The California Privacy Protection Agency banned Datamasters from selling personal information of Californians and imposed a $45,000 fine after the Texas-based marketing firm operated as an unregistered data broker while trafficking in the health and personal data of millions.
The California Privacy Protection Agency took enforcement action against Rickenbacher Data LLC, operating as Datamasters, for violating the California Delete Act. The Texas-based company bought and resold user information of millions of people suffering from various medical conditions, including Alzheimer's disease, drug addiction, and bladder incontinence, for targeted advertising purposes. Datamasters also sold lists based on age and perceived race, offering "Senior Lists" and "Hispanic Lists," as well as lists based on political views, grocery store purchases, banking activity, and health-related purchases. The collected data consisted of hundreds of millions of records including names, email addresses, physical addresses, and phone numbers. CalPrivacy imposed a $45,000 fine and permanently blocked the company from selling personal information belonging to Californians.
Under the California Delete Act, businesses buying and selling information about consumers must register their data brokerage activity by January 31st following each year. Starting in 2026, this regulation enables consumers to access an online platform called the Delete Request and Opt-out Platform (DROP), where they can submit a single request to all registered data brokers to remove their personal information. The law emerged from growing concerns about the scale of personal data collection. According to Tom Kemp, head of the California Privacy Protection Agency, consumers would need to spend hundreds of hours making individual deletion requests to each data broker without the centralized platform. Beginning in August 2026, enforcement of deletion requirements carries penalties of $200 per incident for non-compliance.
Datamasters displayed multiple factors during the investigation:
The enforcement action resulted in specific remedial requirements:
The case shows the data broker business model that Kemp has warned against. Data brokers collect and sell personal information at massive scale without direct consumer relationships.
In a separate action, CalPrivacy applied a $62,600 fine to S&P Global Inc. for failing to register as a data broker by the January 31st, 2025 deadline. This violation was attributed to an administrative error, and S&P Global was unregistered for 313 days.
According to CalPrivacy's statement, "In addition, Datamasters bought and resold lists of people based on age and perceived race, offering 'Senior Lists' and 'Hispanic Lists,' as well as lists based on political views, grocery store purchases, banking activity, and health-related purchases."
Tom Kemp explained the scale of potential penalties under the Delete Act in a recent interview, "If you are a data broker and you don't start deleting from August 2026, it is $200 per incident. If it turns out that they have a very vast database of California consumers, and those California consumers register [to have data brokers delete their information], the fines can be, say that there's a million people that have registered … you do a million times 200 and the number is very large, and that's where things really kick in."
On the dangers of combined data, Kemp noted that, "You could take a public record and then you could take additional information and then combine it. One example of additional information is, say that there's a data breach that occurs … for example, the Sutter Health breach here in California also revealed medical conditions associated with [individuals]. … You can combine the public records with the hacked information and not only can you tell that this individual lives at this address and this is the phone number of their mom, but you can also know through the hacked information what medical conditions that the consumer has."
Data brokers operate by collecting and selling personal information about consumers without having direct relationships with those individuals. Unlike traditional businesses that interact with customers, data brokers aggregate information from multiple sources including public records, data breaches, and other third parties. They create profiles that can include everything from contact information and shopping habits to medical conditions and political views. The Delete Act gives consumers a centralized method to control this information system. Without such regulation, individuals would need to identify and contact hundreds or thousands of data brokers individually to request removal of their personal data, a practically impossible task for most people.
This enforcement action represents one of the first significant uses of California's Delete Act powers to protect health information specifically. The case shows that state privacy agencies will pursue data brokers who traffic in sensitive medical conditions for advertising purposes, especially when those brokers deliberately evade registration requirements. The permanent ban on selling Californian data goes beyond typical monetary penalties, setting a precedent for consequences when companies resist compliance efforts.
The Datamasters case also shows the broader danger of combining data sources. When data brokers merge public records with information from breaches like the Sutter Health incident that exposed medical conditions, they create detailed lists that enable targeting and potential exploitation. This is concerning for vulnerable populations. As Kemp noted, fraudsters can use these combined records to contact elderly individuals with personalized scams, claiming to call on behalf of specific relatives whose information appears in the same data package.
Data brokers handling health information must register under state privacy laws or face permanent market exclusion, not just fines. The August 2026 enforcement deadline for deletion requirements creates urgent compliance timelines, with penalties that scale based on database size. Companies purchasing marketing lists should verify their vendors' registration status to avoid acquiring data from banned brokers. Healthcare organizations should monitor whether their breach data is being combined with other sources by data brokers for targeted marketing.
The enforcement order does not require individual notification, leaving many affected consumers unaware their data was traded.
The Delete Act targets the data broker system directly by creating a centralized deletion mechanism rather than relying on individual requests.
Inferred health data can be inaccurate yet still harmful, leading to discrimination, profiling, or targeted fraud based on false assumptions.
Advertisers may face reduced access to third-party audience lists and increased pressure to verify the legality of their data sources.