California Privacy Protection Agency Releases Enforcement Advisory Targeting Data Brokers

California Privacy Protection Agency Issues Enforcement Advisory for Data Brokers

On December 17, 2025, the California Privacy Protection Agency (CPPA) took a significant step to reinforce data protection in the state by announcing its Enforcement Advisory No. 2025-01. This advisory serves as an essential reminder for data brokers of their responsibilities under California’s Delete Act, emphasizing the registration obligations and shedding light on emerging compliance issues.

The Delete Act Overview

At its core, the Delete Act mandates that data brokers register with the CPPA annually and pay a specified fee. This fee is critical, as it funds California’s innovative Delete Request and Opt-Out Platform (DROP). Beginning January 1, 2026, DROP will empower consumers to submit a single deletion request, effectively asking all registered data brokers to erase their personal information from their databases. This makes compliance not just a regulatory requirement but a key part of maintaining consumer trust.

Key Takeaways from the Advisory

The advisory outlines several critical reminders for data brokers, ensuring clarity on compliance expectations:

1. Separate Registration of Each Data Broker Entity

   • Each data broker must independently register, even if they are subsidiaries of a parent company. Relying on an affiliated entity’s registration is not permitted. This ensures accountability at every level of the data brokerage operation.

2. Trade Names and Websites

   • It’s imperative for data brokers to accurately list all their trade names and websites during the registration process. Verification of this information is vital; brokers must ensure that provided links are functional and lead to a page detailing how consumers can exercise their privacy rights without deceptive design.
3. Penalties for Non-Compliance
   • Failure to register can result in substantial repercussions, including administrative fines of $200 per day, in addition to covering the CPPA’s costs associated with enforcement actions. This penalty underscores the seriousness of compliance.

Steps for Ensuring Compliance

In light of the advisory, data broker businesses have a roadmap to ensure they meet these obligations. Here are a few actionable steps:

• Update Trade Names and Website Links

  • Regularly check and confirm that all trade names and website links listed in your registration are updated and operational. An accurate representation is crucial.

• Entity Structure Audit

  • Conduct a thorough review to ensure that each legal entity engaged in data brokering is registered with its own DROP account. This helps maintain compliance across the board.

• Review Consumer Rights Page

  • It’s vital to ensure the webpage linked at registration not only works but also provides a clear and informative outline of how consumers can exercise their privacy rights. A transparent approach helps foster trust with consumers.
• Deadlines
  • Setting internal reminders for the annual registration deadline, which falls on January 31, is crucial for avoiding non-compliance penalties. Keeping track of this date ensures that businesses remain proactive in their regulatory responsibilities.

Additional Resources and Next Steps

For further details about California’s data broker registration requirements, the CPPA provides extensive resources. Interested parties can navigate to California Expands Data Broker Registration Requirements for a more comprehensive overview.

Additionally, insights related to California’s Delete Request and Opt-Out Platform can be explored at California’s New Delete Request Tool Impacts Data Brokers and Residents, which elucidates how businesses and consumers alike will be affected by these regulatory changes.

With California taking proactive steps to strengthen consumer privacy, data brokers must ensure they are informed, prepared, and compliant to navigate this evolving landscape successfully.