California Data Broker Act Enforcement and DROP Explained

Introduction

In late December 2025, the California Privacy Protection Agency (CPPA) adopted two enforcement decisions that moved California’s data broker rules from theory into practice. Both actions focused on the same obligation: failure to register in the state’s data broker registry as required by the Delete Act.

The cases involved very different fact patterns. One concerned a company whose core business was the purchase and resale of large volumes of personal information. The other involved a global enterprise that intended to register but failed to complete the process on time. Despite these differences, the outcome was the same: enforcement action and financial penalties.

Together, these decisions clarify how seriously the CPPA views data broker registration and why that registration is central to the operation of California’s new consumer-facing tool, the Delete Request and Opt‑Out Platform, known as DROP.

The basics: California’s data broker registry and DROP

California’s data broker framework is established by the Delete Act. Businesses that qualify as data brokers must register annually with the CPPA and pay a registration fee. The CPPA maintains a public data broker registry that lists registered entities and provides transparency into the data broker ecosystem.

DROP builds on this registry. Instead of requiring consumers to contact individual data brokers one by one, DROP provides a centralized mechanism through which consumers can submit deletion and opt‑out requests to registered data brokers simultaneously. The effectiveness of this system depends on the accuracy and completeness of the registry. If a data broker does not register, it falls outside the mechanism consumers rely on to exercise these rights.

Case one: DataMasters and failure to register

On 30 December 2025, the CPPA adopted a stipulated final order against Rickenbacher Data LLC, doing business as DataMasters. According to the order, DataMasters purchased and resold personal information relating to millions of individuals, including California residents, without registering as a data broker as required by the Delete Act.

The CPPA’s findings describe a business model centered on highly targeted data lists. These lists included names, addresses, phone numbers, email addresses, demographic attributes, behavioral indicators, and data associated with health conditions. Based on these activities, the agency concluded that DataMasters clearly met California’s statutory definition of a data broker.

DataMasters did not register by the January 31, 2025 registration deadline. Although the company later registered and asserted that it attempted to exclude California data, the CPPA focused on what occurred in practice. The agency found that DataMasters accepted and fulfilled nationwide data orders that included personal information relating to California residents.

As part of the final order, the CPPA imposed a $45,000 administrative penalty, required DataMasters to stop selling Californians’ personal information, ordered the deletion of California-related data in its possession, and mandated written policies and recordkeeping measures designed to prevent similar conduct in the future.

This decision illustrates that registration obligations are assessed based on real-world data practices, not on how a business characterizes its intent or internal policies.

Case two: S&P Global and an administrative lapse

On the same day, the CPPA adopted a separate stipulated final order against S&P Global Inc. This case involved a very different compliance failure.

S&P Global did not dispute that it qualified as a data broker and intended to register for its 2024 activities. However, the CPPA found that the company did not complete its registration by the January 31, 2025 deadline. As a result, S&P Global remained unregistered for 313 days.

Under the Delete Act, failure to register is treated as a violation regardless of intent. Administrative penalties are calculated on a per‑day basis. Applying that framework, the CPPA imposed a $62,600 administrative fine, reflecting $200 per day for the period during which the company operated without registration.

The order also requires S&P Global to adopt written policies and internal review procedures designed to reduce the risk of missing future registration deadlines.

This decision underscores that good faith efforts and corrective action do not eliminate liability when statutory deadlines are missed.

Why these decisions matter

Taken together, the DataMasters and S&P Global decisions highlight several important points for businesses:

• Registration is mandatory. If a business meets the legal definition of a data broker, registration is a statutory requirement, not a discretionary step.
• Process failures still carry consequences. The S&P Global case shows that internal administrative errors can trigger enforcement even when there is no dispute about a company’s broader data practices.
• Consumer rights depend on registration. The data broker registry is the foundation on which DROP operates. Unregistered entities undermine the centralized deletion and opt‑out mechanism the law is designed to provide.
• Data type and scale influence scrutiny. Activities involving large volumes of personal information or detailed profiling, including health‑related or behavioral data, tend to attract closer regulatory attention.

The role of DROP going forward

DROP represents a shift toward centralized execution of consumer rights in California. Rather than navigating dozens or hundreds of individual company processes, consumers can rely on a single request mechanism that reaches registered data brokers.

For businesses, this increases the importance of accurate and timely registration. Companies that fail to appear in the registry are more visible to regulators and disconnected from the state’s rights‑management infrastructure. As DROP moves from rollout to routine use, registration and reporting obligations are likely to receive sustained enforcement attention.

Key takeaways for businesses

Businesses that collect, share, or sell personal information connected to California residents should review their activities against the statutory definition of a data broker and confirm whether registration is required. Registration deadlines should be tracked through documented internal controls rather than treated as informal or one‑time tasks.

The December 2025 CPPA decisions show that enforcement under the Delete Act is active and that procedural gaps can result in financial and operational consequences. In a regulatory environment where tools like DROP depend on accurate participation, understanding a company’s role in the data ecosystem and documenting it carefully has become a baseline expectation for operating in California’s privacy framework.