The California Privacy Protection Agency has issued two new enforcement decisions that underscore its expanding focus on data broker accountability under the Delete Act. In actions announced on January 8, 2026, CalPrivacy imposed a $45,000 fine on Rickenbacher Data LLC, doing business as Datamasters, and a $62,600 fine on S&P Global, Inc., both for failing to register as data brokers by the January 31, 2025 deadline. These cases offer distinct cautionary tales: one involving a small marketing firm selling lists of individuals based on sensitive characteristics, and the other a global data and technology giant whose registration appears to have slipped through the cracks due to an administrative oversight.
Taken together, the actions provide companies with pointed lessons about what CalPrivacy expects and how quickly enforcement can escalate—timely reminders as the next data broker registration deadline on January 31, 2026 approaches..
The Datamasters Case
Datamasters, a Texas-based company, purchased and resold personal information to facilitate targeted advertising. The stipulated order shows the company bought and resold lists of millions of individuals grouped by sensitive health conditions (e.g., Alzheimer’s disease, drug addiction), perceived ethnicity (including “Hispanic Lists”), age, political affiliation, and even grocery and banking activity.
CalPrivacy opened its investigation after Datamasters failed to register as a data broker by the statutory deadline. Initially, the company claimed it did not do business in California or sell data products for California consumers. The agency pressed further, noting inconsistencies between those claims and the company’s public-facing website, which at one point included an Excel spreadsheet describing personal information of more than 200,000 California students. Ultimately, the company admitted it had fulfilled nationwide orders without screening out California residents, even though it periodically refused to fulfill California-specific orders. Not surprisingly, the order notes that Datamasters’ attempts to comply with California’s privacy laws were “imperfect,” and that the company lacked written policies and procedures.
The remedies imposed by the order go well beyond a simple fine. In addition to the $45,000 penalty, the order requires Datamasters to:
- permanently delete all Californians’ personal information and stop selling California residents’ data;
- adopt written policies to ensure it does not collect or sell Californians’ data;
- implement a rapid deletion protocol for California data inadvertently received by the company, and maintain records of non-compliant transmissions; and
- post a statement on its website that it does not buy or sell the personal information of California residents and submit a written summary of its privacy practices to the agency one year after the order becomes effective.
These requirements effectively remove Datamasters from California’s data marketplace.
The S&P Global Case
The second enforcement action illustrates the strict liability nature of the Delete Act’s registration requirement. According to the stipulated order in that action, S&P Global “intended to register” for its 2024 data broker activities in January 2025, and “believed” the registration had been completed. But it was not—the company was unregistered for 313 days before CalPrivacy contacted it.
The order emphasizes that S&P Global acted quickly once it learned of the lapse, promptly registering and taking corrective action. Nevertheless, CalPrivacy imposed a $62,600 fine ($200 per day the company went unregistered) for what amounted to an administrative oversight. Beyond the monetary penalty, S&P Global must adopt written policies and procedures to ensure timely registration, review and update its auditing procedures to identify missing or incomplete registrations, and notify its officers, directors, employees, agents, and contractors of their responsibilities under the order.
Practical Takeaways for Companies
1. Know Whether You’re a Data Broker—and Register Accordingly
With the January 31, 2026 registration deadline less than two weeks away, the most immediate lesson is that companies must carefully evaluate whether they meet the statutory definition of a data broker. A business qualifies if it knowingly collects and sells to third parties the personal information of consumers with whom the business does not have a direct relationship. This definition can sweep in a broad range of companies, including those that purchase and resell data from third-party suppliers, aggregate consumer information for sale to advertisers, or license data feeds to clients.
The S&P Global case demonstrates that basic compliance tasks can slip through the cracks even in sophisticated global corporations without sufficient internal controls. Companies that believe they may be data brokers should err on the side of registering. Failure to do so triggers the $200 per day statutory fine, calculated from February 1 through the date of eventual registration, and good faith is not a defense.
2. National Data Sales Can Still Trigger California Obligations
The Datamasters case underscores that California’s data broker laws apply to the personal information of California residents even when that information is part of a larger national dataset. Companies that sell those datasets but seek to avoid the state’s data broker requirements by screening out California personal information must implement appropriate protocols and written policies, or risk enforcement. CalPrivacy’s action against Datamasters shows that the agency will closely scrutinize claims that a company does not sell California data, particularly where a company’s website, product offerings, or supplier relationships tend to suggest otherwise.
3. Implement and Document Compliance Policies and Auditing Procedures
Both enforcement actions highlight the importance of having written policies and procedures to support compliance—and of regularly auditing those procedures. Companies should treat these enforcement actions as a reminder that good intentions and informal processes are not substitutes for documented compliance programs. Privacy and compliance teams should maintain written procedures that clearly assign responsibility for data broker registration, establish verification steps to confirm registrations are completed, and set calendar reminders for recurring obligations. Internal auditing functions should also periodically review compliance status with statutory registration requirements.
* * * *
The Datamasters and S&P Global enforcement actions confirm that CalPrivacy is actively policing the data broker ecosystem and is prepared to impose significant penalties on companies that fail to meet their registration obligations.
