The California Privacy Protection Agency (CalPrivacy) has taken action against the Datamasters marketing firm that sold the health and personal data of millions of users without being registered as a data broker.
As per the California Delete Act, businesses buying and selling information about consumers are required to register their data brokerage activity by January 31st following each year.
Starting in 2026, this allows consumers to access an online platform called Delete Request and Opt-out Platform (DROP), where they can submit a request to all registered data brokers to remove their personal information.
In the case of Rickenbacher Data LLC, operating as Datamasters, CalPrivacy imposed a $45,000 fine for failure to register in time.
Due to continued violations of significant severity, the Texas-based company has also been blocked from selling personal information belonging to Californians.
According to the agency's final order, Datamasters bought and resold user information of millions of people suffering from various medical conditions (e.g., Alzheimer’s disease, drug addiction, bladder incontinence) for targeted advertising.
"In addition, Datamasters bought and resold lists of people based on age and perceived race, offering 'Senior Lists' and 'Hispanic Lists,' as well as lists based on political views, grocery store purchases, banking activity, and health-related purchases," CalPrivacy says.
The collected data consisted of hundreds of millions of records that included names, email addresses, physical addresses, and phone numbers.
An aggravating factor was the company’s stance on the state’s regulation efforts, claiming it did not do business in California or manage data of Californians, and later admitting the opposite when confronted with evidence and alleging that it was manually screening the data.
Despite multiple attempts to force the firm into compliance, Datamasters reportedly resisted, while continuing to operate as an unregistered data broker.
According to the decision, which was signed on December 12, the company was also ordered to delete by the end of December all previously purchased Californians' personal information.
If Datamasters receives in the future as part of larger data sets information belonging to Californians, the company has to delete it within 24 hours of receiving it.
Datamasters must also maintain compliance measures for the next five years and submit a report of its pertinent privacy practices one year later.
CalPrivacy also applied a $62,600 fine to S&P Global Inc. for failing to register for 2024 as a data broker by the deadline set for January 31st, 2025. However, this violation was due to an administrative error.
"Although S&P Global acted quickly to register as a data broker and took corrective actions, the company was unregistered for 313 days," the agency notes in its decision to fine S&P Global.
The 2026 CISO Budget Benchmark
It's budget season! Over 300 CISOs and security leaders have shared how they're planning, spending, and prioritizing for the year ahead. This report compiles their insights, allowing readers to benchmark strategies, identify emerging trends, and compare their priorities as they head into 2026.
Learn how top leaders are turning investment into measurable impact.
