CalPrivacy Fines Marketing Firm $56K for Failing to Register as Data Broker
The California Privacy Protection Agency (CalPrivacy) fined Nevada-based marketing firm ROR Partners $56,000 for its failure to register as a data broker, in violation of the state's Delete Act. The agency's Data Broker Enforcement Strike Force brought the fine. Part of the Enforcement Division, the Strike Force was announced in November (see 2511190041).
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
“A sale is a sale,” said the CalPrivacy decision, dated Nov. 26. “A business cannot bypass the CCPA’s and the Delete Act’s requirements by selling personal information as part of a larger suite of products and services it offers.”
In addition to collecting personal information, ROR “makes available consumers’ personal information" to clients, letting them create "precise audience targeting for marketing campaigns.”
Further, ROR "discloses inferences about consumers,” and “makes clear that part of its value proposition to clients is disclosing or making available personal information,” the decision said. “ROR Partners’ disclosures are sales of personal information.”
In addition to the monetary penalty, the health-marketing specialist must register as a data broker in a timely manner in future years and ensure compliance with state law by disclosing metrics about the number of California Consumer Privacy Act (CCPA) requests received, complied with and denied in its privacy policy.
“We will scrutinize any business that walks and talks like a data broker to make sure it’s registered, and we will continue to examine businesses that create inferences about consumers to profile them,” Michael Macko, the head of enforcement at CalPrivacy, said in a release.
“Consumer profiles are protected personal information under the CCPA, and you could be a data broker by trafficking in them,” he added.
In the same release, CalPrivacy Executive Director Tom Kemp reminded businesses of the annual January registration deadline for data brokers, as well as the Jan. 1, 2026, start date of the Delete Request and Opt-Out Platform (DROP) (see 2510310032 and 2511100015).