CalPrivacy Forces Data Broker Out of State Amid Concerns About Sensitive Lists
The California Privacy Protection Agency challenged a company’s claim that it didn't engage in data broker activity in the state, and then made it cease that activity through a settlement under the Delete Act, according to a decision released Thursday. In addition, CalPrivacy raised concerns about the sensitive nature of data bought and resold by Datamasters, the company in question. Datamasters' and S&P Global's failures to register as data brokers led to more than $100,000 in fines combined (see 2601080008).
The state privacy agency said its Data Broker Enforcement Strike Force reached a $45,000 settlement with Datamasters, a Texas-based reseller of personal information for targeted advertising, and a $62,600 settlement with S&P Global, the New York-based market intelligence company. The CalPrivacy board also ordered Datamasters to stop selling personal information about Californians, which effectively boots the data broker from doing business in the state.
CalPrivacy’s decision found that in 2024, Datamasters bought and resold the names, addresses, phone numbers and email addresses of millions of people with certain health conditions, including Alzheimer’s disease, drug addiction and bladder incontinence, for targeted ads. The data broker also “bought and resold lists of people based on age and perceived race, offering ‘Senior Lists’ and ‘Hispanic Lists,’” the agency said, with additional lists based on political views, banking activity, and grocery and health-related purchases.
“Reselling lists of people battling Alzheimer’s disease is a recipe for trouble,” said Michael Macko, CalPrivacy's enforcement head. “In the wrong hands, these lists could be used to target people for more than just advertising. The same risks apply to selling lists of senior citizens, people who identify as conservative or liberal, or people who purchase sensitive health products. History teaches us that certain types of lists can be dangerous.”
In a separate decision, CalPrivacy found that an administrative error led to S&P Global’s failure to register. The company must adopt registration and compliance auditing procedures so it doesn’t happen again, the agency said.
“S&P Global conducts business as a data broker by knowingly collecting and selling to third parties the personal information of consumers with whom the business does not have a direct relationship,” said the CalPrivacy decision. “S&P Global intended to register the company as a data broker for its 2024 activities and S&P Global believed that the registration had been completed,” but that was not the case.
“Upon learning of the Agency’s investigation, S&P Global investigated its registration status and discovered that the registration process had not been completed. S&P Global promptly registered as a data broker.” Even so, the company was fined $200 a day for being unregistered for 313 days, the agency said.
S&P Global has “agreed to the terms of the Order and worked closely with the [California privacy agency] on the resolution of this matter,” a company spokesperson said. Datamasters declined to comment.
The California Delete Act requires companies to register annually and pay a fee to the privacy agency if they were data brokers in the previous year. CalPrivacy’s last fine was in December against the marketing company ROR Partners (see 2512030029).
Starting later this year, the Delete Act also will require data brokers to quickly honor consumer requests to delete their data through the Delete Request and Opt-Out Platform (DROP), which some expect will lead to a large increase in the size of penalties (see 2512100040). CalPrivacy announced its data broker strike force, which is part of the Enforcement Division, in November (see 2511190041).
Datamasters Denied Being Data Broker
In the Datamasters decision, CalPrivacy said the Texas company buys and resells personal information “by accessing databases licensed by third-party suppliers, including a ‘national consumer database,’” which is advertised as including about 114 million U.S. households and more than 231 million individual names and addresses.
The company says local businesses or national brands may buy access to its database, the agency noted. Additionally, the company “offers access to additional national databases as a one-time purchase or as a ‘data feed to deliver personal information on a recurring basis for a subscription fee, consisting of hundreds of millions of records.”
“To remove any possible doubt about the company’s national portfolio, Datamasters offers emails and mailing addresses for students ‘throughout the USA’ and, as a sample of its product offerings, had posted an Excel spreadsheet to its website identifying 204,218 available records for students in California.”
Yet Datamasters denied operating as a data broker in California after the agency opened the investigation, according to the CalPrivacy decision. While the company registered shortly after being contacted, it initially told the agency that it “did ‘not do business or take orders of any kind’ in California” and doesn’t “‘sell data products for either consumers or businesses’ in California.”
“The Agency followed up, perceiving an inconsistency between these statements and those on Datamasters’ website.” When CalPrivacy showed Datamasters the company's spreadsheet of California students, the Texas firm said it had received Californians’ personal information from its supplier, “but it asserted that Datamasters rejected any requests from its customers to purchase California-specific personal information.”
The agency confirmed that to be the case at “various points between 2020 and 2025,” it said, but CalPrivacy also heard from the company’s owner that Datamasters didn’t reject requests to buy nationwide data that included Californians. The company later backtracked on that admission, the agency said.
“Although Datamasters tried to comply with California’s privacy laws through a manual screening process at various points between 2020 and 2026, the company’s efforts were imperfect,” CalPrivacy said.
The order required Datamasters to “cease and desist selling Californians’ personal information” starting Dec. 31, 2025. By the same date, the company was required to delete all previously purchased personal information of Californians.
The company’s website now includes a California Consumer Privacy Act compliance notice and a disclaimer at the bottom of every page that reads, “DATAMASTERS DOES NOT SELL TO OR PROVIDE DATA ABOUT CALIFORNIA RESIDENTS.”
The Datamasters affair is "a good reminder of the old privacy mainstay: say what you mean and mean what you say," Cobun Zweifel-Keegan, IAPP managing director for Washington, D.C., said in a LinkedIn post.