California Cracks Down: Data Brokers Face Heat Over Secret Health Data Sales
Subtitle: State privacy watchdogs are shutting the door on unregulated health data trafficking, with landmark fines and sweeping bans targeting rogue brokers.
The world of shadowy data brokers just got a jolt from California regulators. In a move that signals a new era of privacy enforcement, the California Privacy Protection Agency (CalPrivacy) has slapped hefty fines and outright bans on firms covertly hawking the sensitive health data of millions. The message is clear: the Wild West days of unchecked data peddling are over, and the stakes for noncompliance have never been higher.
At the heart of the crackdown is Rickenbacher Data LLC, operating as Datamasters, whose business model involved buying and reselling vast troves of personal information - names, emails, addresses, phone numbers, and even medical diagnoses like Alzheimer’s and drug addiction. Their customer lists, sorted by age, race, political views, and even grocery habits, fueled a lucrative trade in targeted advertising. For years, Datamasters operated in the shadows, failing to register as a data broker as required by California’s Delete Act, and denying any dealings with Californians - until regulators confronted them with hard evidence.
The consequences are unprecedented. Not only must Datamasters pay a $45,000 fine, but they are also forbidden from selling any data belonging to Californians. The company has been ordered to purge all previously collected information from its databases by the end of December, and any future slip-ups - like receiving Californian data as part of larger datasets - must be rectified within 24 hours. For the next five years, Datamasters will be under strict compliance monitoring, required to submit reports detailing their privacy practices.
The regulatory net is tightening. Starting in 2026, California residents will be able to use the Delete Request and Opt-out Platform (DROP) to demand that all registered data brokers erase their personal data - no more endless opt-out forms or chasing down shadowy companies. The state’s message: transparency and accountability are no longer optional in the data economy.
Even giants aren’t immune. S&P Global, a major player in financial data, was fined $62,600 for missing the broker registration deadline by 313 days - a violation, regulators note, that was promptly corrected but not overlooked. The days of administrative errors being swept under the rug are over.
California’s bold moves are more than a warning - they’re a blueprint. As the lines between health, tech, and marketing blur, other states are watching closely. For millions of Californians, the battle to reclaim their digital privacy is just beginning. For data brokers, it’s a wake-up call: adapt or get out of the game.
WIKICROOK
- Data Broker: A data broker collects, buys, and sells personal data - often without individuals’ knowledge - to third parties for marketing, credit, or risk assessment.
- Delete Act: The Delete Act lets California residents delete personal data from all registered data brokers at once, streamlining privacy protection and data control.
- DROP (Delete Request and Opt-out Platform): DROP is California’s new portal letting consumers request deletion of their personal data from all registered data brokers with a single action.
- Targeted Advertising: Targeted advertising delivers ads to users based on their personal data or online behavior, tailoring content for greater relevance and engagement.
- Compliance Monitoring: Compliance monitoring is the continuous review of an organization’s adherence to laws, regulations, and policies, helping to prevent violations and ensure cybersecurity.