The California Privacy Protection Agency has taken decisive action against Datamasters, a Texas-based marketing firm that sold sensitive health data for millions of people without registering as a data broker. The case highlights the growing enforcement of California's Delete Act and the serious consequences for companies that treat personal health information as a commodity.
The California Privacy Protection Agency (CalPrivacy) announced a decisive enforcement action this week against Rickenbacher Data LLC, operating as Datamasters, for illegally selling personal health information belonging to millions of Californians. The agency imposed a $45,000 fine and issued a permanent ban preventing the company from selling any Californian's personal data.

The Violation: Health Data as Marketing Commodity
Datamasters operated as an unregistered data broker, buying and reselling highly sensitive medical information for targeted advertising campaigns. According to CalPrivacy's final order, the company sold lists of people suffering from serious medical conditions including Alzheimer's disease, drug addiction, and bladder incontinence.
The scope of data trafficking extended beyond health information. Datamasters offered targeted lists based on:
- Age and perceived race (including 'Senior Lists' and 'Hispanic Lists')
- Political views and affiliations
- Grocery store purchase patterns
- Banking activity and financial status
- Health-related purchases
The company's database contained hundreds of millions of records, each including names, email addresses, physical addresses, and phone numbers—creating comprehensive profiles that enabled precise targeting of vulnerable populations.
California's Data Broker Registration Requirements
Under the California Delete Act, any business engaged in buying and selling consumer information must register as a data broker by January 31st each year. This registration enables consumers to use the Delete Request and Opt-out Platform (DROP), launching in 2026, which allows individuals to submit a single request to remove their personal information from all registered data brokers simultaneously.
The law represents a significant shift in data broker accountability. Previously, companies could operate in legal gray areas, claiming they didn't "technically" do business in California or arguing that data processing fell outside regulatory scope. Datamasters attempted this defense, initially claiming it didn't manage Californians' data, then shifting to argue it manually screened such data when confronted with evidence.
Enforcement Actions and Penalties
CalPrivacy's final order, signed December 12th, includes several layers of consequences:
Immediate Restrictions:
- Permanent ban on selling Californians' personal information
- Mandatory deletion of all previously purchased Californian data by end of December
- Required deletion of any future Californian data within 24 hours of receipt
Long-term Compliance:
- Five years of mandated compliance measures
- Required privacy practice reporting one year from the order
- Ongoing monitoring of data handling practices
Pattern of Resistance
What elevated this case from a simple registration violation to one drawing severe penalties was Datamasters' pattern of resistance. Despite multiple attempts by regulators to bring the company into compliance, Datamasters continued operating as an unregistered broker while actively selling sensitive health data.
This resistance strategy backfired. The company's attempts to evade regulation, combined with the sensitive nature of the data involved, resulted in both financial penalties and operational restrictions that fundamentally limit its business model.
Parallel Case: S&P Global's Administrative Error
In a related action, CalPrivacy also fined S&P Global $62,600 for failing to register as a data broker for 313 days. However, the agency characterized this as an "administrative error" rather than intentional evasion. S&P Global registered immediately upon discovering the oversight and implemented corrective actions, resulting in a penalty that reflects the violation's duration rather than malicious intent.
This contrast highlights how enforcement severity depends on both the nature of violations and the company's response to regulatory guidance.
Broader Implications for Data Broker Industry
The Datamasters case signals a new era of enforcement for the data broker industry. Companies can no longer operate in regulatory ambiguity, particularly when handling sensitive health information. The California Delete Act's registration requirement creates a transparent framework that provides:
- Consumer empowerment: Individuals gain centralized control over their data across multiple brokers
- Regulatory visibility: Authorities can identify and track all entities engaged in data brokerage
- Accountability: Non-compliance results in both financial penalties and business restrictions
Practical Takeaways for Businesses
Immediate Actions:
- Verify data broker registration status with California authorities
- Audit data sources to identify any health, financial, or other sensitive information being processed
- Review data resale agreements for compliance with registration requirements
Long-term Strategy:
- Implement automated compliance monitoring for data broker regulations
- Establish clear data provenance and consent documentation
- Create rapid response protocols for regulatory inquiries
- Consider the ethical implications of reselling sensitive personal data
The Datamasters case demonstrates that California regulators will pursue aggressive enforcement against companies that treat personal health information as a commodity, particularly when those companies attempt to evade registration requirements. With the DROP platform launching in 2026, consumers will have unprecedented ability to control their personal information across the data broker ecosystem.
For more information about California's data broker registration requirements, visit the California Privacy Protection Agency website. Companies uncertain about registration obligations should consult the California Delete Act documentation and consider seeking legal guidance on compliance strategies.
