In a stark reminder of California’s aggressive stance on data privacy, the California Privacy Protection Agency (CPPA) has levied a $56,600 penalty against ROR Partners LLC, a Nevada-based marketing outfit specializing in fitness and wellness campaigns, for operating as an unregistered data broker.
The enforcement action, detailed in a board decision released today, stems from violations of the state’s Delete Act, which mandates that entities collecting and monetizing personal data must register annually with the CPPA. ROR Partners, which leverages vast troves of consumer insights to craft tailored ad audiences, was found to have sidestepped this requirement throughout 2024, despite handling “billions of data points” to construct in-depth profiles on over 262 million U.S. residents.
These profiles, enriched with demographic, economic, and behavioral details, enabled the firm to infer user tendencies—such as gym-goers’ likelihood to engage with wellness promotions—and package them for sale to clients. The CPPA’s ruling cuts through any ambiguity: even when bundled into broader marketing services, such data transactions qualify as brokerage under the California Consumer Privacy Act (CCPA) and its Delete Act extension.
“The essence of a transaction doesn’t change just because it’s wrapped in a bigger package,” the decision asserts, rejecting attempts to evade oversight through creative structuring. This case marks a key escalation in the CPPA’s Data Broker Enforcement Strike Force, launched recently to root out non-compliant players in the shadowy data trade.
Michael Macko, the agency’s enforcement chief, emphasized the broader stakes: “Companies must confront the privacy pitfalls of hoarding personal details, particularly for ad targeting. We’ll zero in on any outfit that quacks like a data broker—ensuring registration—and keep probing those peddling consumer inferences. Under the CCPA, those profiles are safeguarded info, and dealing in them could land you in broker territory.”
The fine encompasses back fees and penalties, underscoring the Delete Act’s mechanics: brokers register each January, contributing to a fee pool that sustains the Data Broker Registry and the forthcoming Delete Request and Opt-Out Platform (DROP). Set to debut in 2026, DROP empowers Californians to issue a single command wiping their data from all listed brokers, a groundbreaking tool in the fight for digital autonomy.
Tom Kemp, CPPA Executive Director, urged vigilance as the next deadline looms: “With 2026 registration around the corner, firms should audit last year’s dealings. If data brokerage was in play, sign up now. And soon, residents can hit ‘delete’ across the board via DROP, reclaiming control over their info.”
The Rise of the Delete Act: A Timeline of Privacy Fortification
California’s privacy odyssey traces back to the 2018 CCPA, born from voter outrage over breaches like Cambridge Analytica. This trailblazing law granted residents rights to access, delete, and opt out of data sales, but data brokers—often opaque middlemen—slipped through cracks. Enter the 2020 Delete Act, an amendment tightening the noose: it compelled brokers to self-identify, fund a public registry, and pave the way for DROP.
Implementation hit snags—delayed by litigation and rulemaking—but by 2024, the CPPA, elevated to full agency status, unleashed its enforcement arsenal. Early sweeps yielded settlements like Growbots’ $35,400 tab for tardy filing, signaling zero tolerance. This year’s tally balloons past $300,000 in broker-specific penalties, with ROR’s hit joining Accurate Append’s $55,400 and National Public Data’s $46,000 max-out.
Industry tremors are palpable. Ad tech veterans, accustomed to frictionless data flows, now grapple with compliance audits. A 2025 Deloitte analysis pegs annual registry costs at $3.3 million from 495 initial filers, swelling to 530 by mid-year—a 7% uptick reflecting heightened awareness, or perhaps coerced participation. Yet, skeptics decry the burden on startups, arguing it stifles innovation in a sector projected to hit $1 trillion globally by 2030.
Industry Ripples and Consumer Wins
For marketers like ROR, the verdict is a wake-up jolt. Wellness brands, reliant on precision targeting, may pivot to first-party data or anonymized aggregates to dodge broker labels. Legal eagles at firms like WilmerHale warn of “perilous” exposures: $200 daily fines accrue swiftly, and inferences—AI-fueled predictions of behavior—now fall under CCPA’s protective umbrella.
Privacy advocates cheer the momentum. Groups like the Electronic Privacy Information Center hail DROP as a “game-changer,” potentially slashing breach risks by centralizing opt-outs. A recent UC Berkeley study estimates 70% of Californians unaware of their CCPA rights; DROP could bridge that gap, fostering trust eroded by scandals like the 2024 National Public Data hack exposing billions of records.
Yet challenges persist. Interstate enforcement hinges on cooperation, with the CPPA’s new Consortium of Privacy Regulators eyeing multistate pacts. As AI amplifies profiling perils, expect rulemaking on algorithmic transparency. Kemp’s team eyes 2026 audits, promising “vigorous” scrutiny to deter shadow brokers.
This enforcement wave cements California’s role as a privacy pacesetter, influencing kin laws in Colorado and Virginia. For ROR and peers, it’s a costly lesson: in the Golden State’s data gold rush, registration isn’t optional—it’s the entry fee to legitimacy.
If you want to avoid expensive regulatory fines you should book a demo with Captain Compliance’s privacy experts for a free website audit to see where your legal risks and gaps are.
