CalPrivacy's Data Broker Enforcement Surge: Eight Fines and Counting

The California Privacy Protection Agency (CalPrivacy) is dramatically escalating enforcement against unregistered data brokers, with eight fines issued since 2024 and a new Strike Force signaling even more aggressive action ahead.

Executive Summary

CalPrivacy's formation of a specialized Data Broker Enforcement Strike Force in November 2025, combined with expanding regulatory definitions and significantly higher penalties coming in 2026, represents a fundamental shift in how California regulates the data broker industry. The agency has now fined eight entities for failing to register as data brokers, with penalties ranging from $34,400 to $56,600—but these amounts pale in comparison to what's coming once the Delete Request and Opt-out Platform (DROP) becomes operational in August 2026.

The Latest Action: ROR Partners

On December 3, 2025, CalPrivacy announced its eighth fine against an entity failing to register as a data broker—a $56,600 penalty against Nevada-based marketing firm ROR Partners LLC. The decision comes just days after the agency announced its Data Broker Enforcement Strike Force and provides crucial insight into how CalPrivacy interprets what constitutes a data broker.

According to the Stipulated Final Order, ROR Partners operates in the fitness and wellness marketing space, collecting personal information from various sources including clients and third-party health and fitness companies. The firm uses what it describes as "billions of data points" to build detailed consumer profiles across more than 262 million Americans, creating what CalPrivacy called a "rich repository" of demographic, socioeconomic, and behavioral data.

The marketing agency advertises its use of "first-party data and third-party data, AI driven audience modeling, and predictive analytics to reach the right people – at the right time." As part of its services, it discloses inferences about consumers, such as whether they're likely to be interested in fitness activities based on their health club attendance patterns.

The $56,600 fine comprises a $50,000 penalty (calculated at $200 per day for 250 days of non-compliance from February 1 to October 8, 2025) plus the $6,600 data broker registration fee for 2025.

Critical Takeaway: "A Sale is a Sale"

Perhaps most significantly, the CalPrivacy decision states: "A business cannot bypass the CCPA's and the Delete Act's requirements by selling personal information as part of a larger suite of products and services it offers."

This language should alarm many companies in the advertising technology, marketing analytics, and audience targeting sectors that may have believed bundling data sales into broader service offerings protected them from data broker classification.

The Full Enforcement Record: Eight Actions Since 2024

CalPrivacy has systematically pursued unregistered data brokers since launching its investigative sweep in October 2024. Here's the complete record:

2024 Actions

  1. Growbots, Inc. - $35,400 fine for failing to register between February 1 and July 26, 2024 (177 days of non-compliance)
  2. UpLead LLC - $34,400 fine for failing to register between February 1 and July 21, 2024 (172 days of non-compliance)
  3. PayDae, Inc. (d/b/a Infillion) - $54,200 fine for failing to register between February 1 and November 4, 2024
  4. The Data Group, LLC - Settlement terms not publicly disclosed

2025 Actions

  1. Jerico Pictures, Inc. (d/b/a National Public Data) - $46,000 fine (the maximum penalty available) for registering 230 days late, only after enforcement contact. This Florida-based data broker suffered a massive breach in 2024 that exposed 2.9 billion records including Social Security numbers.
  2. Background Alert, Inc. - Rather than a monetary fine, CalPrivacy reached a unique settlement requiring this California-based data broker to shut down operations through 2028 or face a $50,000 fine. Background Alert had promoted its ability to dig up "scary" amounts of information about people by searching billions of public records and drawing inferences to create consumer profiles.
  3. Accurate Append, Inc. - $55,400 fine for the Washington-based data broker's failure to register by the January 31, 2024 deadline, registering only after enforcement contact on November 4, 2024
  4. ROR Partners LLC - $56,600 fine as detailed above

Total Financial Impact

These eight actions have generated approximately $331,600 in fines and registration fees—money that directly funds the California Data Broker Registry and the development of DROP.

The Data Broker Enforcement Strike Force

Announced on November 19, 2025, the Data Broker Enforcement Strike Force represents a major escalation in CalPrivacy's enforcement capabilities. Unlike the initial investigative sweep that focused primarily on registration compliance, the Strike Force has a dual mandate:

  1. Investigating data broker registration requirements under the Delete Act
  2. Investigating broader CCPA compliance by data brokers

Michael Macko, CalPrivacy's head of enforcement, made this clear: "For decades, strike forces have been a mainstay at U.S. Attorney offices and state Attorney General offices across the United States. We intend to bring the same level of intensity to our investigations into the data broker industry."

Executive Director Tom Kemp emphasized the rationale: "Data brokers pose unique risks to Californians through the industrial-scale collection and sale of our personal information. The widespread availability of digital dossiers makes it easier for our personal information to be weaponized against us, and even well-meaning data brokers can be victims of data breaches that leave all of us vulnerable."

What Constitutes a Data Broker? The Definition Is Broader Than You Think

The California Delete Act defines "data broker" as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship."

However, CalPrivacy's implementing regulations (recently amended) define "direct relationship" in ways that can capture many entities that don't consider themselves data brokers:

"A consumer does not have a 'direct relationship' with a business if the purpose of their engagement is only to exercise any rights described under Civil Code section 1798, or for the business to verify the consumer's identity. A business does not have a 'direct relationship' with a consumer simply because it collects personal information directly from the consumer; the consumer must intend to interact with the business. A business is still a data broker and does not have a relationship with a consumer as to personal information it sells about the consumer it collected outside of a 'first party' interaction with the consumer."

The final sentences of this definition could ensnare:

  • Marketing agencies that collect first-party data from one client but use it to target audiences for other clients
  • AdTech companies that collect data through one publisher but use it across multiple advertisers
  • Analytics firms that aggregate customer data from multiple sources
  • Audience segmentation platforms that create custom audiences across client bases

The Dramatic Increase in Risk Starting August 2026

While current fines of $200 per day for failing to register may seem manageable, the risk profile changes dramatically once DROP goes live on August 1, 2026.

The DROP Requirements

Data brokers must:

  • Access the DROP platform at least once every 45 days
  • Process all deletion requests from California residents who have registered with the system
  • Comply within the timeframes specified

The Penalty Structure

Failure to comply is subject to a $200 fine "for each deletion request for each day the data broker fails to delete information."

Let's do the math on what this means:

  • If DROP receives 10,000 deletion requests in its first year (a conservative estimate given California has 39 million residents)
  • And a data broker fails to process these requests for just 30 days
  • That's 10,000 requests × 30 days × $200 = $60,000,000 in potential fines

Even a small-scale data broker that receives just 100 deletion requests and is 30 days late faces $600,000 in fines.

This penalty structure dwarfs the current registration fines and creates existential risk for data brokers who fail to build robust compliance systems.

Enhanced Registration Requirements for 2025 and Beyond

California has repeatedly amended its data broker law to require increasingly detailed disclosures. For 2025 registration (due by January 31, 2025), data brokers must disclose:

  1. Standard information requirements:
    • What personal information they collect
    • Categories of sources
    • Purposes for collection and sale
    • Consumer privacy rights request metrics from the previous year
  2. Enhanced disclosure requirements about whether, in the past year, the data broker shared or sold consumer data to:
    • A foreign actor
    • The federal government
    • Other state governments
    • Law enforcement (unless pursuant to subpoena or court order)
    • A developer of a GenAI system or model
  3. Website privacy policy requirements (by July 1, 2025):
    • Summary of the number and outcomes of key consumer privacy requests
    • Average and median response times
  4. Third-party audit requirement (by January 1, 2028):
    • Independent verification of compliance

The Broader CCPA Enforcement Context

CalPrivacy isn't just targeting unregistered data brokers—the agency has also issued massive fines for CCPA violations by well-known companies:

Record-Breaking CCPA Penalties

  • Tractor Supply Company - $1.35 million (September 2025) - CalPrivacy's largest fine to date for failing to provide effective opt-out mechanisms, inadequate privacy notices to job applicants, and insufficient service provider contracts
  • American Honda Motor Co. - $632,500 (March 2025) for requiring consumers to verify their identity to opt out of data sales/sharing (verification should only be required for access, deletion, and correction requests)
  • Todd Snyder, Inc. - $345,178 (May 2025) for failing to oversee its third-party consumer request portal and requiring excessive information for privacy requests

These cases demonstrate that CalPrivacy will scrutinize:

  • How businesses facilitate consumer rights requests
  • Privacy notices provided to job applicants (not just customers)
  • Third-party vendor management and contract compliance
  • Opt-out preference signal implementation (like Global Privacy Control)
  • Annual privacy policy updates

Key Insight: The Strike Force Will Pursue Both Issues

When announcing the Data Broker Enforcement Strike Force, CalPrivacy explicitly stated it will investigate both Delete Act compliance and CCPA violations. Given that CCPA violations carry penalties of $2,663 per violation ($7,988 per intentional violation), data brokers could face combined penalties reaching millions of dollars.

Who Should Be Worried?

Based on CalPrivacy's enforcement pattern, the following business types should urgently assess whether they qualify as data brokers:

High Risk Categories

  1. Marketing and advertising agencies that:
    • Create custom audience segments from aggregated data
    • Use client data to target campaigns for other clients
    • Build lookalike audiences across multiple customer bases
    • Provide "data enrichment" services
  2. AdTech platforms that:
    • Collect data through publisher integrations
    • Sell audience targeting across multiple advertisers
    • Provide programmatic advertising with customer data matching
    • Create and license audience segments
  3. Analytics and measurement companies that:
    • Aggregate data across multiple clients
    • Provide competitive intelligence services
    • Sell access to benchmarking data
    • License aggregated consumer insights
  4. Lead generation businesses that:
    • Collect consumer information through various sources
    • Sell leads to third parties
    • Provide list rental or licensing services
    • Aggregate and enrich consumer profiles
  5. Data enrichment services that:
    • Append third-party data to client records
    • Provide identity resolution services
    • Link online and offline identities
    • Offer consumer scoring or profiling

Medium Risk Categories

  1. SaaS platforms that:
    • Allow customers to share data with other users
    • Provide marketplace features for data exchange
    • Offer analytics across customer bases
    • Enable benchmarking using aggregated customer data
  2. Healthcare and wellness companies that:
    • Aggregate patient or member data
    • Provide population health analytics
    • License de-identified datasets
    • Offer pharmaceutical market research

Practical Steps for Compliance

Immediate Actions (Before January 31, 2025)

  1. Conduct a data broker assessment
    • Map all sources of personal information collection
    • Identify where you sell/share personal information to third parties
    • Determine whether you have "direct relationships" with those consumers
    • Document your analysis with legal counsel
  2. If you qualify as a data broker, register immediately
    • Complete registration at CalPrivacy's website
    • Pay the $6,600 annual fee
    • Submit all required disclosures
    • Don't wait—each day of delay costs $200
  3. Review and update contracts
    • Ensure service provider and third-party contracts include CCPA-required provisions
    • Pay special attention to advertising technology agreements
    • Document your contract review process
  4. Assess opt-out mechanisms
    • Verify that opt-out links are functional
    • Implement Global Privacy Control and other opt-out preference signals
    • Ensure opt-outs apply to both CRM data and tracking technologies
    • Test the entire opt-out process regularly

Preparing for August 2026 DROP Launch

  1. Develop DROP integration plan
    • Assign technical resources now
    • Plan for 45-day access cadence
    • Build systems to process deletion requests at scale
    • Establish processes to verify deletions across all systems
  2. Audit data inventory and deletion capabilities
    • Document all systems containing California resident data
    • Identify technical barriers to deletion
    • Address legacy systems that can't support automated deletion
    • Test deletion processes end-to-end
  3. Create deletion request workflows
    • Define roles and responsibilities
    • Establish SLAs for processing requests
    • Build monitoring and alerting systems
    • Prepare escalation procedures

Ongoing Compliance

  1. Update privacy policies
    • Annual review minimum (CalPrivacy is watching this)
    • Include all required CCPA disclosures
    • Add privacy request metrics by July 1, 2025
    • Ensure job applicant notices are compliant
  2. Train staff and monitor changes
    • Ensure marketing, sales, and product teams understand data broker rules
    • Monitor business model changes that could trigger data broker status
    • Stay informed about regulatory updates
    • Document compliance efforts
  3. Consider independent audit preparation
    • The 2028 audit requirement is coming
    • Start building documentation now
    • Conduct internal compliance assessments
    • Address gaps systematically

The Bigger Picture: Multi-State Enforcement

California isn't alone in pursuing data brokers:

  • Texas notified over 100 businesses in 2024 about potential violations of the Texas Data Broker Law
  • Oregon has ramped up scrutiny of data broker compliance
  • Vermont maintains an active data broker registry with enforcement
  • Federal legislation (Protecting Americans' Data From Foreign Adversaries Act of 2024) prohibits data brokers from licensing "personally identifiable sensitive data" to foreign adversaries

CalPrivacy is also building enforcement networks:

  • Launched the bipartisan Consortium of Privacy Regulators to collaborate with other states
  • Partnered with data protection authorities in Korea, France, and the United Kingdom
  • Sharing information and enforcement strategies across jurisdictions

Companies that qualify as data brokers may face compliance obligations in multiple states, each with different requirements and deadlines.

Looking Ahead: What to Expect in 2026

Based on CalPrivacy's statements and actions, expect:

  1. Significantly more enforcement actions - The Strike Force has additional resources and explicit focus on the data broker industry
  2. Higher fines - Once DROP launches, penalties will increase exponentially for non-compliance
  3. Broader interpretations - CalPrivacy is willing to challenge companies that "walk and talk like a data broker" even if they don't consider themselves one
  4. Focus on inferences and profiling - The Background Alert case established that inferences based on public records constitute personal information under CCPA
  5. Joint investigations - Expect coordination between CalPrivacy, other state regulators, and potentially federal agencies
  6. Industry-specific sweeps - The marketing agency focus suggests CalPrivacy may target specific sectors

The Bottom Line

CalPrivacy's eight enforcement actions against unregistered data brokers, combined with the formation of the Data Broker Enforcement Strike Force and the pending launch of DROP, represent a watershed moment for data privacy regulation in the United States.

The message is clear: CalPrivacy is serious about bringing transparency to the data broker industry, and it has the tools, resources, and political will to pursue aggressive enforcement. Companies that collect and sell personal information must urgently assess whether they qualify as data brokers and take immediate steps to comply.

The relatively modest fines of $34,400 to $56,600 for registration failures are just the beginning. Once DROP goes live in August 2026, the penalty structure becomes severe enough to threaten the viability of non-compliant businesses. A single month of failing to process deletion requests could generate fines exceeding the annual revenue of smaller data brokers.

Michael Macko's statement bears repeating: "We will scrutinize any business that walks and talks like a data broker to make sure it's registered, and we will continue to examine businesses that create inferences about consumers to profile them."

Don't wait to be contacted by the Enforcement Division. By then, the fines are already accruing at $200 per day—and you'll have much bigger problems when DROP launches.


Registration Information

2025 Data Broker Registration Deadline: January 31, 2025

  • Registration window: January 1-31, 2025
  • Annual fee: $6,600
  • Required for any business that operated as a data broker in 2024
  • Registration at: CalPrivacy Data Broker Registry

Questions about whether your business qualifies as a data broker?

Contact qualified privacy counsel immediately. The cost of an assessment is trivial compared to the penalties for non-compliance—and the January 31 deadline is firm.
