
California Bans Data Brokers From Selling Health Data

Summary

– The California Privacy Protection Agency fined Datamasters $45,000 and blocked it from selling Californians’ data for failing to register as a data broker as required by state law.
– Datamasters bought and resold sensitive personal data, including health conditions, age, race, and financial activity, from millions of people for targeted advertising.
– The company resisted compliance, falsely claiming it did not handle Californians’ data before admitting the opposite when presented with evidence.
– As part of the enforcement order, Datamasters must delete all previously purchased Californians’ data and maintain compliance measures for five years.
– In a separate case, the agency also fined S&P Global $62,600 for an administrative error that left it unregistered as a data broker for 313 days.

California has taken a decisive step to protect consumer privacy by banning a major data broker from selling the health and personal information of its residents. The California Privacy Protection Agency (CalPrivacy) has blocked Texas-based Rickenbacher Data LLC, operating as Datamasters, from selling any personal data belonging to Californians. This enforcement action, which includes a substantial fine, stems from the company’s failure to register as a data broker under state law and its sale of highly sensitive personal information.

State regulations, specifically the California Delete Act, mandate that any business engaged in buying and selling consumer data must formally register its brokerage activities. The deadline for this registration is January 31st of each year. Starting in 2026, this law will empower consumers through an online portal called the Delete Request and Opt-out Platform (DROP), where a single request can be submitted to all registered brokers to delete personal information. Datamasters’ failure to comply with the initial registration requirement resulted in a $45,000 penalty from CalPrivacy.

The agency’s investigation revealed particularly egregious practices. Datamasters had amassed and sold hundreds of millions of records containing names, email and physical addresses, and phone numbers. This data was used to create and market lists targeting individuals based on deeply personal criteria, including specific medical conditions like Alzheimer’s disease, drug addiction, and bladder incontinence. The firm also sold lists categorizing people by age, perceived race (such as “Hispanic Lists”), and political views, as well as by details of their grocery purchases, banking activity, and other health-related spending.

An aggravating factor in the case was the company’s contradictory stance toward regulators. Datamasters initially claimed it did not conduct business in California or handle data on Californians. However, when presented with clear evidence to the contrary, the company admitted the opposite. It later argued it was manually screening data, a claim regulators found unconvincing. Despite multiple attempts by CalPrivacy to bring the firm into compliance, Datamasters continued to operate as an unregistered data broker.

The final order, signed on December 12, imposes strict ongoing requirements. Datamasters was ordered to delete all previously purchased personal information of Californians by the end of December. Furthermore, if the company receives information about California residents in any future data sets, it must delete that data within 24 hours of acquisition. Datamasters must also maintain comprehensive compliance measures for the next five years and submit a detailed report on its privacy practices one year from the order.

In a separate but related action, CalPrivacy also fined S&P Global Inc. $62,600 for missing the data broker registration deadline for 2024. The agency noted this violation was due to an administrative error, and the company acted swiftly to register and take corrective steps once notified. However, the fine was levied because S&P Global remained unregistered for 313 days. This contrast highlights the severity with which CalPrivacy views willful and persistent non-compliance, especially when it involves the trafficking of sensitive health data.

(Source: Bleeping Computer)
