California Takes Action: Data Broker Prohibited from Reselling Health Information
Recently, the California Privacy Protection Agency (CalPrivacy) made a significant move against the marketing firm Datamasters for unlawfully selling the personal and health data of millions of individuals without proper registration as a data broker.
Under the California Delete Act, companies engaged in the buying and selling of consumer information are mandated to register their data brokerage activities annually by January 31st.
Beginning in 2026, consumers will have access to an online platform known as the Delete Request and Opt-out Platform (DROP), where they can ask all registered data brokers to remove their personal information.
One of the companies targeted by CalPrivacy was Rickenbacher Data LLC, operating as Datamasters, which was fined $45,000 for failing to register on time.
Due to ongoing serious violations, the Texas-based company has been prohibited from selling personal information of Californians.
According to the agency’s findings, Datamasters purchased and resold user information of millions of individuals with various medical conditions for targeted advertising purposes.
Furthermore, the company was found selling lists categorized by age, race, political views, grocery purchases, banking activities, and health-related transactions.
The data obtained by Datamasters included names, email addresses, physical addresses, and phone numbers, totaling hundreds of millions of records.
Of particular concern was Datamasters’ initial denial of doing business in California or handling data of Californians, only to later admit to the contrary when presented with evidence.
Despite repeated attempts to bring the company into compliance, Datamasters continued to operate as an unregistered data broker.
As part of the final order issued on December 12, Datamasters was instructed to delete all previously purchased personal information of Californians by the end of December.
If Datamasters acquires information belonging to Californians in the future, the company must delete it within 24 hours of receipt.
Datamasters is also required to implement compliance measures for the next five years and submit a report on its privacy practices after one year.
Additionally, CalPrivacy fined S&P Global Inc. $62,600 for failing to register as a data broker by the specified deadline, attributing the violation to an administrative error.
Although S&P Global promptly rectified the error and registered as a data broker, the agency emphasized the importance of timely compliance to avoid such penalties.


