The California Privacy Protection Agency (known as CalPrivacy) recently published its latest enforcement strikes against two data brokers for failing to register.  

In October 2024, CalPrivacy launched an investigative sweep and since then, it has brought nine enforcement actions against business entities deemed to be data brokers for failure to register.

In November 2025, CalPrivacy launched a “strike force” dedicated to monitoring data brokers. The two most recent actions for failure to comply with the Delete Act are against Datamasters and S&P Global. In both cases, CalPrivacy entered into stipulated orders with these companies. 

With Datamasters, the agency’s five-member board approved a stipulated final order (see the Datamasters—Final Stipulated Order) that both levies a $45,000 fine for the alleged registration violation and mandates that the company stop selling all personal information about Californians, a step the agency said will “effectively remove” the company from the state’s market.

In the other action (see the S&P Global Inc.—Stipulated Final Order), S&P Global agreed to pay a $62,600 fine and to adopt procedures for registration and compliance auditing to prevent similar errors in the future.

Entities doing business in California should carefully assess whether their data practices trigger obligations under the state’s data broker registration regime, as the consequences of noncompliance can be significant. Penalties for failure to register can quickly escalate, and CalPrivacy has demonstrated an increasing willingness to use its enforcement authority in this area. Registration compliance is not merely technical, but a priority enforcement area with material business risk.