In a strong signal of escalating enforcement, the California Privacy Protection Agency (CalPrivacy, formally CPPA) released Enforcement Advisory No. 2025-01 on December 17, 2025, putting data brokers on notice regarding strict compliance with registration requirements under the groundbreaking Delete Act. The advisory specifically targets practices that obscure data broker identities—such as undisclosed trade names, unlisted websites, and improper reliance on parent company registrations—warning that such tactics hinder consumers’ privacy rights.
“We want to make it as easy as possible for Californians to exercise their privacy rights,” said Tom Kemp, CalPrivacy’s Executive Director. “With the next registration deadline around the corner, this advisory serves as a reminder for data brokers to register before they hear from us.”
Background: The Delete Act and the Rise of Consumer Data Deletion Rights
California continues to lead the nation in privacy protection with the California Consumer Privacy Act (CCPA, amended by the California Privacy Rights Act or CPRA) and the more recent Delete Act (SB 362, signed into law in October 2023). The Delete Act specifically targets data brokers—businesses that collect and sell personal information about consumers with whom they have no direct relationship.
Key innovations include:
- Mandatory annual registration with CalPrivacy, including payment of fees that fund the agency’s operations and the public Data Broker Registry.
- Starting in 2026, the creation of DROP—a centralized “one-stop” mechanism allowing consumers to submit a single deletion request that applies to all registered data brokers.
- Enhanced transparency requirements to help consumers identify and interact with data brokers.
The Data Broker Registry already lists hundreds of entities, but enforcement observations reveal gaps where some brokers obscure their operations, making it harder for consumers to exercise deletion or opt-out rights.
Core Issues Highlighted in Enforcement Advisory 2025-01
The advisory directly addresses three critical compliance areas based on the Enforcement Division’s observations:
- Disclosure of Trade Names and Websites: Data brokers must list all trade names (DBAs) and public-facing website addresses used to provide services. Incomplete listings “hide the ball” from consumers searching the registry.
- Independent Registration for Each Entity: Subsidiaries and affiliates cannot rely on a parent company’s registration. Each distinct legal entity that meets the data broker definition must register separately and maintain its own DROP account.
- Timely and Complete Registration: Registration is only complete upon submission of all required information and payment. Websites provided must be accurate, functional, and include a dark-pattern-free page for exercising privacy rights.
Penalties for Non-Compliance
The stakes are high. Under Civil Code § 1798.99.82(c), unregistered data brokers face:
- $200 administrative fine per day of non-registration.
- Payment of all past-due registration fees.
- Reimbursement of CalPrivacy’s investigation and administrative expenses.
CalPrivacy has demonstrated willingness to impose these penalties through its ongoing Data Broker Enforcement Strike Force.
Leadership Perspective: Quotes from CalPrivacy Officials
“The rules of the road are clear, and we expect data brokers will register as required,” said Michael Macko, CalPrivacy’s Deputy Director of Enforcement. “We will continue using all available tools to investigate potential violations and bring enforcement actions where appropriate.”
Executive Director Tom Kemp’s statement emphasizes proactive compliance over reactive enforcement, highlighting the agency’s consumer-first approach as DROP nears launch.
Recent Enforcement Actions Demonstrate Aggressive Stance
CalPrivacy has already taken significant actions, including:
- A $56,600 penalty against ROR Partners LLC for failing to register.
- $1.35 million fine against Tractor Supply Company for CCPA violations.
- $345,178 fine against Todd Snyder, Inc., requiring practice changes.
- $632,500 fine against American Honda Motor Co.
- Settlement forcing data broker Background Alert to cease operations or face steep fines.
- Multiple additional actions against unregistered brokers.
The agency has also launched international partnerships and a bipartisan Consortium of Privacy Regulators to amplify enforcement.
Compliance Checklist for Data Brokers
| Requirement | Details | Legal Reference |
|---|---|---|
| Annual Registration Deadline | January 31 each year (for prior year’s activity) | Civ. Code § 1798.99.82 |
| Independent Entity Registration | Subsidiaries cannot rely on parent registration | 11 CCR § 7602(a) |
| Trade Names & Websites | List all DBAs and functional website addresses | 11 CCR §§ 7603, 7610 |
| DROP Account | Required starting 2026 for deletion processing | Civ. Code § 1798.99.86 |
| Privacy Rights Link | Include dark-pattern-free deletion/opt-out page | Civ. Code § 1798.99.82(b)(2)(G) |
What This Means for Consumers and Businesses
For Californians, the advisory and upcoming DROP platform represent a major step toward regaining control over personal data sold without consent. Consumers suspecting an unregistered data broker can file complaints via CalPrivacy’s online form.
For businesses, the message is unambiguous: Review operations now, disclose fully, and register independently. With daily fines accumulating quickly, proactive compliance is far less costly than enforcement actions.
As data-driven technologies like AI accelerate the collection and monetization of personal information, California’s aggressive stance sets a national—and potentially global—precedent for data broker accountability.
