California Privacy Agency Launches Data Broker Strike Force Amid Delete Act Crackdown
What You Need to Know
- The CPPA is establishing a dedicated Data Broker Enforcement Strike Force
- Failure to comply with the California Delete Act can result in substantial liability
- Take steps now to comply with the Delete Act if you are a data broker
Client Alert | 6 min read | 01.06.26
California Regulator Escalates Data Broker Oversight
The California Privacy Protection Agency (“CPPA”) is intensifying its oversight of data brokers with a new dedicated Data Broker Enforcement Strike Force within its Enforcement Division. The strike force will monitor and investigate data brokers’ compliance with their legal obligations under California’s Delete Act and the California Consumer Privacy Act (“CCPA”).
The move follows a 2024 investigative sweep that led to multiple enforcement actions, including settlements with data brokers that failed to register and pay annual fees and an order forcing a California data broker to shut down operations for three years.
Delete Act Powers Enforcement Initiative
This crackdown is enabled by Senate Bill 362 (the “Delete Act”), which took effect in 2024 and gave the CPPA new powers to regulate and penalize data brokers. The Delete Act shifted responsibility for the state’s data broker registry from the Attorney General to the CPPA and placed new requirements on data brokers.
A business meeting the law’s definition of “data broker”—essentially any business collecting and selling personal data about consumers with whom it has no direct relationship—must submit a registration form each year and pay an annual registration fee (set at $6,000 for 2026). Data brokers who miss the deadline face fines of $200 per day, and the CPPA’s enforcement division has made clear it will pursue those penalties against companies “skirting the law” to ensure a level playing field.
Understanding the Delete Act
Enacted in October 2023, the Delete Act regulates the personal data trade. In addition to the annual registration and fee, the law imposes new transparency and consumer rights obligations on data brokers to:
- Publicly report how many consumer data deletion requests they received and how quickly they responded
- Disclose if they handle sensitive categories of data (minors’ information, reproductive health data, or precise geolocation)
- Provide a prominent link on their websites informing consumers of their privacy rights under the California Consumer Privacy Act
The annual registration fee will fund the California Data Broker Registry and the development of a centralized data deletion request mechanism (the Delete Request and Opt-out Platform or “DROP”), which will launch in 2026. DROP will allow consumers to direct every registered data broker to delete their personal information with a single request.
CCPA Requirements and the Delete Act
Businesses that do not fall under the CCPA may still need to comply with the Delete Act. Unlike the CCPA’s definition of a covered entity, the Delete Act’s definition of “data broker” does not have a threshold business size. In other words, businesses that meet the definition of “data broker” will still need to comply with the requirements in the Delete Act, even if they would not otherwise fall under the CCPA because their revenue is less than $25 million, they interact with fewer than 100,000 Californians, they derive less than 50% of their annual revenue from selling California residents’ personal information, or they meet another exception.
Note that this means smaller data brokers that are not obligated to comply with the CCPA must nevertheless comply with Delete Act requirements.
Moreover, businesses that implement “Do Not Sell My Data” notices as part of their efforts to comply with the CCPA may still be data brokers if they sell the data of consumers who do not opt out. To determine if the Delete Act applies, these businesses should assess whether they have a “direct relationship” with the consumer. Delete Act regulations that went into effect on January 1, 2026, define a direct relationship as a relationship where the “consumer has intentionally interacted with a business for the purpose of accessing, purchasing, using, requesting, or obtaining information about the business’s products or services.”
Data Brokers: A Prime Target for Privacy Regulators
Data brokers have quickly become a prime target for privacy regulators due to the sheer scale and potential sensitivity of the data they collect and sell. The CPPA’s Executive Director has warned that the “immense volume of personal information sold by data brokers can pose a significant threat to Californians’ privacy.” Part of the concern arises because these companies can compile detailed profiles on individuals—potentially without those individuals’ knowledge. The CPPA’s enforcement chief has stated that Californians “have a right to know who is trafficking in their personal information.”
Federal authorities have likewise sounded alarms: the U.S. Federal Trade Commission recently highlighted how brokers selling sensitive location and profile data without consent could enable stalking, blackmail, or illicit surveillance.
Consequences of Delete Act Violations
The CPPA’s early enforcement of the Delete Act makes clear that non-compliant data brokers face serious consequences, including mounting fines for failing to register on time.
For example, one Florida-based data broker that registered 230 days late was hit with a proposed $46,000 fine (230 days × $200). In 2024 the CPPA reached settlements with data brokers Growbots, Inc. and UpLead LLC, which agreed to pay roughly $35,000 each in penalties after allegedly failing to register by the 2024 deadline. And in February 2025 the CPPA settled with Background Alert, Inc. for failing to register and pay fees, requiring the company to shut down operations through 2028 or incur a $50,000 fine. Data brokers and other businesses that disregard California's privacy laws risk substantial fines, legal orders impacting operations, and reputational damage.
Recommended Compliance Steps
To mitigate the risk of non-compliance and penalties, companies that are in business lines that may implicate Californian consumers’ data should consider the following steps:
- Assess “Data Broker” Status: Evaluate whether your organization meets California’s definition of a “data broker”—a business that knowingly collects and sells personal information about consumers with whom it has no direct relationship. If you might be perceived as meeting this definition, err on the side of caution and prepare to comply, or contact an advisor to prepare a fuller assessment of your status and develop a strategy to explain to stakeholders what you do not do.
- Register and Pay the Annual Fee: Data brokers must register annually with the CPPA by January 31 and pay the annual fee (currently $6,000). Failure to register on time incurs a $200-per-day fine, so prompt compliance is essential.
- Implement Deletion Request Processes: Establish systems to receive and honor consumer deletion requests. In 2026, integrate the CPPA’s new Delete Request and Opt-Out Platform to allow consumers to send a single delete request to all data brokers.
- Review Data Handling and Disclosures: Audit the personal data your company collects, sells, or shares. Provide all required disclosures in your privacy policy and be prepared to report on data policies and response metrics for consumer requests. Review security measures to protect personal data, as breaches attract regulatory attention.
- Monitor Ongoing Compliance: Stay current on CPPA guidance. The strike force and recent regulations signal that data broker compliance will remain a priority enforcement area. Conduct periodic privacy compliance reviews and promptly remediate any gaps, as regulators are actively looking for non-compliance.
By taking these steps, businesses that trade in personal data can better position themselves to comply with California’s Delete Act and avoid becoming the next target of the CPPA’s strike force. The cost of compliance is likely to be far lower than the cost of enforcement, which comes with financial and associated reputational risk.
Crowell would like to thank Emily Welsch for her contribution to this alert.