On November 26, 2025, CalPrivacy (previously the CPPA) issued a decision requiring ROR Partners LLC to pay $56,600 for failure to register as a data broker under California’s Delete Act. According to the decision, the company used “billions of data points” from over 262 million Americans to create consumer profiles and audience lists, which ROR’s clients could then use for targeted advertising.
This action was brought as part of CalPrivacy’s Data Broker Enforcement Strike Force, designed to investigate privacy violations by the data broker industry. As part of this effort, CalPrivacy recently issued an Enforcement Advisory highlighting data broker registration requirements related to trade names, websites and parent/subsidiary entities of data brokers.
What is a data broker?
By law, a data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship,” with limited exceptions for certain entities covered under other sector-specific laws. In short, they are companies that collect and sell a consumer’s personal information without directly interacting with that consumer.
Data brokers commonly collect information such as email, phone number, browsing history, or location data from places like public records, commercial data, and other sources. Data brokers often then analyze, bundle and sell these profiles about consumers to other businesses.
According to CalPrivacy’s DROP website, “[t]his information can be used to influence you – to buy certain products, to feel certain emotions, or even take certain actions. It can put you at greater risk of identity theft, fraud, or AI impersonations. It can also increase the chances your data is leaked or hacked.”
What is the Data Broker Enforcement Strike Force?
On November 19, one week prior to the ROR decision, CalPrivacy announced its creation of the Data Broker Enforcement Strike Force within its Enforcement Division. According to the announcement, “[t]he Enforcement Division will be reviewing the [data broker] industry for compliance with the data broker registration requirement in the Delete Act, as well as for compliance with the state’s comprehensive privacy law, the California Consumer Privacy Act (CCPA).”
This is not the first time the California regulator has targeted data brokers. In 2024, the Enforcement Division conducted a public investigative sweep of data broker registration with a similar goal of verifying compliance with the Delete Act and the CCPA.
What is the Delete Act?
The Delete Act is a law that applies to data brokers and requires them to register with CalPrivacy and pay an annual fee. Data brokers must also disclose:
- The number of consumer deletion requests they have received, as well as their average response time;
- Whether the data broker collects certain types of sensitive information or the personal information of minors; and,
- A link on their website informing customers of their rights under the CCPA.
Entities covered under the Act must register by January 31 if they operated as a data broker in the previous year, and they face a $200 penalty per day for failure to register. As of 2024, the data broker registry is maintained by CalPrivacy.
The annual fee funds the registry, along with the new mechanism for allowing deletion of personal information from data brokers, called “DROP.”
What is DROP?
A first-of-its-kind deletion mechanism, the Data Broker Requests and Opt-Out Platform (DROP), will allow consumers to file a single request that directs all registered data brokers to delete the consumer’s personal information immediately, and continuously every 45 days.
According to the DROP website, the data that is subject to DROP may include:
- Basic identifiers, including name, phone number, or email.
- Behavioral data, including social media or browsing history, likes and dislikes.
- Financial-related data, including payment history or spending habits.
- Health-related data, including your usage of health-related apps, wearables, trackers or websites.
- Location data, including where you go and how often you visit certain places.
- Relationships, including your family and friends and how often you interact with them.
- Inferences, including those about your lifestyle, hobbies, incomes, or even religious or philosophical beliefs, which can include history of the videos you watch, articles you read, or topics you search for.
However, the law has certain exemptions for information that is not required to be deleted. This includes information that the government makes public (property records, court filings, etc.) or information controlled by other state or federal laws, such as certain financial or health information.
The intent behind the mechanism is to give consumers more control over their personal information and to help protect their privacy.
DROP is expected to be available to consumers on January 1, 2026.
What’s next?
With the release of DROP and the establishment of the Data Broker Enforcement Strike Force, California is positioned to take data broker enforcement seriously. The decision against ROR Partners LLC was finalized one week after the Strike Force was announced, and all signs say this is the first of many enforcement efforts under this regulatory push.
If your company or organization may be acting as a data broker, it is important that you understand your obligations under laws like the California Delete Act, as well as under other state laws. These laws may have requirements like registering as a data broker, publishing a clear privacy notice, providing specific opt-outs, and reporting certain disclosures.