California Shuts Down Health Data Resales By Unregistered Brokers

California privacy regulators have taken fresh action against companies accused of trading in sensitive personal data without proper authorization.

The latest decisions target a marketing firm that sold health-related profiles and a global analytics provider that failed to meet registration rules.

The California Privacy Protection Agency (CPPA) said the actions are part of its enforcement of the Delete Act, which requires businesses that buy and sell consumer data to register annually.

Officials warned that information linked to medical conditions and personal behavior can pose serious risks when circulated for commercial gain.

The most severe penalty was imposed on Rickenbacher Data LLC, operating as Datamasters. Regulators found the Texas-based company bought and resold personal data tied to millions of people in 2024 without registering as a data broker in California.

Trading in Sensitive Profiles

According to the agency’s order, Datamasters handled hundreds of millions of records containing names, email addresses, phone numbers and physical addresses. The data was packaged into marketing lists built around highly sensitive attributes.

These included:

  • People with conditions such as Alzheimer’s disease, drug addiction and bladder incontinence

  • Lists based on age and perceived race, including “Senior Lists” and “Hispanic Lists”

  • Groupings linked to political views, grocery purchases, banking activity and health-related spending

“Reselling lists of people battling Alzheimer’s disease is a recipe for trouble,” said Michael Macko, head of enforcement at CalPrivacy.

“In the wrong hands, these lists could be used to target people for more than just advertising.”

Fines and Operating Restrictions

CalPrivacy fined Datamasters $45,000 and ordered the company to stop selling any personal information belonging to Californians. It must also delete all previously acquired California data and remove any such information within 24 hours if it appears in future data sets.

A separate decision fined S&P Global $62,600 for failing to register as a data broker by the January 31 deadline for 2025. Regulators said the lapse, caused by an administrative error, left the firm unregistered for 313 days.

The actions align with the launch of the Delete Request and Opt-out Platform (DROP), which allows consumers to request deletion of their personal information from all registered data brokers in a single step.
