Yet another announcement about the California Privacy Protection Agency (CPPA) issuing a regulatory fine. This time it’s a smaller number a $55,400 fine to data broker Accurate Append, Inc. for failing to register under the California Delete Act. The company did not pay its 2024 registration fee or file a timely notice of closure, despite being active in 2023. It only registered after an investigation was opened by CPPA’s Enforcement Division which is one of numerous states using technology to research and go after non-compliant companies.
Michael Macko, CPPA Deputy Director of Enforcement, emphasized the importance of broker oversight:
“We are committed to bringing transparency to the data broker industry, and vigorous enforcement of California’s registration requirement is one way to do that.”
This marks the sixth public action by CPPA against data brokers since 2024. With the Delete Request and Opt-Out Platform (DROP) set to launch on August 1, 2026, enforcement is expected to intensify.
Related CPPA Enforcement Cases
1. Honda Motor Co. — $632,500 Fine (March 2025)
Honda settled with the CPPA for $632,500 after being found in violation of the CCPA due to:
- Requiring excessive personal data to verify opt-out requests
- Deploying dark patterns to discourage users from exercising their privacy rights
- Making it difficult for authorized agents to submit requests
- Sharing personal data with advertisers without adequate contractual safeguards
Remediation required Honda to overhaul its user interface, internal training, and vendor contracts.
2. Healthline Media — $1.55 Million Proposed Settlement (July 2025)
In the largest CPPA penalty to date, Healthline Media was fined $1.55 million. Allegations included:
- Noncompliance with Global Privacy Control (GPC) signals
- Improper sharing of article titles that revealed sensitive health information
- Misleading cookie banners that claimed tracking was disabled when it was not
- Vendor contracts lacking required CCPA language, including purpose limitations
The company must now implement functional opt-out systems, prohibit behavioral targeting of health content, and update third-party contracts to meet CCPA standards. If you’re a business struggling to get compliant or want a free privacy audit you can book a demo with one of our privacy professionals.
Comparative Enforcement Summary
| Company | Violation | Penalty | Key Compliance Failures |
|---|---|---|---|
| Accurate Append | Delete Act – Non-registration | $55,400 | Missed registration deadline, delayed compliance after enforcement notice |
| Honda | CCPA – Procedural Noncompliance | $632,500 | Dark patterns, inadequate identity verification, poor agent support, weak contracts |
| Healthline | CCPA – Substantive Violations | $1.55 million | Ignored GPC signals, health data misuse, misleading banners, incomplete contracts |
Trends in CPPA Enforcement
Multi-Industry Coverage
CPPA enforcement now spans the automotive, media, and data brokerage industries, signaling broad regulatory attention. Companies of all types are now expected to comply with CCPA, CPRA, and the Delete Act—or face serious financial consequences. It started with Sephora and we thought it was only going to be international companies when we saw Healthline and hear weekly about California Invasion of Privacy Act demand letters going out from Tauler & Smith we know that no business large or small is safe from privacy litigation.
Delete Act Compliance
California’s Delete Act mandates annual data broker registration by January 31. Failure to comply can result in fines up to $200 per day and further penalties. The rollout of DROP in 2026 will create a centralized opt-out tool, increasing compliance stakes even further.
Opt-Out Mechanics Must Function
Enforcement has moved beyond “checkbox compliance.” Tools that claim to block tracking or honor consumer choices must actually do so. Healthline’s penalty underscores that nonfunctional opt-out mechanisms are deceptive and illegal under California law.
Contracts Under Scrutiny
Both Honda and Healthline were cited for failing to maintain proper vendor contracts. The CPPA requires contracts to include purpose limitations, opt-out obligations, and clear privacy protections. Companies must proactively audit these agreements—not just rely on partner assurances.
Dark Patterns Prohibited
Design practices that make it harder to exercise privacy rights—like requiring multiple steps to opt out—can lead to enforcement actions. CPPA has made it clear that deceptive UX will be penalized.
Takeaways for Compliance Teams
- Register as a data broker annually, or file a non-operating notice if applicable
- Ensure opt-out, access, and deletion requests are functional, easy, and honored
- Avoid dark patterns that mislead or obstruct users
- Review and revise all vendor and ad tech contracts for CCPA compliance
- Prepare for DROP integration and ensure you can process universal delete requests by 2026
The CPPA’s fine against Accurate Append, combined with major actions against Honda and Healthline, sends a strong message: data privacy compliance in California is real, enforceable, and rapidly evolving. The days of passive checkbox policies are over. Organizations must now actively demonstrate compliance through functioning systems, robust contracts, and transparent processes. It is almost a guarnatee now that if you are not respecting visitors rights and using proper consent mechanisms that you can expect privacy problems.
