California Data Broker Settlement Highlights Risks for Non-Compliance with the Delete Act
California Data Broker Settlement Highlights Risks for Non-Compliance with the Delete ActIn a recent move that continues California’s crackdown on data brokers, the California Privacy Protection Agency (“CPPA”) reached a settlement with Background Alert, Inc., a California-based data broker, for failing to register as required under the state’s Delete Act. The settlement, finalized on February 27, 2025, mandates that Background Alert cease its operations for the next three years, until 2028, or face a substantial fine of $50,000. This case is part of the CPPA’s ongoing investigation into data broker registration compliance, which began in October 2024.
Background Alert is accused of collecting billions of public records, using those records to make inferences about individuals, and creating profiles about consumers that were then sold through its website. The company promoted its business by advertising the ability to uncover “scary” amounts of information on individuals, showcasing the scale and nature of the data it was processing. However, it failed to meet the registration deadline under the Delete Act, which mandates data brokers to register with the CPPA by January 31 each year and pay an annual fee to fund the California Data Broker Registry.
For companies that deal with consumer data in this way, the implications of this case are clear: data brokers are under increasing scrutiny by the CPPA and failing to comply with the Delete Act could result in serious penalties, including hefty fines and even business shutdowns. According to the CPPA, Background Alert failed to register between February 1 and October 8, 2024, and only acted to register after being contacted by the CPPA. Now, Background Alert is required to shutter its operations for three years unless it complies with the stipulations of the settlement.
California’s Delete Act requires businesses that fit the definition of a “data broker,” those that collect and sell personal information about consumers with whom they have no direct relationship, to register with the CPPA. These businesses must also provide detailed disclosures about their data collection practices and allow consumers to request the deletion of their personal information. The CPPA has made it clear that businesses that fail to meet these obligations will face enforcement actions, as seen in this latest case.
The Delete Act also plays a significant role in funding consumer privacy protections through the creation of the Delete Request and Opt-Out Platform (“DROP”), which will be available to consumers in 2026. This platform will allow individuals to submit a single request for data brokers to delete their personal information, adding another layer of responsibility for businesses to manage.
Compliance Recommendation.
If your business deals with personal data and could be classified as a data broker under California’s CCPA or Delete Act, now is the time to ensure full compliance. Review your data practices, confirm whether your company needs to register with the CPPA, and make sure you meet all the registration requirements. Failing to comply could result in penalties, shutdowns, or legal action, as we’re seeing in the Background Alert case. Make sure your business is not caught off guard by California’s growing data privacy enforcement.
(Image Credit: iStock Photo)
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.