Anticipating The Largest U.S. Privacy Fines For Unregistered Data Brokers

Earlier this year, the California Lawyers Association published an article I wrote entitled ‘Wake Now, Discover That You Are A Data Broker.’ Included in that overview is a description of California’s ‘Delete Act’ and its broad definition of ‘data broker’ that encompasses many categories of businesses who are currently not registered with California’s Data Broker Registry. While CalPrivacy (a.k.a. the California Privacy Protection Agency or ‘CPPA’) has already enforced against many companies who did not previously register, the implications for companies not registering in 2026 could lead to the largest U.S. statutory privacy fines ever issued. 

The reason for this claim is that beginning August 1, 2026, CalPrivacy can enforce the following provision in the Delete Act: “An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.” 

Here’s a short analysis of why the Delete Act has such important implications:

  1. On January 1, 2026, CalPrivacy will open up California resident registrations for the Delete Request and Opt-out Platform (DROP), and on August 1, 2026, registered data brokers will begin accessing DROP at least every 45 days to retrieve resident deletion requests. As a result, all data brokers will need to complete those initial DROP requests by roughly mid-September or else be subject to the statutory penalties for non-compliance.

  2. California has approximately 25 million adult residents (on the low end). If even 10% of California residents register with the DROP, that will total approximately 2.5 million residents who must be deleted from registered data broker databases. (As a broad comparison, according to numerous sources, the vast majority of U.S. adults have registered with the FTC National Do Not Call Registry.) 

  3. Based on that estimated adoption rate, if a data broker does not register and apply the DROP by mid-September, they could be subject to an immediate $500,000,000 administrative fine (2.5 million California DROP users x $200 fine per California DROP user per day). 

  4. As the law specifically states “for each day the data broker fails to delete information”, that same unregistered data broker could be subject to a $500MM administrative fine every day until they register and apply the DROP, which could reach $53,000,000,000 if the data broker does not register and apply the DROP by the end of 2026. 

  5. This enforcement action is compounded by an additional $6,000 registration fee and a $200 per day administrative fine that CalPrivacy can enforce against the data broker simply for not registering with California, which would add an additional $72,400 if the business does not register by January 31, 2026 ((332 days x $200/day) + $6,000 registration fee = $72,400).

  6. To be clear, this is an ‘administrative’ penalty, not a potential enforcement action that could be adjudicated in court (or even settled in conjunction with a legal challenge). In other words, it’s a fine that can only be appealed through a court challenge on limited grounds such as whether the law was improperly applied, or CalPrivacy acted unreasonably in administering the fine (or a broader challenge to the constitutionality of the law itself). If a data broker simply fails to register with California and is proven to meet the Delete Act’s data broker definition, then any such legal challenge associated with the fine would be a very high burden as the statutory penalty text is quite clear. In such an event, the most relevant challenge would seemingly be the broader question of whether the Delete Act violates the U.S. Constitution, which would be an even higher burden with a lengthy multi-year process likely ending in a Supreme Court decision.

Reminder: The Delete Act’s updated definition of ‘Data Broker’ is very broad and includes a provision that potentially converts first-party data into a third-party data broker activity. Here’s the key excerpt from the most recently approved regulations to the Delete Act (effective '26): https://cppa.ca.gov/regulations/pdf/data_broker_drop_reg.pdf

“Direct relationship” means that a consumer has intentionally interacted with a business for the purpose of accessing, purchasing, using, or requesting, or obtaining information about the business’s products or services. A business does not have a “direct relationship” with a consumer simply because it collects personal information directly from the consumer; the consumer must intend to interact with the business. A business is still a data broker and does not have a direct relationship with a consumer as to personal information it sells about the consumer that it collected outside of a “first party” interaction with the consumer, as that term is defined in California Code of Regulations, title 11, section 7001.

I encourage you to read the full Statement of Reasons for CalPrivacy’s rationale for these definitional changes and other regulations. 

Categories Of Data Brokers Predominantly Missing From The California Registry 

Below is a list of some of the categories of companies that should be registered as data brokers, and in my review of the California registry, I believe that these categories are currently under-represented.  

1. Businesses engaged in selling any data that has been enriched or appended with third-party data (including B2B data providers)

There are many instances where first-party data collectors utilize third-party data providers to supplement their databases, and where either the data provider or even the first party are deemed to be data brokers. One such example is email appending, which is a practice that this author was deeply involved with in the late 1990s and is making a comeback with ‘de-anonymization’ and similar ‘re-identification’ services that match website visitor IP addresses with third-party email databases in order to enable a first-party marketer to re-target email marketing offers to previously ‘unknown’ website visitors. The email data source provider is most certainly a California data broker in this scenario, and if the first party enables third parties to utilize its email list, it will also be deemed a data broker. In addition to this category of data appending, any business that enables a first party to synchronize their own collected data with sourced third-party data, such as for ‘identity graphing’ purposes to enable cross-channel or cross-device marketing, is likely deemed a data broker.

A very important issue is that both the Delete Act and the California Consumer Privacy Act (CCPA) definitions of ‘sale’ clearly incorporate business professionals’ personal information, and the ‘publicly available’ collection exemption rarely applies to this category of data because even though a professional’s identity information may be publicly sourced online, the majority of contact information sourced in association with that individual is from proprietary data sources (or ‘created’ as part of a company’s email system naming association). Simply put, companies licensing B2B email addresses or phone numbers that they did not collect themselves are deemed to be data brokers (including when appending to ‘unknown’ website visitor data).

Finally, any businesses that license demographics, firmographics, transactional data, behavioral data, and observed or inferred interests are also deemed data brokers if this information is associated with an ‘identified or identifiable individual or device’. This encompasses many types of businesses not listed here, but the most obvious under-represented behavioral data category applies to the next category - advertising services.       

2. Advertising Services, notably media buyers, media sellers, ad networks, and intermediary advertising data services

Let’s start with examples of the two largest public companies in the ‘ad network’ ecosystem (i.e., businesses that enable cross-contextual behavioral data to be ‘sold’ through their platforms): Google (Nasdaq: GOOG) and The Trade Desk (Nasdaq: TTD). As of the date of this posting, neither of these companies is currently registered as a data broker in California, and there is a strong argument that both companies could be defined as data brokers under the Delete Act because the ‘direct relationship’ regulation cited above indicates that a ‘third-party cookie’ is not a ‘first party relationship.’ These companies could potentially challenge this ‘direct relationship’ regulation with a Delete Act constitutional legal challenge (on both First Amendment and Commerce Clause grounds) since both the browser and publishers make it clear to consumers that these advertising services are using cookies/tracking technologies (with choices to opt-out or disable) which enables a ‘first-party’ relationship. However, on the face of the law, the regulation indicates that if a third-party advertising cookie is used to ‘sell’ that website visitor’s data to other advertisers, it would qualify as a data broker activity. In other words, any cross-contextual behavioral advertising services that enable advertisers to reach categories of audiences that the intermediary collects/sells based on the cross-contextual behavioral activities of those audiences is likely a data broker activity.

Another tricky issue is that many media providers enrich their first-party data with third-party demographic data, or even combine their audience data with advertiser first-party data, and then enable the enriched/appended audience to be utilized by advertisers through other media providers. This practice is detailed by the Interactive Advertising Bureau (IAB) in their white paper entitled “Untangling the Issues in Commerce Media Networks: Key Considerations Under U.S. State Privacy Laws,” where it describes ‘Offsite’ advertising services (also commonly referred to as ‘audience extension’ campaigns). As the third-party-enriched or combined first-party data is sold or licensed for an external media use, it is also likely deemed a ‘data broker’ activity by the media provider and/or advertising intermediary. Again, as noted in the above definition of ‘direct relationship’, first-party data combined with third-party data and then sold to others is not exempt from the California data broker requirements.

As you can see, the broad definition of data broker likely implicates every advertising-related data service that enables ad retargeting, including proprietary addressable ID providers, as well as a number of intermediaries which can include companies enriching addressable IDs with demographic or other third-party data. For the most obvious cross-correlation of companies potentially missing from the CA registry, one only needs to reference the companies publicly listed as enabling advertising data services through the Digital Advertising Alliance and Network Advertising Initiative’s websites. 

3. Advertising and marketing agencies 

In my comments to CalPrivacy related to their July rulemaking, I specifically took issue with the fact that the Delete Act does not exempt intermediaries acting on behalf of an advertiser or marketer from being defined as a data broker. Any agency that works with advertisers and marketers and procures third-party data on their behalf that they then charge clients for in their client invoices, or otherwise mark up the cost in a media buy on an advertiser’s behalf, is likely deemed a data broker and requires the agency to register with California. There are so many ways agencies can be implicated in this process without knowing it, including licensing third-party ‘lookalike’ audiences, modeling third-party data, or as previously noted - enabling first-party data enrichment or providing data append services.

The risk of an agency being deemed a California data broker can be mitigated with commercial terms and internal operational controls, but simply having a Data Protection (or ‘Processing’) Agreement (DPA) that lists the agency as a ‘service provider’ under California law is not sufficient by itself. The agency must have written instructions to procure the specific third-party data to be utilized, must not be ‘white labeling’ the data services, or enabling the third-party data/models to be used across clients (i.e. no ‘proprietary models/lists/audiences’). These are very important operational and commercial controls that agencies should be very mindful of when engaging with advertisers or marketers in data-related services. 

4. Data-enabling SaaS and related services 

Along the same lines as with agencies, my public comments to CalPrivacy also requested an exemption for software-as-a-service (SaaS) platforms and related services that enable businesses to procure and utilize third-party data through their software/systems. As no exemption was made, the following examples of software platforms are likely implicated as data brokers, unless they follow the commercial and operational controls I mentioned above: 1) website personalization services that utilize third-party data to help the business modify the content of the website for the specifically identified visitor, including B2B website personalization services; 2) call or SMS enablement software that includes the capability to select third-party phone number data sources in addition to enabling first-party phone number data use; 3) enabling automated email or direct mail targeting based on website visitors as described above, including B2B targeting; and 4) prospect or visitor enrichment services that append demographic, firmographic, or other third-party data attributes to lead-generation activities or even customer support data enrichment services.    

Again, these risks can be mitigated through operational or commercial controls, but it is not sufficient to simply rely upon a DPA ‘service provider’ categorization.  

5. Market research providers 

The market research industry is often overlooked in the context of data sales, but should be very aware of the potential implications as many businesses in this category engage in licensing their list of market research panel participants for others to utilize, including for ‘blind surveys’ from anonymous brand sponsors, as well as licensing the individual attributes from surveys they procure as part of a survey to advertisers or data aggregators. In many cases, the market research provider may contract as a ‘service provider’ on behalf of a brand sponsoring the survey, but if the research provider is utilizing third-party data to solicit survey participants, this activity is likely deemed a ‘sale’ and subject to data broker registration if the brand sponsor does not provide specific written instructions to procure a specific survey list on their behalf. In other words, unless the market research provider has their own proprietary collected survey panel, they are at risk of being deemed a data broker.

If all of the above wasn’t enough to get your attention, CalPrivacy announced on November 19, 2025 that they have formed a ‘Data Broker Enforcement Strike Force’ which on December 3, 2025 brought its first case against an unregistered data broker, resulting in a $56,600 penalty.   

In summary, the above categories are just examples of the many types of businesses that are under-represented in the California Data Broker Registry, and need more education about the potential implications of their use of third-party data as well as potential operational or commercial controls to mitigate their compliance risk. As noted, the implications of non-compliance and CalPrivacy enforcement capabilities are significant, while the costs of Delete Act compliance are insignificant in comparison.

If you’d like to receive more data broker-related updates, direct message me or contact us through IHP’s website to sign up for our data broker email update list. 
