Data brokers who offered brokerage services in California in 2025 must register or re-register their status with the state's data broker registry by Jan. 31, 2026.
In-scope companies that fail to do so may be liable for administrative fines or even reasonable expenses incurred by the CalPrivacy regulator in investigating and bringing an administrative action against the business.
Since October 2024, when CalPrivacy (formerly the California Privacy Protection Agency) first launched a data broker investigative sweep, and later a Data Broker Enforcement Strike Force, it has brought at least nine enforcement actions against in-scope businesses that failed to register as data brokers. In one decision announced this month, in addition to a $45,000 fine, CalPrivacy mandated that the data broker stop selling all personal information about Californians, effectively removing the company from the state's brokerage market.
This year, as a result of new regulations to the Delete Act — California's broker law — new definitions that broaden the scope of what constitutes a "data broker" have taken effect. Those definitions include potential impacts on providers of third-party tracking technologies and licensors/sellers of compiled consumer profiles and audience segments. The Delete Act also created a new portal, available to consumers, to request deletion of their personal information from brokers en masse.
What Kind of Businesses Fall Within Scope of the State's 'Data Broker' Definition?
California considers "data brokers" to be businesses subject to the California Consumer Privacy Act ("CCPA") that knowingly collected and sold to third parties the personal information of California consumers with whom the business did not have a "direct relationship" in 2025.
Clarified Definition of "Direct Relationship"
New regulations to the Delete Act approved in November 2025 clarify that the term "direct relationship" applies when a consumer has intentionally interacted with a business for the purpose of accessing, purchasing, using, requesting or obtaining information about the business's products or services. Further, the regulations hold that:
a business does not have a "direct relationship" with a consumer simply because it collects personal information directly from the consumer; the consumer must intend to interact with the business. A business is still a data broker and does not have a direct relationship with a consumer as to personal information it sells about the consumer that it collected outside of a "first party" interaction with the consumer. (emphasis added)
In other words, even a business that does directly collect personal information from a consumer (e.g., as part of an email newsletter sign-up) may still be considered a data broker if it sells any other personal information that it did not directly collect from the consumer to third parties. As such, having a "direct relationship" vis-à-vis some personal information does not negate the "data broker" status that attaches to a business selling personal information collected outside of the direct relationship with that consumer.
Possible Applicability to Tracking Pixel and Third-Party Cookie Providers
A comment within CalPrivacy's Initial Statement of Reasons regarding the new regulations' "direct relationship" definition and its "intend[s] to interact with the business" language may provide clarification for providers of third-party tracking technologies as to their potential status as "data brokers" under the law if they, in turn, "sell" the personal information made available to them via an unaffiliated website (or, it stands to reason, potentially mobile application software development kits) to third parties:
For example, websites may host non-first party cookies or pixels on their webpage. While the consumer browses goods on that first party website, a third party may collect personal information directly from the consumer. This cannot be treated as an intentional interaction with that third party because the consumer is not intending to interact with that third party. This definition is necessary to ensure that businesses cannot rely on these unintentional interactions to avoid complying with consumer rights bestowed by the Delete Act.
Increased Scrutiny on Selling of Consumer Profiles and Inferences for Targeted Advertising
The tracking technology clarification aligns with
CalPrivacy's enforcement trend of interpreting the data broker
law and "selling" more expansively.
As one example, in December 2025, the regulator reached a settlement with an unregistered marketing firm
that created detailed consumer profiles and custom audience lists
— comprising billions of consumers' demographic,
economic, and behavioral data points, and inferences derived from
the same — which the firm sold as datasets to its clients for
targeted advertising purposes. That decision clarified that
advertising and marketing firms may operate as data brokers if they
obtain and sell Californians' personal information, regardless
of whether the firms bundle the personal information as part of a
larger suite of products and services they offer.
Data Brokers Will Be Required to DROP What They Are Doing and Delete Personal Information
The state implementing and hosting a first-of-its-kind Delete Request and Opt-Out Platform ("DROP") marks one new feature of California's data broker regime, taking effect this year.
- One Deletion Request Applicable to All Registered Brokers — Through the DROP, a California consumer (or an authorized agent on their behalf) may submit a single request to direct every registered data broker holding personal information about the consumer — and, by extension, the broker's service providers and contractors pursuant to Delete Act Regulation § 7613(d)'s onward notification requirement — to delete such personal information, including inferences a broker has made about the consumer, unless a statutory exemption applies or the broker cannot verify the consumer. Consumers have access to DROP at no charge.
- Brokers Must Access and Utilize DROP by the Summer — Starting on Aug. 1, 2026, the state will require all registered data brokers doing business in California to process consumer DROP requests every 45 days (with some delay allowed for restoring archived or backup systems to an active state) and report via DROP the status of each request to CalPrivacy (i.e., "record deleted," "record opted out of sale," "record exempted," or "record not found").
- If the Consumer Requesting Deletion Is Not Verified, Brokers Must Treat It as an Opt-Out of Sale/Share Request — To the extent a data broker cannot verify a consumer's deletion request — for example because the broker has matched multiple consumers to an identifier, such as a changed phone number — the data broker must instead process the request the same as a California Consumer Privacy Act ("CCPA") opt-out of sale or sharing request for the personal information associated with each matched consumer.
- The Meaning of "Delete" — In this context, "delete" means permanently and completely erasing the personal information from existing systems, including archived or backup systems (after a reasonable restoration delay), "deidentifying" the personal information, or "aggregating" consumer information, as the CCPA defines those terms.
- Fines Per Day, Per Consumer Request — Data brokers that fail to honor DROP deletion requests may be liable for an administrative fine of $200 for each deletion request for each day the broker fails to delete information. This is separate from the $200-per-day administrative fine for failure to register as a data broker.
How to Register as a Data Broker in California
In order to register as a broker in California, businesses must create an account in the DROP system, complete a registration form requesting contact information, and pay the annual fee of $6,000 (plus a 3% third-party processing fee for electronic payments). The fee is non-refundable and may not be prorated.
- Broker Disclosures at Registration — The registration requires the broker to disclose the types of "personal information," and any "sensitive personal information" it collects, according to the definitions for those terms from the CCPA. CalPrivacy has published a guide for consumers and businesses that clarifies what these terms encompass. Registrants must also indicate whether they collect personal information of minors, precise geolocation, and/or consumers' reproductive health data.
- Separate Registrations Required for Qualifying Affiliated Data Brokers — CalPrivacy has also clarified via its Enforcement Advisory No. 2025-01 that if an entity qualifies as a "business" under the CCPA — regardless of its status as a parent company, affiliate, or subsidiary of another business — it must separately register as a broker and create a DROP account if it independently meets the "data broker" definition. Brokers must also list within their registration trade names, assumed names, and any websites through which they offer or provide data broker services.
Takeaways
Given these new requirements and the potential consequences for non-compliance, companies subject to the CCPA that sell personal information to third parties for monetary or other valuable consideration should carefully consider whether they obtained any such information outside of a direct relationship with a California consumer.
Moreover, even businesses that historically did not consider themselves within the scope of California's data broker law should consider the definitions and may wish to examine their business practices to assess the likelihood of whether their business practice could trigger the "data broker" definition.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
