enforcement action against Rickenbacher Data LLC, which operates as Datamasters, for selling the personal and health information of millions of consumers without legal registration. Under the California Delete Act, any business that buys and sells consumer data must register as a data broker by January 31st of each year. Datamasters failed to comply with this requirement and initially denied conducting business in the state, only admitting to the activity after being confronted with evidence by regulators.

As a result of these violations, CalPrivacy imposed a $45,000 fine and issued a permanent injunction blocking the Texas-based company from selling personal information belonging to Californians. The agency's investigation revealed that Datamasters traded in highly sensitive information, including lists of millions of individuals with medical conditions such as Alzheimer’s disease, drug addiction, and bladder incontinence. The company also marketed data based on political views, grocery purchases, and demographics, including specifically labeled senior and Hispanic lists.

The scope of the data collection was vast, involving hundreds of millions of records that contained full names, physical addresses, email addresses, and phone numbers. Beyond the financial penalty, the agency ordered Datamasters to delete all previously acquired personal information of California residents by the end of December. Moving forward, the company is required to delete any California resident data it receives within 24 hours and must submit to privacy practice monitoring and reporting for the next five years.

This enforcement push coincides with the upcoming 2026 launch of the Delete Request and Opt-out Platform, also known as DROP. This online tool is designed to allow consumers to submit a single request to all registered data brokers to have their personal information removed. By penalizing unregistered firms like Datamasters, the agency ensures that companies cannot bypass this consumer protection system by staying off the official registry.

In a separate but related action, CalPrivacy also fined S&P Global Inc. $62,600 for failing to register for the 2024 period by the January 31, 2025, deadline. While S&P Global’s failure was attributed to an administrative error rather than intentional resistance, the company remained unregistered for 313 days. The agency emphasized that even in cases where corrective actions are taken quickly, significant fines will be applied to ensure total compliance with state data brokerage laws.

Source: California Bans Data Brokers From Reselling Health Data Of Millions