California Privacy Agency Fines Data Brokers Selling Health Data in Delete Act Crackdown

Summary

The California Privacy Protection Agency (CPPA) issued two enforcement decisions on January 8, 2026, fining data brokers Datamasters (Rickenbacher Data LLC) and S&P Global a combined $107,600 for failing to register under California's Delete Act. Datamasters was additionally ordered to stop selling all Californians' personal information.

Key Details

The CPPA's Data Broker Enforcement Strike Force, launched in November 2025, brought both cases. Datamasters, a Texas-based company, paid a $45,000 fine for operating as an unregistered data broker while buying and reselling the names, addresses, phone numbers, and email addresses of millions of people with Alzheimer's disease, drug addiction, bladder incontinence, and other health conditions for targeted advertising purposes.

S&P Global paid $62,600 after an administrative error caused the company to miss its data broker registration requirement. The company registered promptly after discovering the oversight and agreed to implement procedures to maintain ongoing compliance.

Related reading: 20 US States Enforce Privacy Laws in 2026 After Indiana, Kentucky, and Rhode Island Go Live explains the next step for teams working on this workflow.

These actions follow the CPPA's December 2025 enforcement advisory highlighting data broker registration obligations and represent the agency's escalating use of the Delete Act, which requires data brokers operating in California to register with the CPPA and will eventually enable consumers to request deletion of their data from all registered brokers through a single mechanism.

The CPPA has now issued penalties in multiple enforcement tracks: the $632,500 Honda settlement in March 2025 for CCPA opt-out violations, and these data broker registration actions. Combined with the California Attorney General's record $1.55 million CCPA settlement in July 2025, California privacy enforcement exceeded $2.2 million in penalties within 12 months.

Why This Matters

The Datamasters case signals that regulators are specifically targeting companies trafficking in sensitive health data. As 20 US states now enforce comprehensive privacy laws and 12 states require recognition of Global Privacy Control signals, companies that collect, process, or share personal information face compliance obligations across multiple jurisdictions simultaneously. The absence of a federal privacy law means each state enforcement action sets its own precedent.

For businesses collecting health-related information through intake forms, consent workflows, or patient registrations, the CPPA's focus on sensitive health data underscores why consent documentation must clearly specify how personal information will be used and shared-and why digital consent workflows need to capture granular, purpose-specific authorization.

Sources

• CPPA - CalPrivacy Brings New Round of Enforcement Actions Against Data Brokers
• Hunton Andrews Kurth - CPPA Enforces against Two Data Brokers
• Crowell & Moring - California Privacy Agency Launches Data Broker Strike Force