California has issued penalties against two companies for violations of the state’s Delete Act, including a ban on the sale of Californians’ highly sensitive data.
The California Privacy Protection Agency (CPPA) announced that it finalized enforcement actions against Rickenbacher Data LLC (doing business as Datamasters) and S&P Global Inc. for failing to comply with the state’s data broker registration requirements.
These enforcement actions are part of California’s ramp-up under the Delete Act, which requires all data brokers operating in the state to register annually and provide consumers a way to opt out through a centralized system. That system, known as DROP (Delete Request and Opt-Out Platform), allows Californians to send one unified request to delete their personal data from all registered brokers.
Datamasters
The most serious enforcement action targets Datamasters, a Texas-based data broker that sold lists of individuals suffering from medical conditions such as Alzheimer’s disease, drug addiction, bladder incontinence, and other ailments. According to the CPPA, the firm offered access to millions of records containing names, home addresses, phone numbers, and email addresses of individuals categorized by health status, race, age, political affiliation, and even grocery and financial behaviors.
Sample records listed in the enforcement order show:
- 435,245 individuals labeled as having Alzheimer’s
- 2.4 million entries under arthritis
- Over 850,000 records for bladder control issues
- Extensive “Hispanic Lists” and “Senior Lists” targeting individuals based on ethnic surnames and age brackets
Despite operating at this scale, Datamasters failed to register as a data broker with the state by the 2025 deadline and only did so after being contacted by regulators. Initially, the company denied selling or processing data linked to Californians. However, the CPPA uncovered a spreadsheet on its website listing over 200,000 students from California, undermining its claim.
While Datamasters claimed it manually screened out California residents, the investigation revealed that it sold “nationwide” lists without removing California data, violating both the spirit and letter of the Delete Act.
As a result, the CPPA ordered Datamasters to pay a $45,000 administrative fine and cease all sales of Californians’ personal data by December 31, 2025. The company is also ordered to permanently delete all previously obtained data linked to Californians and implement strict internal policies to prevent future violations.
S&P Global
S&P Global Inc., a New York-based data and analytics giant, was also cited for failing to register as a data broker in 2025. The firm reportedly intended to register but failed to complete the process due to an internal administrative error. The CPPA’s enforcement action emphasized that this lapse persisted for 313 days, during which time S&P continued to operate as a data broker.
Despite taking corrective action promptly once contacted, S&P was fined $62,600, calculated based on a fixed penalty of $200 per day of noncompliance. The company has since registered and agreed to implement audit procedures and written compliance protocols to avoid future oversights.
S&P Global, a major player in the global financial and data intelligence market, reported annual revenues exceeding $26 billion, and processes data for hundreds of thousands of individuals. While the violation was procedural, the CPPA emphasized that registration is a foundational obligation for transparency and consumer protection under the Delete Act.
Leave a Reply