CalPrivacy’s Data Broker Enforcement Strike Force: updates and enforcement actions
On November 26, 2025, CalPrivacy (previously the CPPA) issued a decision requiring ROR Partners LLC to pay $56,600 for failure to register as a data broker under California’s Delete Act. According to the decision, the company used “billions of data points” from over 262 million Americans to create consumer profiles and audience lists, which ROR’s clients could then use for targeted advertising.
This action was brought as part of CalPrivacy’s Data Broker Enforcement Strike Force, designed to investigate privacy violations by the data broker industry. As part of this effort, CalPrivacy recently issued an Enforcement Advisory highlighting data broker registration requirements related to trade names, websites and parent/subsidiary entities of data brokers.
What is a data broker?
By law, a data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship,” with limited exceptions for certain entities covered under other sector-specific laws. In short, they are companies that collect and sell a consumer’s personal information without directly interacting with that consumer.
Data brokers commonly collect information such as email, phone number, browsing history, or location data from places like public records, commercial data, and other sources. Data brokers often then analyze, bundle and sell these profiles about consumers to other businesses.
According to CalPrivacy’s DROP website, “[t]his information can be used to influence you – to buy certain products, to feel certain emotions, or even take certain actions. It can put you at greater risk of identity theft, fraud, or AI impersonations. It can also increase the chances your data is leaked or hacked.”
What is the Data Broker Enforcement Strike Force?
On November 19, one week prior to the ROR decision, CalPrivacy announced its creation of the Data Broker Enforcement Strike Force within its Enforcement Division. According to the announcement, “[t]he Enforcement Division will be reviewing the [data broker] industry for compliance with the data broker registration requirement in the Delete Act, as well as for compliance with the state’s comprehensive privacy law, the California Consumer Privacy Act (CCPA).”
This is not the first time the California regulator has targeted data brokers. In 2024, the Enforcement Division conducted a public investigative sweep of data broker registration with a similar goal of verifying compliance with the Delete Act and the CCPA.
What is the Delete Act?
The Delete Act is a law that applies to data brokers and requires them to register with CalPrivacy and pay an annual fee. Additionally, data brokers must also disclose:
- The number of consumer deletion requests they have received, as well as their average response time;
- Whether the data broker collects certain types of sensitive information or the personal information of minors; and,
- A link on their website informing customers of their rights under the CCPA.
- Basic identifiers, including name, phone number, or email.
- Behavioral data, including social media or browsing history, likes and dislikes.
- Financial-related data, including payment history or spending habits.
- Health-related data, including your usage of health-related apps, wearables, trackers or websites.
- Location data, including where you go and how often you visit certain places.
- Relationships, including your family and friends and how often you interact with them.
- Inferences, including those about your lifestyle, hobbies, incomes, or even religious or philosophical beliefs, which can include history of the videos you watch, articles you read, or topics you search for.