Businesses that sell data regarding California residents have been put on notice by the California Privacy Protection Agency’s (the CPPA’s) recent aggressive enforcement of the California Delete Act. On October 30, 2024, the CPPA announced an investigative initiative focused on enforcing requirements for data brokers to register with the CPPA by January 31, 2024, pursuant to the Delete Act. The enforcement sweep has included companies that never even registered as data brokers until being contacted by the CPPA. In February, the enforcement division of the CPPA (the Enforcement Division) announced that it had reached two settlements as part of two distinct enforcement proceedings. This brings the CPPA’s total enforcement actions to at least six since the Delete Act went into effect on January 1, 2024.

Overview of California’s Delete Act

The Delete Act applies to data brokers, which are defined in the Delete Act as businesses that collect and sell personal information belonging to California consumers with whom they do not have a direct relationship. In addition to other compliance requirements, the Delete Act imposes data deletion obligations and requires data brokers to disclose (i) the number of consumer data deletion requests the data broker received during the prior calendar year; (ii) the average time it takes for the data broker to respond to such requests; and (iii) whether the data broker collects personal information of minors, reproductive health care data, and precise geolocation data. This information must be disclosed within the data broker’s privacy policy posted on their internet website and accessible from a link included in the data broker’s privacy policy. The Delete Act also requires data brokers to undergo an independent audit once every three years to verify compliance with the Delete Act, although this requirement does not take effect until January 1, 2028.

Data brokers are required to register on the California Data Broker Registry (the CA Registry) by January 31 of each year if they operated as a data broker during the previous year. Data brokers are required to pay an annual registration fee determined by the CPPA. The penalty for failing to register by the deadline is $200 per day.

Recent Enforcement Actions Against Data Brokers

On February 20, 2025, the CPPA announced that it brought an enforcement action seeking a $46,000 fine against Jerico Pictures, Inc., d/b/a National Public Data, a Florida-based company, for failing to register as a data broker and failing to pay the corresponding annual fee. The Enforcement Division alleges that National Public Data registered with the CPPA as a data broker 230 days after the January 31 statutory deadline to do so in 2024, and that National Public Data registered only after being contacted during an investigation into the company. National Public Data had previously made headlines in 2024 due to a data breach exposing 2.9 billion records, including names and Social Security numbers. In October 2024, the Enforcement Division filed a claim in the U.S. Bankruptcy Court for the Southern District of Florida to recover the administrative fine for failing to register with the CPPA, but the court ultimately dismissed the company's bankruptcy petition, leading the CPPA to initiate this enforcement action.

Separately, on February 27, 2025, the Enforcement Division announced that it had reached a settlement agreement with Background Alert, Inc., a California-based company, with this action also arising from a failure to register and pay the required fee. The Enforcement Division noted that Background Alert promoted its business with the slogan, "It's scary how much information you can dig up on someone." Under the settlement, Background Alert is required to cease operations until 2028 or pay a $50,000 fine.

Impact of Recent Enforcement Actions on Covered Entities

These most recent enforcement actions suggest that the CPPA is ready and willing to take action against companies of all sizes, including those that are not based in California, that sell data of California individuals but have not registered as a data broker. Due to the Delete Act’s wide-ranging applicability, organizations collecting personal data from California consumers should evaluate whether they are required to comply with the Delete Act. Organizations required to comply with the Delete Act should ensure they implement appropriate measures to comply, including registering as a data broker where required, and making the necessary disclosures in their privacy policy.

CPPA Delete Requests and Opt-out Platform

Entities that need to comply with the Delete Act should also monitor the rollout of the CPPA’s Data Broker Requests and Opt-Out Platform (DROP). DROP is a universal deletion mechanism currently being developed by the CPPA, enabling California consumers to submit a single request to DROP that would direct all data brokers to delete their personal information. DROP is funded partly by the CA Registry’s annual fees. The CPPA anticipates that DROP will be available on its website starting January 1, 2026. Beginning August 1, 2026, data brokers will be required to access DROP every 45 days to ensure compliance with the Delete Act.

For more information about the Delete Act and whether you may be required to register as a data broker in California, please contact Benjamin Mishkin and Robert Rubenstein in Cozen O’Connor’s Privacy, Technology & Data Security team.