Key point: This is the eighth fine CalPrivacy has issued against an entity for failing to register as a data broker and comes just days after CalPrivacy announced a new Data Broker Enforcement Strike Force and only months before fines will significantly increase under the California Delete Act.

On December 3, 2025, the California Privacy Protection Agency (CalPrivacy) announced its latest fine for an entity failing to register as a data broker under California’s Delete Act. This is the eighth time CalPrivacy has fined an entity for failing to register as a data broker. The agency issued four fines in each of 2024 and 2025.

The $56,600 fine comes just days after CalPrivacy announced the formation of a Data Broker Enforcement Strike Force, portending even more (and significantly higher) fines against data brokers and unregistered data brokers. This is particularly notable given that the agency’s data broker regulations adopt a broader definition of what constitutes a data broker, which definition may encompass entities that do not traditionally consider themselves to be data brokers.

In this article, we provide a brief overview of the enforcement action. We also discuss the broader context of data broker regulation in California, including the increased risks and requirements for data brokers in 2026.

Background

According to the Stipulated Final Order, the fitness and wellness marketing agency makes consumers’ personal information available to its clients to enable precise audience targeting for marketing campaigns. The marketing agency advertises its use of “first-party data and third-party data, AI driven audience modeling, and predictive analytics to reach the right people – at the right time.” The marketing agency collects personal information from a variety of sources, including its clients and third parties such as health and fitness-related companies. As part of its services, it discloses inferences about consumers, such as whether consumers are likely to be interested in fitness activities based on their attendance at health clubs. Put more succinctly, the marketing agency collects personal information from many different sources and then is paid by its health and fitness-related clients to conduct targeted advertising to individuals who have shown an interest in health and fitness or who the marketing agency infers have such an interest based on their personal information.

The Stipulated Final Order states that the marketing agency is a data broker under the California Delete Act but failed to register with CalPrivacy. The marketing firm was fined $50,000 and agreed to pay the $6,600 data broker registration fee for 2025. The $50,000 fine consists of a daily $200 fine for the 250 days the marketing firm failed to register as a data broker in 2025 (February 1, 2025, to October 8, 2025).

Increased Risks and Requirements for Data Brokers in 2026

The fine is another sign that CalPrivacy is closely scrutinizing not only entities that have registered as data brokers but also entities it believes should be registered. The fact that the agency is focusing on unregistered data brokers is particularly notable given that CalPrivacy’s implementing regulations adopt a broad definition of what constitutes a data broker, which can encompass entities that do not traditionally consider themselves to be data brokers.

Specifically, the law defines “data broker” as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The implementing regulations (as recently amended) define “direct relationship” to mean:

That a consumer has intentionally interacted with a business for purposes of accessing, purchasing, using, requesting, or obtaining information about the business’s products or services. A consumer does not have a “direct relationship” with a business if the purpose of their engagement is only to exercise any rights described under Civil Code section 1798, or for the business to verify the consumer’s identity. A business does not have a “direct relationship” with a consumer simply because it collects personal information directly from the consumer; the consumer must intend to interact with the business. A business is still a data broker and does not have a relationship with a consumer as to personal information it sells about the consumer it collected outside of a “first party” interaction with the consumer . . . .

Depending on an entity’s processing activities, the final two sentences of that definition could capture entities that may not consider themselves to be acting as data brokers.

Further, the consequences for failing to register will significantly increase in 2026 once the new Delete Request and Opt-out Platform (DROP) goes into effect. Starting August 1, 2026, data brokers must access the DROP at least once every 45 days and process deletion requests from California residents that have registered with the system. Failure to comply is subject to a $200 fine “for each deletion request for each day the data broker fails to delete information.”

Moreover, just months ago, California again amended its data broker law to require data brokers to provide even more information when registering. This includes not only additional disclosures as to what personal information data brokers collect but also whether, in the past year, data brokers shared or sold consumers’ data to (1) a foreign actor, (2) the federal government, (3) other state governments, (4) law enforcement (unless done pursuant to a subpoena or court order), or (5) a developer of a GenAI system or model.

In addition, when announcing the creation of its Data Broker Enforcement Strike Force, CalPrivacy was careful to note that the enforcement division will be looking for compliance with the Delete Act “as well as with the state’s comprehensive privacy law, the California Consumer Privacy Act.” That statement certainly suggests that future data broker enforcement actions will focus on more than just a failure to register and also will involve a deeper dive into a data broker’s CCPA compliance activities. CCPA violations are subject to penalties of $2,663 for each violation and $7,988 for each intentional violation.