Under the Delete Act, companies engaged in buying or selling consumer data are required to register annually as data brokers by January 31. Beginning in 2026, the law will also enable consumers to use a centralized online tool known as the Delete Request and Opt-out Platform (DROP), which allows individuals to request the deletion of their personal information from all registered data brokers at once.
CalPrivacy imposed a $45,000 fine on Datamasters for failing to register within the required timeframe. Due to the seriousness and continued nature of the violations, the agency also prohibited the company from selling personal information related to Californians. According to the regulator’s final order, Datamasters continued operating as an unregistered data broker despite repeated efforts by the agency to bring it into compliance.
The investigation found that Datamasters purchased and resold data linked to people with specific medical conditions, including Alzheimer’s disease, drug addiction, and bladder incontinence, primarily for targeted advertising purposes. In addition to health data, the company traded consumer lists categorized by age and perceived race, marketing products such as “Senior Lists” and “Hispanic Lists.” The datasets also included information tied to political views, grocery shopping behavior, banking activity, and health-related purchases.
The scope of the data involved was extensive, reportedly consisting of hundreds of millions of records containing names, email addresses, physical addresses, and phone numbers. CalPrivacy identified the nature and scale of the data processing as a significant risk to consumer privacy, particularly given the sensitive characteristics associated with many of the records.
An aggravating factor in the case was Datamasters’ response to regulatory scrutiny. The company initially claimed it did not conduct business in California or handle data belonging to Californians. When confronted with evidence to the contrary, it later acknowledged processing such data and asserted that it manually screened datasets, a claim regulators found unconvincing. The agency noted that Datamasters resisted compliance efforts while continuing its data brokerage activities.
As part of the enforcement order, signed on December 12, Datamasters was instructed to delete all previously acquired personal information related to Californians by the end of December. The company must also delete any California-related data it may receive in the future within 24 hours. Additionally, Datamasters is required to maintain compliance safeguards for five years and submit a report detailing its privacy practices after one year.
In a separate action, CalPrivacy fined S&P Global Inc. $62,600 for failing to register as a data broker for 2024 by the January 31, 2025 deadline. The agency noted that the lapse, which lasted 313 days, was due to an administrative error and that the company acted promptly to correct the issue once identified.
