CPPA Enforcement Actions and Fines are Here!

January 9, 2026

By: Linda Goodman

The California Privacy Protection Agency (“Agency/CPPA”) has used 2024–2025 to build an aggressive, registration‑focused enforcement program against data brokers under the Delete Act, with a growing set of monetary penalties and, in some cases, orders limiting or shutting down operations.

Enforcement Focus and Tools.

  • The Delete Act (SB 362) shifted the data broker registry from the AG to the CPPA and empowered the Agency to impose per‑day fines, seek injunctive relief, and recover its enforcement costs.
  • Data brokers that fail to register face administrative fines of up to 200 dollars per day, plus back registration fees and the CPPA’s investigative/enforcement expenses.
  • Registration (and fee payment) is annual and tied to business conducted in the prior year; late registration after Agency contact is treated as an aggravating factor in enforcement resolutions.

2024 Investigative Sweep and Early Cases.

  • In October 2024, CalPrivacy launched an investigative sweep of data broker compliance with the Delete Act’s registration requirement, which has produced a “record‑setting number” of enforcement actions that remained ongoing into 2025.
  • 2024 settlements included data brokers such as Growbots, Inc. and UpLead LLC, each paying roughly 35,000 dollars for failing to register by the 2024 deadline.
  • One Florida‑based data broker that registered 230 days late was assessed a proposed 46,000‑dollar fine based on the 200‑dollars‑per‑day formula, illustrating how quickly exposure escalates.

2025 Enforcement Actions and Penalties – Go After Hybrid Businesses.

  • On July 29, 2025, the CPPA announced a stipulated order against Accurate Append, Inc. (Washington‑based data broker) for failure to register and pay the annual fee, requiring payment of a 55,400‑dollar fine plus the Agency’s fees and injunctive relief to comply with all Delete Act obligations.
  • The Accurate Append action is described as part of the same data broker “investigative sweep” begun in October 2024 and is cited by practitioners as signaling a “new era” of data broker‑specific enforcement.
  • By late 2025, CalPrivacy reported “a half‑dozen” additional enforcement actions against unregistered data brokers, beyond the named companies, emphasizing that the sweep is generating multiple parallel cases.

 

Structural initiatives: Strike Force and Advisory.

  • On November 18, 2025, CalPrivacy announced creation of a dedicated Data Broker Enforcement Strike Force within its Enforcement Division to investigate alleged CCPA/Delete Act violations, expand review of the data broker industry, and support rollout of the Delete Request and Opt‑Out Platform (“DROP”).
  • The Strike Force explicitly builds on the 2024 sweep, with the Agency highlighting prior actions such as Accurate Append and “nearly a half‑dozen” additional unregistered data broker cases as its foundation.
  • On December 17, 2025, the Agency issued Enforcement Advisory No. 2025‑01, reiterating registration obligations (including trade names and websites) and warning that unregistered data brokers are subject to 200‑dollars‑per‑day fines plus costs.

Practical Compliance Implications for 2024–2025.

  • The pattern of cases shows that the CPPA is primarily targeting: (1) failure to register or late registration; and (2) associated failures to pay fees and provide required disclosures, with remedies including fines, forward‑looking compliance obligations, and in some instances orders limiting or suspending California‑facing operations.
  • Enforcement materials emphasize the need for brokers to: (a) determine whether their activities qualify them as a “data broker” under California law; (b) register by January 31 for the prior year’s broker activities; (c) pay all required fees; and (d) prepare for DROP‑enabled deletion requests starting in 2026.
  • Please remember that even out‑of‑state entities (e.g., Washington‑ and Florida‑based brokers) are being targeted when they sell Californians’ personal information without timely registration, underscoring the extraterritorial reach of these enforcement actions.

Entities doing business in California should immediately assess whether their data practices trigger obligations under the data broker registration laws. Failure to do so can and will result in significant consequences. Penalties for failure to register can quickly escalate, and CalPrivacy has demonstrated an increasing willingness to use its enforcement authority to impose injunctive‑type orders on top of the fines. The Agency itself has repeatedly made clear that compliance is not merely a technical matter, but a priority enforcement area with material business risks.

 


This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.