California’s Data Broker Crackdown: $55K Fine Signals Big Changes Ahead for Consumer Privacy
California’s Data Broker Crackdown: $55K Fine Signals Big Changes Ahead for Consumer PrivacyThe California Privacy Protection Agency (“CPPA”) is taking a hard stance on data brokers who fail to comply with the state’s data privacy laws. On January 29, 2025, the CPPA announced a settlement with Key Marketing Advantage, LLC (“KMA”), a Connecticut-based data broker, over violations of the California Delete Act. This marks the fifth settlement of its kind, highlighting the growing importance of compliance for businesses that handle consumer data.
KMA faced allegations of failing to register as a data broker with the CPPA, as required by the Delete Act. As part of the settlement, KMA agreed to pay $55,800, covering both the penalties for non-compliance and the CPPA’s attorney fees. Additionally, KMA is now subject to injunctive terms, which require the company to adhere to new compliance standards moving forward.
This settlement is part of a broader investigation by the CPPA into data broker registration compliance. Under the Delete Act, data brokers must register annually with the CPPA and pay an associated fee. These settlement funds contribute to maintaining the California Data Broker Registry and support the development of the Delete Request and Opt-Out Platform (DROP), a tool that will allow California consumers to request that their data be deleted from data brokers with a single request starting in 2026.
Since taking on responsibility for the Data Broker Registry in 2024, the CPPA has enforced strict registration deadlines. Businesses that were data brokers in 2024 had until January 31, 2025, to register with the agency, or they would risk penalties of $200 per day.
Importantly, new regulations governing data broker registration took effect in December 2024. These updates significantly impact businesses that handle consumer data. One major change is the increase in the annual registration fee, which has risen from $400 to $6,600. Additionally, the revised regulations now clarify the definition of a data broker, including businesses that have direct relationships with consumers but sell personal information they didn’t collect directly from the individual. This broader definition means more businesses could be subject to registration requirements than they might have anticipated.
For businesses in California or those dealing with California residents, it’s crucial to stay up-to-date on these regulations. Failing to comply could lead to significant fines and other penalties. The CPPA is clearly committed to enforcing data privacy laws and will continue to crack down on violations.
Compliance Recommendation.
If your business handles personal data in any capacity, particularly if you sell or trade consumer data, ensure that you’re fully compliant with the California Delete Act. Register with the CPPA before the deadline, pay the updated registration fees, and review your data practices to ensure you’re not inadvertently falling under the data broker definition. It’s also a good idea to review the new data broker regulations and update your internal procedures to stay in line with the latest requirements. Non-compliance not only risks fines but also puts your reputation at risk with both consumers and regulators.
(Image Credit: iStock Photo)
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.