
California Privacy Regulator Fines and Bans DataMasters for Unregistered Sale of Sensitive Personal Data

Updated January 13, 2026 at 03:39 AM (3 sources)

California’s Privacy Protection Agency (CalPrivacy) announced a settlement action against Texas-based Rickenbacher Data (doing business as DataMasters), fining the company and banning it from selling Californians’ personal information as part of a broader enforcement crackdown on data brokers. The action was brought by the agency’s enforcement division and its Data Broker Enforcement Strike Force, following CalPrivacy’s stated intent to increase investigations into data broker privacy violations.

Regulators said DataMasters traded in data tied to sensitive health conditions—including lists associated with Alzheimer’s disease, drug addiction, and bladder incontinence—and also bought and sold lists segmented by demographics and inferred attributes such as “Seniors,” “Hispanic,” political affiliation, grocery purchases, banking activity, and health-related purchases for targeted advertising. CalPrivacy stated the company conducted these activities in 2024 without registering with the California Data Broker Registry, a requirement under California’s data broker rules.

Sources

January 12, 2026 at 12:00 AM
January 12, 2026 at 12:00 AM

Related Stories

Regulatory scrutiny of consumer data collection and opt-out compliance

A U.S. congressional investigation by the Joint Economic Committee’s Democratic minority estimated that identity theft tied to breaches at **four major data brokers** has cost American consumers roughly **$20 billion**, and highlighted how some brokers obscured legally required “opt-out” pages (including use of `no-index` tactics that made deletion/opt-out pages harder to find). The report, prompted by investigative reporting, said several large brokers subsequently engaged with congressional staff and changed practices to make it easier for consumers to control the collection and sale of their personal data. California regulators separately escalated enforcement of opt-out requirements under state privacy law, with the **California Privacy Protection Agency (CPPA)** fining **PlayOn Sports** **$1.1 million** over allegations that its *GoFan* ticketing platform used tracking technologies for targeted advertising without providing a compliant, easy-to-use opt-out mechanism. The CPPA said users—including large numbers of high school students—were effectively forced to “agree” to tracking to access paid tickets and services, and that directing users to industry opt-out programs (e.g., Network Advertising Initiative / Digital Advertising Alliance) did not satisfy California’s requirement that companies provide their **own** opt-out tool and clear disclosures.

1 week ago

Healthcare Sector Data Breaches and Regulatory Action on Health Data Privacy

Multiple healthcare organizations have reported significant data breaches involving unauthorized access to patient information. CareOregon and Health Share of Oregon notified patients of a breach where protected health information, including names, dates of birth, health plan details, and Medicaid/Medicare numbers, was accessed without authorization, raising concerns about potential insurance fraud. Canopy Health, a major New Zealand oncology provider, disclosed a cyberattack that resulted in unauthorized access to administrative systems and possible data exfiltration, with the incident being contained and legal action taken to prevent misuse of the compromised data. Additionally, a Manhattan plastic surgery practice suffered a cyberattack in which sensitive patient images and personal information were stolen and published online, with extortion attempts made directly to patients; this attack is linked to a series of similar incidents targeting plastic surgery practices. In parallel to these incidents, California authorities have taken regulatory action against DataMasters, a marketing firm found to be illegally selling health and personal data of millions of individuals without proper registration as a data broker. The company was fined and banned from selling Californians' personal information after it was discovered to have traded in sensitive data, including health conditions and demographic details, for targeted advertising. These events highlight ongoing risks to health data privacy from both cyberattacks and improper commercial data practices, as well as the increasing regulatory scrutiny and enforcement in this sector.

2 months ago

California Advances Data Privacy Whistleblower Protections and Deletion Rights

The California Privacy Protection Agency (CPPA) has approved three new draft bills aimed at strengthening data privacy protections in the state. The most notable proposal introduces anti-retaliation safeguards and financial incentives for whistleblowers who report companies violating California's privacy laws, with the goal of encouraging insiders to provide valuable information to regulators. The CPPA emphasized that such whistleblower contributions would enhance enforcement efforts, particularly in cases involving complex data processing and emerging technologies. In addition to whistleblower protections, the draft legislation seeks to expand Californians' rights to have their personal data deleted. The proposed changes would allow residents to request the removal of personal information not only collected directly by businesses but also obtained from third parties. These measures follow recent legislative successes, including a law signed by Governor Gavin Newsom that simplifies consumer opt-outs from data sharing via web browsers, further strengthening privacy rights for California residents.

4 months ago
