The New Frontier of California Privacy Enforcement: A Tougher Era for Data Brokers
March 11, 2025
Last week, the Board of the Enforcement Division of the California Privacy Protection Agency (Agency) approved a settlement with California-based data broker Background Alert, Inc., requiring Background Alert to cease its operations for three (3) years. This is the sixth settlement by the Agency as part of its public investigative sweep of data broker registration compliance under the Delete Act. Among other topics on the agenda for the Agency Board’s upcoming board meeting is the development of the Data Broker Request and Opt-Out Platform (DROP) and the draft regulations related to the DROP and the Delete Act.
The Delete Act’s Requirements
The Delete Act, which incorporates the definitions set out in the California Consumer Privacy Act, as amended (CCPA), requires data brokers to register with the Agency by January 31 of the year following the calendar year in which they met the definition of a data broker, and to compile and disclose specified information to the Agency. Failure to register on time results in fines of $200 per day. The annual registration fee funds the development of the DROP system, which is under development by the Agency and will be available to consumers in 2026. The DROP will enable a consumer, through a single verifiable request, to request that every data broker that maintains personal information (including inferences) about that individual delete such information that is held by the data broker or associated service provider or contractor.
Background Alert’s Violation
Background Alert operated an online people search website that allowed people to search for individuals using their first name, last name, and state. The company would deliver search results based on public records (e.g., birth records, marriage/divorce records, records of professional licenses, etc.), and it would include information about people possibly associated with the searched-for person, thereby creating inferences and profiles about individuals. To deliver these results, Background Alert would infer relationships based on publicly available information, such as ZIP code and professional or employment-related information. Although the data sources used to generate the reports were in the public domain, the Agency determined that the inferences made about individuals fall squarely within the definition of personal information under the CCPA. Significantly, the Agency stated in the stipulated order that “[i]nferences present special risks to privacy … [c]onsumers can be identified, re-identified, and profiled as a result [of inferred data].”
The Agency found that Background Alert conducted business as a data broker during the 2023 calendar year, which then required the company to register as a data broker by January 31, 2024. Although Background Alert registered as a data broker on October 8, 2024, after the Agency launched an investigation, the company’s registration was 250 days past the deadline.
Expanded Scope of a “Data Broker” Under the Delete Act’s Currently Proposed Regulations
Although the Agency has recently been investigating businesses that operate as data brokers based on the existing definition in the Delete Act, its proposed revisions to the draft regulations would expand the scope of businesses considered data brokers. Specifically, the proposed regulations define a “direct relationship” as a relationship where the “consumer has intentionally interacted with a business for the purpose of accessing, purchasing, using, requesting, or obtaining information about the business’s products or services.” The draft regulations further specify that a business is still a data broker and does not have a direct relationship with the consumer “simply because it collects personal information from the consumer.” Therefore, personal information collected in a first-party context is no longer sufficient on its own to establish a direct relationship with a consumer; a “consumer must intend to interact with the business.”
Looking Ahead
The Agency will provide updates coming out of its board meeting that occurred on March 6 and 7, 2025. Information about how to access previous recordings and motions from meetings can be found here. Other states, including Texas and Oregon, have data broker laws, and it is possible they may also enter the new frontier of data broker enforcement along with California. Businesses that are either currently data brokers or exploring entering the market should assess their various obligations under these laws, including proposed laws that are currently in the legislative pipeline.
Ryan Sulkin is Team Lead of Benesch’s Data Privacy & Cybersecurity Practice Group. He can be reached at 312.624.6398 or rsulkin@beneschlaw.com.
Adriana Beach is Of Counsel in Benesch’s Data Privacy & Cybersecurity Practice Group. She can be reached at 628.295.2016 or abeach@beneschlaw.com.