We Don’t Sell Lists of Consumer Information and are not a Data Broker! California Thinks You Might Be – and Enforcement Is Escalating.

January 8, 2026

By: Linda Goodman

Many companies assume “data broker” means someone else — a shadowy list seller or an ad-tech middleman. California regulators disagree. And they are no longer waiting for companies to self-identify correctly.

California has shifted from education to active enforcement, and the consequences for getting this wrong are growing rapidly.

If your business collects, aggregates, analyzes, or monetizes personal data about individuals with whom you do not have a direct consumer relationship, you may already fall squarely within California’s data broker definition — whether you intended to or not.

The Compliance Risk Is No Longer Hypothetical.

The California Consumer Privacy Act (“CCPA”), as expanded by the CPRA and the Delete Act, requires data brokers to register annually with the California Privacy Protection Agency (CPPA). Failure to register is now a clear enforcement trigger.

The California Privacy Protection Agency has publicly stated that it is dedicating resources, staffing, and investigative authority to identifying unregistered data brokers — including companies that never considered themselves part of the data broker industry.

This is no longer about theoretical exposure. It is about regulatory visibility.

Why So Many Companies Are Misclassified.

Most compliance failures we see stem from one core misunderstanding:

“We don’t sell data — therefore, we’re not a data broker.”

Under California law, that assumption is dangerously incomplete.

You may be a data broker if you:

  • Collect personal data from websites, apps, SDKs, pixels, APIs, or third-party sources.
  • Aggregate or enrich data across multiple sources.
  • Use data to build profiles, segments, scores, audiences, or insights.
  • Provide analytics, targeting, attribution, fraud detection, identity resolution, or modeling.
  • Enable third parties to make decisions about individuals they do not directly know.

Monetization does not require a traditional “sale.” Sharing, licensing, enabling downstream use, or deriving independent commercial value can all trigger data broker status.

Registration Is Not Optional — and It’s Not a Safe Harbor.

If you qualify as a data broker, registration is mandatory. But registration alone does not insulate your business from enforcement.

Registration places your company directly on the CPPA’s radar. Regulators can — and do — cross-check registration data against:

  • Privacy policies.
  • Contractual relationships.
  • Data flows.
  • Technical implementations.
  • Consumer complaints.
  • Public representations about products and services.

In other words, registering without understanding your obligations increases risk rather than reducing it.

The Delete Act Raises the Stakes.

The Delete Act fundamentally changes the compliance landscape by:

  • Expanding who qualifies as a data broker
  • Requiring participation in centralized deletion mechanisms
  • Increasing coordination between agencies
  • Elevating penalties for noncompliance

This law was designed to surface hidden data brokers — not just regulate the obvious ones. If your compliance posture has not been revisited since these changes, you are likely operating on outdated assumptions.

What Businesses Should Do — Now.

A prudent, business-friendly approach focuses on clarity, not panic:

  1. Conduct a Data Broker Status Assessment. Map how data enters your systems, how it is used, who benefits, and whether individuals have a direct relationship with you.
  2. Review Product and Revenue Models. Analytics, insights, audience products, and “internal use” claims deserve heightened scrutiny.
  3. Align Registration With Reality. If registration is required, ensure disclosures, contracts, and technical practices are consistent with what regulators will examine.
  4. Prepare for Deletion and Access Obligations. Delete Act compliance is operational, not theoretical. Processes must exist — and work.

The Bottom Line.

California has made one thing clear: If you touch personal data at scale, regulators expect you to understand your role in the ecosystem. Misclassification is no longer an innocent mistake. It is a compliance failure.

Companies that act now — thoughtfully and strategically — can control the narrative, reduce exposure, and demonstrate accountability. Those that wait may find themselves answering questions they were unprepared to face.

If your organization has not formally evaluated whether it qualifies as a data broker under California law, now is the time to do so — before regulators do it for you.

 

© 2026 CLIClaw.com

This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.