
The enforcement signals stricter oversight of health data resale, compelling brokers to prioritize registration and rapid deletion, which reshapes privacy compliance across the U.S. market.
California’s privacy landscape is evolving rapidly, driven by the California Delete Act that mandates annual registration for any entity buying or selling consumer data. The law creates a centralized opt‑out platform, DROP, slated for 2026, giving residents a single point of contact to request data removal. By tightening registration deadlines and imposing steep fines, the state aims to curb opaque data‑brokerage practices that have long evaded consumer scrutiny, positioning California as a national benchmark for data‑privacy enforcement.
The Datamasters case illustrates the agency’s willingness to pursue aggressive penalties when firms ignore these obligations. By reselling detailed health records—including conditions like Alzheimer’s and drug addiction—Datamasters leveraged sensitive information for targeted advertising, violating both ethical norms and legal requirements. The $45,000 fine, combined with a ban on selling Californian data and a mandatory purge of existing records, sends a clear message: non‑compliance will result in swift, punitive action. This enforcement not only protects millions of individuals but also forces data brokers to reassess their sourcing, vetting, and compliance frameworks.
Beyond Datamasters, the $62,600 fine against S&P Global for a registration oversight highlights that even large, well‑resourced firms are not immune. The decision underscores the importance of robust internal tracking systems to ensure timely registration and reporting. As the DROP platform becomes operational, companies will need to implement real‑time monitoring and rapid deletion protocols to avoid similar penalties. In this climate, proactive compliance—through automated registration, transparent data handling, and swift response mechanisms—will become a competitive advantage for firms navigating the increasingly stringent U.S. data‑privacy regime.