California Privacy Protection Agency Enforces Ban on Datamasters Health Data Reselling, Enforces $45,000 Fine
Published
Key Takeaways
- Regulatory Enforcement: The California Privacy Protection Agency has fined marketing firm Datamasters $45,000 for selling sensitive data.
- Reselling Ban: The unregistered broker was banned from reselling the personal information of California residents due to privacy violations.
- Data Exploitation: Datamasters bought and resold sensitive medical data for targeted advertising, including records on Alzheimer’s disease and substance addiction.
The California Privacy Protection Agency (CalPrivacy or CPPA) has executed a significant enforcement action against Rickenbacher Data LLC, doing business as Datamasters, effectively enacting a California data broker ban on the entity.
The Texas-based marketing firm was found to be trafficking in the sensitive personal information of millions of consumers without maintaining the required legal registration.
CalPrivacy Sanctions Unregistered Broker for Privacy Violations
Specifically, Datamasters bought and resold granular healthcare data privacy information, categorizing individuals by medical conditions such as Alzheimer’s disease, drug addiction, and bladder incontinence.
The agency’s final order, dated December 30, 2025, imposes a $45,000 fine and mandates the deletion of all data belonging to California residents by the end of last month.
“No later than December 31, 2025, Datamasters shall permanently delete all Californians' personal information, if any, that Datamasters previously purchased,” said the official document.
California Delete Act Strengthens Data Reselling Restrictions
This enforcement highlights the compliance landscape introduced by the California Delete Act, under which entities that buy and sell consumer data must register their brokerage activities annually.
Datamasters attempted to evade these regulations by claiming it did not manage data of Californians, a claim later disproven by evidence of their "Senior Lists" and "Hispanic Lists." The company also maintained lists based on health-related and grocery store purchases, political views, and banking activity.
The Act not only imposes data reselling restrictions but also lays the groundwork for the forthcoming Delete Request and Opt-out Platform (DROP), which will allow consumers to issue a single request to wipe their personal information from all registered data brokers.
Implications for Compliance and Consumer Privacy
Beyond the financial penalty, the company is now legally barred from selling Californian data and must adhere to strict compliance monitoring for the next five years, the order stated.
“In the wrong hands, these lists could be used to target people for more than just advertising,” said Michael Macko, the head of enforcement at CalPrivacy, in the CPPA announcement.
“The same risks apply to selling lists of seniors, people who identify as conservative or liberal, or people who purchase sensitive health products. History teaches us that certain types of lists can be dangerous.”
In a parallel action, CalPrivacy also fined S&P Global Inc. $62,600 for failing to register by the statutory deadline, further demonstrating the agency's commitment to enforcing transparency.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular