California data broker fined $45,000 for selling health condition lists

The California Privateness Safety Company introduced on December 30, 2025 its first enforcement motion beneath the state’s Delete Act, ordering Texas-based knowledge dealer Rickenbacher Information LLC to pay a $45,000 effective for failing to register as required by regulation. The choice marks the opening salvo in California’s marketing campaign to control an trade that trades in detailed private details about thousands and thousands of People, typically with out their data or consent.

Rickenbacher Information, working beneath the enterprise title Datamasters from Flower Mound, Texas, purchased and resold private data categorized by delicate well being circumstances together with Alzheimer’s illness, drug dependancy, bladder incontinence, acid reflux disorder, and tobacco use. The stipulated closing order particulars that the corporate maintained databases with house addresses, phone numbers, and e mail addresses for 435,245 individuals with Alzheimer’s illness, 133,142 people categorized beneath dependancy classes, and 857,449 customers with bladder management points.

The corporate’s advertising and marketing supplies marketed entry to what it described as a nationwide shopper database containing over 114 million households and 231 million particular person names and addresses “accessible for exact focusing on and segmentation.” Pricing began at $40 per thousand data with a minimal order of 5,000 names.

Datamasters additionally provided lists segmented by ethnicity and monetary vulnerability. The corporate promoted “Hispanic Lists” containing greater than 20 million individuals with Hispanic surnames, “Senior Lists” of senior residents and Child Boomers, and “mortgage lists” of house owners carrying high-interest loans. An Excel spreadsheet posted to the corporate’s web site recognized 204,218 accessible data for college students in California, demonstrating the geographic scope of its knowledge assortment efforts.

Past demographic and well being knowledge, Datamasters bought behavioral data based mostly on customers’ political opinions, grocery buy patterns, retail purchasing conduct, and funding exercise. The corporate provided entry to three,370 “Client Predictor Fashions” spanning 16 classes together with automotive preferences, monetary exercise, media use, and nonprofit exercise. These fashions used current buyer relationships to foretell future buying conduct “with excessive likelihood charges.”

The enterprise mannequin relied on accessing databases licensed from third-party suppliers. Datamasters marketed bulk database purchases and subscription-based “knowledge feeds” delivering private data on recurring schedules. One providing supplied a compiled USA shopper database with 219 million data for $9,500 as an outright buy, with quarterly updates accessible for $1,995. The corporate marketed these providers particularly to “Telemarketers, Name Facilities, Information Brokers, Information Resellers and Bulk Electronic mail Information Customers.”

California’s Delete Act, codified in Civil Code part 1798.99.82, requires companies assembly the definition of knowledge dealer to register yearly with the California Privateness Safety Company throughout January and pay related charges. Information brokers are outlined as companies that gather and promote private details about customers with whom they haven’t any direct relationship. Datamasters met this definition in the course of the 2024 calendar yr however didn’t register by the January 31, 2025 deadline.

The California Privateness Safety Company’s Enforcement Division opened an investigation after discovering Datamasters had not registered. When initially contacted, Datamasters denied participating in knowledge dealer exercise. The corporate instructed investigators it did “not do enterprise or take orders of any sort” in California and “doesn’t do enterprise in California with any entity.”

This denial proved inconsistent with proof on the corporate’s personal web site. When confronted with the Excel spreadsheet figuring out California scholar data, Datamasters admitted receiving Californians’ private data from suppliers however claimed it rejected buyer requests to buy California-specific knowledge. The corporate asserted it had periodically refused to satisfy California-specific orders between 2020 and 2025, citing California privateness legal guidelines.

The company investigated additional, asking whether or not Datamasters had equally rejected requests for nationwide knowledge that encompassed California together with different states. The corporate proprietor instructed investigators that Datamasters had accepted and fulfilled orders for nationwide shopper lists with out screening them to take away Californians’ private data. This assertion confirmed that regardless of periodic refusals of California-specific requests, the corporate was amassing and promoting Californians’ knowledge by broader geographic gross sales.

Just a few days after this admission, Datamasters retained authorized counsel and backtracked on its statements. The corporate defined that its earlier statements had been “incomplete and inaccurate as acknowledged” and as an alternative asserted that it “screens all lists bought” to make sure they contained no California private data.

Datamasters then up to date its web site to align with this new place. The corporate eliminated the Excel spreadsheet describing California scholar data, added textual content stating it does “not promote or present knowledge about California residents,” and posted a “California Client Privateness Act Compliance Discover” limiting all services and products from use by entities lined by CCPA.

The stipulated closing order acknowledges that Datamasters tried to adjust to California privateness legal guidelines by handbook screening processes at numerous factors between 2020 and 2025, however these efforts had been imperfect. The corporate lacked enough written insurance policies and procedures to make sure compliance with the Delete Act.

The enforcement motion brings a number of penalties past the $45,000 administrative effective. Datamasters should stop promoting all Californians’ private data beginning December 31, 2025. The corporate should completely delete all beforehand bought California private data by that very same deadline.

Inside 30 days of the December 30, 2025 determination, Datamasters should undertake written insurance policies and implement procedures making certain it doesn’t gather or promote private data belonging to Californians when shopping for and reselling knowledge. To the extent Datamasters receives California private data as a part of bigger purchases, it should completely delete such data inside 24 hours of receipt, instruct senders to not disclose California data sooner or later, and preserve data of entities that disclosed Californians’ knowledge.

The corporate should additionally preserve these written insurance policies and procedures for 5 years, replace its web site and get in touch with types to obviously state it doesn’t purchase or promote Californians’ private data, and preserve data of any transactions involving requests for California knowledge. After one yr, Datamasters should submit a written abstract of its privateness practices to the California Privateness Safety Company.

This enforcement motion arrives as California implements its Delete Request and Opt-out Platform, which took impact January 1, 2026. The centralized system permits California customers to submit a single deletion request that reaches all registered knowledge brokers, changing the earlier requirement to contact every firm individually. Information brokers should start accessing the platform each 45 days beginning August 1, 2026 to retrieve and course of shopper deletion requests.

The $45,000 effective represents a comparatively modest penalty beneath the Delete Act, which authorizes administrative fines of $200 per day for every day a enterprise fails to register. Datamasters didn’t register between February 1, 2025 and September 13, 2025, a interval spanning roughly 224 days. The utmost potential penalty for this timeframe would have exceeded $44,800, suggesting the stipulated settlement approximated the statutory most for registration failure.

The Datamasters case demonstrates California’s dedication to imposing knowledge dealer transparency necessities even in opposition to out-of-state corporations with no bodily presence in California. The corporate operated from Texas however performed enterprise affecting California customers, establishing enough jurisdiction for the California Privateness Safety Company to pursue enforcement.

The enforcement motion highlights tensions in how knowledge brokers navigate state privateness legal guidelines. Datamasters’ inconsistent statements to investigators—first denying California enterprise completely, then admitting to promoting nationwide lists containing California knowledge, then claiming complete screening—reveal compliance challenges confronted by corporations accustomed to working in a nationwide market now fragmented by state-level rules.

The case additionally exposes the delicate nature of knowledge dealer stock. Lists categorizing customers by well being circumstances like Alzheimer’s illness, drug dependancy, and bladder incontinence increase privateness issues past easy contact data. Advertising and marketing based mostly on these attributes can exploit susceptible populations, significantly when mixed with lists focusing on seniors or people with high-interest mortgages who could also be experiencing monetary stress.

California has demonstrated sustained enforcement exercise throughout privateness violations. The state secured a $1.55 million settlement with Healthline Media in July 2025 for failing to honor opt-out requests and persevering with to share medical article knowledge with advertisers. A separate $1.4 million settlement with mobile gaming company Jam City adopted in November 2025 for violations together with failure to supply opt-out mechanisms throughout 21 cellular functions.

The Lawyer Normal launched an investigative sweep into the placement knowledge trade in March 2025, sending letters to promoting networks, cellular app suppliers, and knowledge brokers showing to violate CCPA. These enforcement actions display California’s multi-sector strategy to privateness compliance spanning publishers, cellular functions, and knowledge brokers.

The info dealer trade faces growing regulatory stress globally. Spain’s knowledge safety authority imposed €1.8 million in fines on enterprise knowledge agency Informa D&B in January 2025 for processing private knowledge of 1.6 million particular person enterprise house owners with out legitimate authorized foundation beneath GDPR. The ruling established necessary precedents distinguishing between public registry entry and business knowledge exploitation.

The Datamasters determination establishes a number of compliance expectations for knowledge brokers. Written insurance policies and procedures have to be sufficiently detailed to stop inadvertent assortment and sale of California private data. Corporations can’t depend on casual screening processes or periodic refusals of state-specific requests whereas persevering with to promote nationwide lists containing that state’s knowledge.

Information brokers accepting nationwide databases from suppliers should implement systematic screening to establish and exclude California private data earlier than reselling. When screening proves not possible, corporations face a binary alternative: exclude California completely from their enterprise mannequin or register as a knowledge dealer and adjust to all related necessities together with the Delete Request and Decide-out Platform beginning August 2026.

The enforcement motion in opposition to Datamasters indicators that California privateness regulators will pursue knowledge brokers no matter the place they bodily function. The company demonstrated investigative persistence, following up on inconsistent statements and confronting the corporate with proof from its personal web site. This strategy suggests regulators possess each technical functionality and authorized authority to establish unregistered knowledge brokers conducting enterprise affecting California customers.

For the promoting trade, the Datamasters case reinforces that privacy compliance requirements continue expanding. Entrepreneurs buying shopper lists should confirm that suppliers have registered as knowledge brokers the place required and have obtained correct authorized foundation for amassing and promoting private data. Contracts with knowledge suppliers ought to embrace representations and warranties about compliance with relevant privateness legal guidelines.

The case additionally highlights dangers related to health-related shopper knowledge. Lists categorizing people by medical circumstances set off heightened privateness protections beneath a number of frameworks together with HIPAA, state well being privateness legal guidelines, and the Federal Commerce Fee’s Well being Breach Notification Rule. Entrepreneurs utilizing such lists face potential enforcement from a number of regulatory companies past state privateness authorities.

The promoting know-how trade has begun implementing standardized protocols for privateness compliance. IAB Tech Lab finalized its Information Deletion Request Framework in June 2024, establishing a typical methodology for transmitting deletion requests all through the digital promoting provide chain. The framework addresses necessities beneath GDPR, U.S. state privateness legal guidelines together with CCPA, and extra laws like Quebec’s Legislation 25.

Datamasters’ acknowledgment that its compliance efforts had been “imperfect” regardless of making an attempt handbook screening processes underscores the operational complexity of privateness compliance for knowledge brokers. Corporations working on this house should put money into systematic technical controls, written procedures, employees coaching, and ongoing monitoring to make sure California private data doesn’t enter their databases or attain their prospects.

The stipulated closing order contains provisions requiring Datamasters to provide data to the California Privateness Safety Company upon request, preserve audit trails of any transactions involving California knowledge, and submit annual compliance stories. These ongoing obligations lengthen 5 years from the December 30, 2025 determination, creating long-term oversight of the corporate’s privateness practices.

The Datamasters enforcement demonstrates that California regulators will settle for settlements that embrace each financial penalties and complete compliance necessities. The stipulated order dedicates substantial consideration to potential compliance measures—written insurance policies, screening procedures, document retention, and reporting obligations—suggesting California prioritizes systemic enchancment over punitive damages.

The choice arrives at a pivotal second for knowledge privateness enforcement. As of January 1, 2026, a number of updates to California privateness regulation took impact, increasing necessities round shopper consent for companies amassing and transferring private data to 3rd events. Corporations should now enter into agreements with any third occasion, service supplier, or contractor receiving shopper knowledge, specifying that transfers happen just for restricted functions.

Information brokers face a regulatory panorama shifting towards higher transparency and shopper management. The Delete Request and Decide-out Platform essentially modifications the enterprise mannequin by enabling customers to take away their data from lots of of knowledge brokers by a single motion. This centralized deletion mechanism threatens corporations whose worth proposition depends upon sustaining complete shopper profiles throughout their databases.

For Datamasters particularly, the enforcement motion successfully requires the corporate to exit the California market completely or essentially restructure its operations. The order prohibits promoting Californians’ private data and mandates deletion of all California knowledge by December 31, 2025. These necessities make it commercially impractical for a nationwide knowledge dealer to proceed working whereas excluding California, which represents roughly 12 p.c of the U.S. inhabitants.

The California Privateness Safety Company’s willingness to deliver enforcement actions in opposition to out-of-state knowledge brokers establishes that the company will train jurisdictional authority based mostly on the place customers are situated reasonably than the place corporations function. This extraterritorial attain successfully extends California privateness regulation to any enterprise promoting knowledge about California residents, no matter company domicile.

The Datamasters case demonstrates that preliminary denials or misrepresentations to regulators won’t stop enforcement. The corporate’s shifting explanations—from denying California enterprise to admitting nationwide gross sales to claiming complete screening—didn’t deter investigators from pursuing the case. This investigative strategy suggests regulators will confirm compliance claims independently reasonably than accepting firm statements at face worth.

Timeline

• 2020-2025: Datamasters makes an attempt compliance by periodic refusals of California-specific knowledge requests whereas persevering with to promote nationwide lists
• 2024: Datamasters operates as knowledge dealer shopping for and promoting private data of greater than 100,000 customers with out direct relationships
• January 31, 2025: Data broker registration deadline passes; Datamasters fails to register with California Privateness Safety Company
• February 1, 2025: Datamasters enters violation interval for failure to register
• March 2025: California Attorney General announces investigative sweep into location knowledge trade focusing on promoting networks and knowledge brokers
• July 1, 2025: California announces $1.55 million Healthline settlement, marking largest CCPA financial penalty
• September 13, 2025: Datamasters registers as knowledge dealer after enforcement investigation begins
• November 21, 2025: California secures $1.4 million settlement with Jam City for cellular app privateness violations
• December 12, 2025: Datamasters and California Privateness Safety Company signal stipulated closing order
• December 30, 2025: California Privateness Safety Company Board adopts stipulated order as official determination
• December 31, 2025: Deadline for Datamasters to stop promoting Californians’ private data and delete all California knowledge
• January 1, 2026: California privacy law updates take effect increasing consent necessities; Delete Request and Decide-out Platform turns into accessible to customers
• August 1, 2026: Information brokers should start accessing Delete Request and Decide-out Platform each 45 days to course of deletion requests

Abstract

Who: Rickenbacher Information LLC, doing enterprise as Datamasters, a Texas-based restricted legal responsibility firm with principal workplace in Flower Mound, Texas. The corporate’s proprietor David Rickenbacher signed the stipulated order admitting to working as a knowledge dealer in the course of the 2024 calendar yr. The California Privateness Safety Company’s Enforcement Division, represented by Deputy Director Michael S. Macko, Assistant Chief Counsel Lara Kehoe Hoffman, and Lawyer Angie Jin, introduced the enforcement motion. The company’s board, chaired by Jennifer M. City, adopted the stipulated order as its determination.

What: The California Privateness Safety Company ordered Datamasters to pay a $45,000 administrative effective for failing to register as a knowledge dealer by the January 31, 2025 deadline as required beneath California’s Delete Act. The stipulated closing order additionally requires Datamasters to stop promoting all Californians’ private data by December 31, 2025, completely delete all beforehand bought California private data by that deadline, undertake written insurance policies and procedures inside 30 days to stop future assortment or sale of California knowledge, preserve data of compliance actions for 5 years, and submit annual stories to the company. Datamasters purchased and resold private data of thousands and thousands of customers categorized by delicate well being circumstances together with Alzheimer’s illness (435,245 individuals), drug dependancy (133,142 people), and bladder management points (857,449 customers), together with demographic segmentation by ethnicity, age, and monetary situation.

When: The California Privateness Safety Company Board adopted the stipulated closing order on December 30, 2025. Datamasters operated as a knowledge dealer in the course of the 2024 calendar yr however didn’t register by the January 31, 2025 statutory deadline, getting into violation standing on February 1, 2025. The corporate registered on September 13, 2025 after the enforcement investigation started. Datamasters and the enforcement division signed the stipulated order on December 12, 2025. The corporate faces a December 31, 2025 deadline to stop promoting California private data and delete all beforehand collected California knowledge.

The place: The enforcement motion was introduced earlier than the California Privateness Safety Company, headquartered at 400 R Road, Suite 350, Sacramento, California 95811. Datamasters operates from 6101 Lengthy Prairie Highway #744, Flower Mound, Texas 75028. The corporate performed enterprise affecting California customers regardless of having no bodily presence within the state. The enforcement establishes that California privateness regulation applies to knowledge brokers no matter company domicile after they gather and promote private data of California residents. The case demonstrates extraterritorial attain of California privateness rules based mostly on the place customers are situated reasonably than the place companies bodily function.

Why: The enforcement motion seeks to make sure transparency and accountability within the knowledge dealer trade, which trades in detailed private details about thousands and thousands of customers who usually haven’t any direct relationship with these corporations and sometimes stay unaware their knowledge is being purchased and bought. California’s Delete Act requires annual knowledge dealer registration to create public visibility into which corporations have interaction on this enterprise and to allow shopper train of privateness rights by the centralized Delete Request and Decide-out Platform. Datamasters’ failure to register violated this transparency mandate. The corporate’s enterprise mannequin—shopping for and reselling delicate well being data, demographic knowledge, and behavioral profiles for focused promoting functions—exemplifies privateness dangers that California seeks to deal with by enhanced shopper management over private data. The enforcement demonstrates California’s dedication to holding knowledge brokers accountable no matter the place they function, establishing compliance expectations for written insurance policies, systematic screening procedures, and ongoing document retention that reach past easy registration necessities.