California Cracks Down on Data Brokers

The California Privacy Protection Agency has fined Accurate Append, Inc. $55,400 for failing to register as a data broker under the Delete Act. This penalty underscores California’s push to regulate the opaque data broker industry, which continues to collect, trade, and monetize personal data at scale.

UC Irvine's 2025 study, "Consumer Privacy and the Hidden Data Economy", sheds light on systemic privacy risks tied to data brokers:

✅ Scale of the Industry: Over 540 data brokers are registered in California, handling massive amounts of consumer data often without direct interaction with the individuals concerned.

✅ Widespread Non-Compliance:

43% failed to respond to CCPA data access or deletion requests.

37% requested excessive personal details (e.g., copies of IDs, SSNs) for identity verification, ironically creating new privacy risks.

30% used outdated opt-out mechanisms, or failed to provide CCPA-compliant opt-out links.

✅ Opaque Practices: Many brokers lacked transparent disclosures, making it hard for consumers to understand how their data is collected, shared, or sold.

✅ Security Risks: The study flagged multiple breaches linked to data brokers, exposing sensitive data such as SSNs and financial records.

✅ Cross-Jurisdictional Gaps: Even registered brokers often operate across multiple states and jurisdictions, complicating enforcement and allowing gaps in consumer rights protections.

These findings reinforce why CPPA enforcement is accelerating: recent actions include Todd Snyder ($345,178), Honda ($632,500), and closures of non-compliant brokers like Background Alert.

✅ What’s Coming

The Delete Act mandates that:

- All data brokers register annually and pay fees to support California’s Data Broker Registry.

- The Delete Request and Opt-Out Platform (DROP), launching in 2026, will let consumers submit a single deletion request across all registered brokers—streamlining rights enforcement and raising stakes for compliance.

California’s enforcement trajectory is clear: penalties are growing, compliance oversight is expanding, and tools like DROP will make enforcement even sharper. Compared to Europe’s GDPR fines, U.S. penalties remain modest but are rising steadily. The UC Irvine study shows that many brokers are not prepared for active oversight—and regulators are closing in.

✅ What Organizations Should Do Now:

☑️ Audit data broker contracts for compliance and security safeguards.

☑️ Prepare for DROP integration—ensure processes to handle deletion requests at scale.

☑️ Monitor CPPA enforcement patterns and align with CCPA, CPRA, and Delete Act obligations.

☑️ Build vendor oversight programs for third-party data handlers and conduct periodic compliance reviews.

UC Irvine's study

Author: Sebastian Burgemejster