Think You’re Not a Data Broker? CalPrivacy Regulations and Enforcement Suggest a Second Look

Recent developments under California’s data broker law, the Delete Act, signal intensified focus by the California Privacy Protection Agency (“CalPrivacy”) on businesses that sell personal information.

In particular, CalPrivacy has (1) issued new regulations under the Delete Act, effective January 1, 2026, clarifying the breadth of the “data broker” definition, (2) brought multiple enforcement actions against businesses it determined were data brokers that failed to register, and (3) released an Enforcement Advisory highlighting the risks of noncompliance with the Delete Act’s registration requirements and confirming that business cannot rely on affiliates’ registrations to satisfy their own obligations.

Each of these is covered in more detail below.

#1. NEW DELETE ACT REGULATIONS

The new regulations sharpen the definition of “data broker” to more clearly capture businesses that historically may not have viewed themselves as falling within that category, including providers of third-party website tracking technologies and businesses who augment their first-party data with third-party data.

The Delete Act defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Earlier regulations defined a “direct relationship” as one in which “a consumer intentionally interacts with a business for the purpose of accessing, purchasing, using, or requesting the business’s products or services.”

The new regulations emphasize that “[a] business does not have a ‘direct relationship’ with a consumer simply because it collects personal information directly from the consumer; the consumer must intend to interact with the business.” As a result, even where a business collects information directly from a consumer and then sells that information, it may still be deemed a data broker if the collection stems from an unintentional interaction on the consumer’s part.

CalPrivacy’s Initial Statement of Reasons indicates this revision was intended to capture third-party tracking technology providers—such as those providing cookies and pixels—that may collect personal information directly from consumers without the consumers’ awareness. As CalPrivacy explains, the revised definition is “necessary to ensure that businesses cannot rely on these unintentional interactions to avoid complying with consumer rights bestowed by the Delete Act.”

Second, the regulations further clarify that “a business is still a data broker and does not have a direct relationship with a consumer as to personal information it sells about the consumer that it collected outside of a ‘first party’[1] interaction with the consumer.” In practice, this means that selling personal information obtained from third parties can trigger data broker status, even where the business otherwise maintains a direct relationship with the consumers whose information it sells.

Additional key changes in the regulations include:

• Data brokers must establish a Delete Request and Opt-out Platform (DROP) account for purposes of receiving deletion requests under CalPrivacy’s universal deletion mechanism.
• Beginning August 1, 2026, data brokers must access DROP to download consumer deletion lists at least once every 45 calendar days, process deletion requests obtained through DROP in accordance with the regulations, and report the status of every deletion request received during the previous DROP access session.

#2. DATA BROKER ENFORCEMENT ACTIONS

CalPrivacy continues to prioritize enforcement of the Delete Act, with recent settlements underscoring its expansive view of who qualifies as a “data broker” and the importance of the law’s registration requirements. Notable examples include:

ROR Partners: CalPrivacy ordered ROR Partners, a marketing firm, to pay $56,600 for failing to register as a data broker, concluding that it sold personal information when it “disclosed or made available personal information to clients as part of its services.” ROR Partners used “billions of data points” to build detailed consumer profiles and custom audience segments—such as lists of frequent health-club attendees—and sold those audiences to clients for targeted advertising.

The decision underscores that advertising providers may be treated as data brokers when they sell personal information, even if the information is bundled within broader advertising services, indicating that CalPrivacy may interpret a “sale” expansively. As the decision states: “A sale is a sale. A business cannot bypass the CCPA’s and the Delete Act’s requirements by selling personal information as part of a larger suite of products and services it offers.”

Datamasters: CalPrivacy ordered Datamasters to pay $45,000 for failing to register as a data broker after purchasing and reselling the names, phone numbers, and email addresses of millions of people with Alzheimer’s disease, drug addiction, and other health conditions for targeted advertising. The decision also required Datamasters to stop selling Californians’ personal information, effectively removing it from the California market.

#3. ENFORCEMENT ADVISORY ON DATA BROKER REGISTRATION

In a recent Enforcement Advisory, CalPrivacy cautioned that some data brokers appear to be “hiding the ball” from consumers and evading Delete Act requirements by: (1) doing business under multiple trade names or operating multiple websites without listing those trade names and websites on their registration; or (2) relying on a parent or affiliated entity’s registration instead of registering independently. CalPrivacy emphasized that these practices undermine the purpose of the Data Broker Registry, which is intended to give consumers clear visibility into who is brokering their personal information and to enable the effective exercise of rights under the Delete Act and the CCPA.

In light of these concerns, the Advisory emphasized that:

• Each distinct legal entity in a family of companies that meets the definition of a data broker must register separately. Registration does not pass automatically from parent companies to subsidiaries or among affiliates. Instead, each distinct legal entity operating as a data broker and qualifying as a business must register.
• Data brokers must list their trade names and websites. Among other information required to be included in the data broker’s registration, the data broker must provide its business name and, if applicable, trade name(s) (i.e., DBA), as well as providing any website addresses where it provides services.

[1] “First party” means a consumer-facing business with which the consumer intends and expects to interact.