California blocks data broker from selling health information

The California Privacy Protection Agency banned Datamasters from selling personal information of Californians and imposed a $45,000 fine after the Texas-based marketing firm operated as an unregistered data broker while trafficking in the health and personal data of millions.

 

What happened

The California Privacy Protection Agency took enforcement action against Rickenbacher Data LLC, operating as Datamasters, for violating the California Delete Act. The Texas-based company bought and resold user information of millions of people suffering from various medical conditions, including Alzheimer's disease, drug addiction, and bladder incontinence, for targeted advertising purposes. Datamasters also sold lists based on age and perceived race, offering "Senior Lists" and "Hispanic Lists," as well as lists based on political views, grocery store purchases, banking activity, and health-related purchases. The collected data consisted of hundreds of millions of records including names, email addresses, physical addresses, and phone numbers. CalPrivacy imposed a $45,000 fine and permanently blocked the company from selling personal information belonging to Californians.

 

The backstory

Under the California Delete Act, businesses that buy and sell information about consumers must register their data brokerage activity by January 31st of the year following that activity. Starting in 2026, the regulation gives consumers access to an online platform called the Delete Request and Opt-out Platform (DROP), where they can submit a single request to all registered data brokers to remove their personal information. The law emerged from growing concerns about the scale of personal data collection. According to Tom Kemp, head of the California Privacy Protection Agency, without the centralized platform consumers would need to spend hundreds of hours making individual deletion requests to each data broker. Beginning in August 2026, non-compliance with the deletion requirements carries penalties of $200 per incident.

 

Going deeper

Several factors stood out in Datamasters' conduct during the investigation:

  • The company initially claimed it did not do business in California or manage data of Californians
  • When confronted with evidence, Datamasters admitted the opposite and alleged it was manually screening the data
  • Despite multiple attempts to force compliance, the firm reportedly resisted while continuing to operate as an unregistered data broker
  • The company failed to register by the January 31st deadline required under the California Delete Act

The enforcement action resulted in specific remedial requirements:

  • Datamasters must delete all previously purchased Californians' personal information by the end of December
  • If the company receives information belonging to Californians as part of larger data sets in the future, it must delete that data within 24 hours
  • The company must maintain compliance measures for the next five years
  • Datamasters must submit a report of its privacy practices one year later

The case illustrates the data broker business model that Kemp has warned against. Data brokers collect and sell personal information at massive scale without direct consumer relationships.

In a separate action, CalPrivacy applied a $62,600 fine to S&P Global Inc. for failing to register as a data broker by the January 31st, 2025 deadline. This violation was attributed to an administrative error, and S&P Global was unregistered for 313 days.

 

What was said

According to CalPrivacy's statement, "In addition, Datamasters bought and resold lists of people based on age and perceived race, offering 'Senior Lists' and 'Hispanic Lists,' as well as lists based on political views, grocery store purchases, banking activity, and health-related purchases."

Tom Kemp explained the scale of potential penalties under the Delete Act in a recent interview, "If you are a data broker and you don't start deleting from August 2026, it is $200 per incident. If it turns out that they have a very vast database of California consumers, and those California consumers register [to have data brokers delete their information], the fines can be, say that there's a million people that have registered … you do a million times 200 and the number is very large, and that's where things really kick in."

On the dangers of combined data, Kemp noted that, "You could take a public record and then you could take additional information and then combine it. One example of additional information is, say that there's a data breach that occurs, for example, the Sutter Health breach here in California also revealed medical conditions associated with [individuals]. You can combine the public records with the hacked information and not only can you tell that this individual lives at this address and this is the phone number of their mom, but you can also know through the hacked information what medical conditions that the consumer has."

 

In the know

Data brokers operate by collecting and selling personal information about consumers without having direct relationships with those individuals. Unlike traditional businesses that interact with customers, data brokers aggregate information from multiple sources including public records, data breaches, and other third parties. They create profiles that can include everything from contact information and shopping habits to medical conditions and political views. The Delete Act gives consumers a centralized method to control this information system. Without such regulation, individuals would need to identify and contact hundreds or thousands of data brokers individually to request removal of their personal data, a practically impossible task for most people.

 

Why it matters

This enforcement action represents one of the first significant uses of California's Delete Act powers to protect health information specifically. The case shows that state privacy agencies will pursue data brokers who traffic in sensitive medical conditions for advertising purposes, especially when those brokers deliberately evade registration requirements. The permanent ban on selling Californian data goes beyond typical monetary penalties, setting a precedent for consequences when companies resist compliance efforts.

The Datamasters case also shows the broader danger of combining data sources. When data brokers merge public records with information from breaches like the Sutter Health incident that exposed medical conditions, they create detailed lists that enable targeting and potential exploitation. This is concerning for vulnerable populations. As Kemp noted, fraudsters can use these combined records to contact elderly individuals with personalized scams, claiming to call on behalf of specific relatives whose information appears in the same data package.

 

The bottom line

Data brokers handling health information must register under state privacy laws or face permanent market exclusion, not just fines. The August 2026 enforcement deadline for deletion requirements creates urgent compliance timelines, with penalties that scale based on database size. Companies purchasing marketing lists should verify their vendors' registration status to avoid acquiring data from banned brokers. Healthcare organizations should monitor whether their breach data is being combined with other sources by data brokers for targeted marketing.

 

FAQs

Are consumers notified if their data was sold by Datamasters?

The enforcement order does not require individual notification, leaving many affected consumers unaware their data was traded.

 

How does the Delete Act differ from the original California Consumer Privacy Act (CCPA)?

The Delete Act targets the data broker system directly by creating a centralized deletion mechanism rather than relying on individual requests.

 

What risks exist when health data is inferred rather than directly obtained from medical providers?

Inferred health data can be inaccurate yet still harmful, leading to discrimination, profiling, or targeted fraud based on false assumptions.

 

How might this enforcement affect advertisers and marketers?

Advertisers may face reduced access to third-party audience lists and increased pressure to verify the legality of their data sources.
