CalPrivacy is cracking down just as we promised with another fine but this time it’s against a data broker for a DROP act violation. On January 8, 2026, the California Privacy Protection Agency (“CalPrivacy”) announced a new round of enforcement actions targeting data brokers that operate in violation of state privacy laws. These actions underscore California’s aggressive push to hold data intermediaries accountable and protect residents’ personal information against unregistered commercial resale. The decisions follow settlements reached by CalPrivacy’s Data Broker Enforcement Strike Force and mark an early enforcement milestone under the state’s expanded privacy regime, which took effect January 1, 2026.
Enforcement Focus on Data Brokers
The enforcement actions center on Rickenbacher Data LLC, doing business as Datamasters, a Texas-based reseller of personal information. According to CalPrivacy’s decision, Datamasters purchased and resold highly sensitive lists — including names and contact information of Californians with serious health conditions — without complying with registration requirements under California’s data broker laws.
The decision orders Datamasters to pay a fine of $45,000 for failing to register with the California Data Broker Registry and to stop selling Californians’ personal information altogether. The breadth of data sold by the company and the lack of transparency around its activities illustrate longstanding concerns about the opacity and potential harms of the data broker market.
Why This Enforcement Matters
Data brokers compile, aggregate, and trade consumer information on a massive scale. Historically, much of this commerce has taken place without direct consumer knowledge or consent. Under California’s privacy laws — including the California Consumer Privacy Act (CCPA) and the Delete Act — data brokers must register with the state, enabling both regulatory oversight and consumer control over personal data.
California’s data broker registration regime also ties into a broader structural shift: the launch of the Delete Request and Opt-Out Platform (DROP), a first-of-its-kind system that allows consumers to submit a single deletion request to multiple registered data brokers. DROP became available January 1, 2026, and represents a major expansion of consumer control mechanisms.
Without registration, data brokers like Datamasters lack accountability, and consumers have limited ability to understand or influence how their information is being collected and circulated. By enforcing registration requirements and fining unregistered operators, CalPrivacy is pushing the industry toward compliance and greater transparency.
Details of the CalPrivacy Decision
The CalPrivacy Board’s decision highlights several concerning practices in the Datamasters case:
- The company bought and sold lists that included millions of people with serious health conditions such as Alzheimer’s disease, addiction, or bladder incontinence — categories of information that carry a high risk of misuse.
- Datamasters offered lists that segmented individuals by age, perceived racial or ethnic groups, and even political views, raising concerns about profiling and discriminatory targeting.
- The activities took place in 2024 without registration with the California Data Broker Registry, meaning the company operated outside the legal framework designed to ensure compliance with state privacy obligations.
CalPrivacy’s enforcement order requires Datamasters to halt all resale of Californians’ personal information and comply with ongoing obligations. The decision effectively removes the company from the data broker marketplace in California, signaling that regulators are prepared to use their enforcement authority early and visibly.
Regulatory and Market Implications
California has positioned itself as a national leader in privacy enforcement. The privacy regime created by Proposition 24 and implemented through CalPrivacy grants regulators broad authority to enforce consumer rights, issue fines, and oversee compliance with registration and other obligations.
The Datamasters enforcement action occurs against the backdrop of other significant regulatory developments, including:
- The implementation of the Delete Act and launch of the DROP system, enabling consumers to request deletion of their personal information held by multiple data brokers in one action.
- Updated CCPA regulations that take effect January 1, 2026, introducing new compliance requirements for businesses, including risk assessments, cybersecurity audits, and expanded consumer rights.
- Increased emphasis on data broker transparency and accountability, including obligatory disclosure in annual registrations and the potential for expanded enforcement actions.
These changes contribute to a rapidly evolving regulatory landscape. Businesses that collect, share, or sell personal information — and particularly those that operate as or with data brokers — must be prepared for both heightened obligations and aggressive enforcement.
How To Be CalPrivacy Compliant and Avoid Big Fines?
For organizations that handle consumer data — especially in the context of resale, segmentation, or profiling — the CalPrivacy action against Datamasters underscores several priorities:
- Assess Registration Requirements: If a business meets the definition of a data broker under California law, it must register with the California Data Broker Registry. Failure to do so may result in fines and enforcement actions.
- Inventory Personal Information Practices: Understand what categories of personal data are collected, shared, or sold — particularly sensitive categories like health information or demographic segments.
- Prepare for DROP Obligations: Following initial DROP launch, data brokers will be required to access and process deletion requests at least every 45 days starting August 2026. Businesses should build systems and workflows to comply with these requirements.
- Review and Update Compliance Programs: As CCPA and Delete Act regulations take effect, organizations need robust privacy programs, documentation, and operational processes to demonstrate adherence to California’s privacy framework.
CalPrivacy DROP Enforcement Action
The CalPrivacy enforcement actions announced on January 8, 2026 represent a clear signal that regulators will actively pursue compliance with data broker registration requirements and related privacy laws. Companies that trade in personal information — particularly sensitive data about individuals — must adapt quickly to California’s enhanced privacy regime or risk penalties, market exclusion, and reputational harm. As the state continues to refine and enforce its privacy laws, the actions of agencies like CalPrivacy will remain critical to shaping the future of data governance in the United States.
