CPPA Enforces Fines and Injunctive Orders Against Data Brokers Who Failed to Register!

January 13, 2026

By: Linda Goodman

Last month two cases treat the companies as data brokers because they buy and resell large‑scale consumer data, including Californians’ personal information, for targeted marketing or other downstream use, and they failed to timely register with the CPPA under the Delete Act.

Datamasters (Rickenbacher Data, LLC)

Facts / Why it is a Data Broker:

  • Datamasters buys and resells personal information on millions of people, including detailed lists keyed to health conditions (e.g., Alzheimer’s, drug addiction, bladder incontinence), demographics (age, ethnicity, “Senior List,” “Hispanic Lists”), financial status (high‑interest mortgage lists), and behavioral models (political views, grocery and retail purchase patterns, investment activity).
  • It licenses large national consumer databases (over 114 million households and 231 million individual names and addresses) and offers bulk database purchases and data feeds for telemarketers, call centers, resellers, and bulk email users, including sample files showing more than 200,000 California students.
  • The order finds Datamasters is a for‑profit entity that determines purposes and means of processing and “annually buys, sells, or shares” personal information of 100,000+ consumers/households, and that it conducted business as a data broker in 2024 by knowingly collecting and selling personal information of consumers with whom it had no direct relationship.

CPPA Decision and Violations:

  • The CPPA asserts jurisdiction under Civil Code section 1798.99.82(c) to enforce the Delete Act’s data broker registration requirement and finds Datamasters failed to register by the January 31, 2025 deadline for 2024 data broker activity.
  • The factual findings also emphasize inconsistent statements to the Agency (initially denying California business despite hosted CA‑student records) and imperfect, largely manual efforts to screen out Californians without sufficient written policies or procedures.

Remedies and Final Award:

  • Administrative fine: $45,000 dollars under Civil Code section 1798.99.82(e), payable within 30 days after the Board’s order.
  • Substantive remedies:
    • Cease and desist selling Californians’ personal information starting December 31, 2025, and permanently delete all California personal information previously purchased by that date.
    • Within 30 days, adopt and implement written policies and procedures to prevent collection/sale of Californians’ personal information; if CA data is received as part of larger buys, delete it within 24 hours, instruct senders not to include it, track how many entities sent CA data, and be able to report that number to the Agency on request for five years.
    • Within 30 days, add clear and conspicuous statements on the website and order/consultation forms that Datamasters does not buy or sell Californians’ personal information and clarify “national database” descriptions accordingly.
    • Maintain for five years records of: (a) transactions/communications where customers requested California data, and (b) transactions/communications with suppliers that included California personal information, to be produced to the Agency on request (with limited redaction if CA data was not actually sold).
    • One year after the effective date, submit a written summary of privacy practices, including the written policy and procedure to prevent purchase and sale of Californians’ personal information, and respond to any further Agency inquiries.

Compliance Tips / Implications:

  • High‑risk verticals: Businesses selling health, ethnicity, financial, and behavioral data – even if “compiled” from multiple sources – will be treated as data brokers if they sell at scale, even without direct consumer relationships.
  • “No California” positioning is not sufficient: Simply refusing some California‑specific orders or adding a generic “we don’t sell California data” notice is inadequate if operational controls do not actually exclude Californians from national datasets.
  • Expect structural obligations beyond fines: In addition to a monetary penalty, the CPPA can and will impose ongoing obligations – data deletion, technical and written controls, recordkeeping, and periodic reporting – effectively redesigning the broker’s California‑facing program.
  • Documentation and auditability: Written policies, automated or robust screening mechanisms, supplier instructions, and transaction logs are critical both to maintain a “no California data” posture and to defend it in an investigation.

S&P Global Inc.

Facts / Why it is a Data Broker:

  • S&P Global is described as a publicly traded provider of “data, insights, technology, and innovation” that collects consumers’ personal information for certain products and determines the purposes and means of processing that information.
  • The order finds S&P Global is a for‑profit entity with annual gross revenue exceeding 26.625 million dollars and that it annually buys, sells, or shares personal information for 100,000 or more consumers or households, and “conducts business as a data broker by knowingly collecting and selling to third parties the personal information of consumers with whom the business does not have a direct relationship.”
  • S&P Global conducted business as a data broker during the 2024 calendar year but was not registered by the January 31, 2025 deadline, notwithstanding its intention to register.

CPPA Decision and Violations:

  • The CPPA asserts jurisdiction under Civil Code section 1798.99.82(c) and finds that S&P Global met the statutory definition of a data broker and failed to register for 2024 by the statutory deadline.
  • The order notes S&P Global believed registration had been completed but, after the Agency’s inquiry, discovered the process had not been finished; it promptly registered once it learned of the issue but remained unregistered for 313 days.

Remedies and Final Award:

  • Administrative fine: $62,600 dollars, calculated at 200 dollars per unregistered day for 313 days, payable within 60 days.
  • Prospective obligations:
    • Timely register as a data broker in all future years in which S&P Global operates as a data broker, or notify the Agency in writing before the registration deadline if it ceases data broker operations.
    • Within 90 days, adopt written policies and procedures to ensure timely data broker registration under the Delete Act and review and update its internal audit procedures to identify missing or incomplete registrations.
  • The order expressly states that any business – parent or subsidiary – that independently meets the data broker definition for any period of the prior year must itself register via the Agency’s website.

Compliance Tips / Implications:

  • Registration failures are strict and daily: Even where the company intended to register and promptly corrected the omission after contact, the CPPA applied a full 200‑dollars‑per‑day fine for the unregistered period, emphasizing the statutory per‑day framework and the perceived public harm from operating unregistered.
  • “We thought we registered” is not a defense: The case shows the Agency will penalize incomplete or failed registrations, not just outright refusals, and expects internal controls to prevent admin/operational slip‑ups.
  • Governance and entity scoping: Multinational and multi‑entity groups must track which specific entities independently qualify as data brokers, since each registrable entity must register, regardless of corporate structure.
  • Build registration into compliance cycles: Annual Delete Act registration should be embedded into formal calendars, checklists, and automated monitoring (e.g., confirming payment and status on the CPPA registry), with documented policies that can be shown to regulators.

 

Find out if you are a Data Broker

Lots of companies don't know that they are considered a data broker and are at risk. Find out with this 5 minute quiz!
Take the Data Broker Test
5 MIN TEST

 

Cross‑Case Takeaways for Programs:

  • Both orders reinforce that “data broker” status turns on scale and business model – buying, selling, or sharing large volumes of consumer data, including Californians’, without a direct relationship – not on whether California is explicitly targeted.
  • The CPPA is using stipulated orders to: (a) impose fines keyed to daily non‑registration; and (b) require forward‑looking governance work: written policies, internal audits, recordkeeping, and public‑facing disclosures.
  • For your frameworks, these cases support clear controls around: precise data‑broker scoping, annual registration workflows, technical and contractual measures to exclude or handle California data, and documenting remediation steps and ongoing oversight in anticipation of CPPA review.

 

Explore our comprehensive CLIClaw Data Broker Compliance Library for in-depth resources and insights.

© 2026 CLIClaw.com

(Image Credit: iStock Photo)

This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.

Stay Ahead of What's Coming Next

CLIClaw helps you see regulations early, understand what it means, and act before it becomes a problem. Members get plain-English analysis, practical guidance, and early warnings on privacy and compliance issues that directly impact your business. If you work with consumer data, waiting is the riskiest option.
Become a CLIClaw Member
JOIN TODAY

Are you a Data Broker?

Take the Quiz