Privacy & Information Security Law Blog

On January 29, 2025, the California Privacy Protection Agency (“CPPA”) announced that it had reached a settlement with Connecticut-based data broker Key Marketing Advantage, LLC (“KMA”), resolving the fifth CPPA action against a business for its alleged failure to register as a data broker, as required under California’s Delete Act. As part of the settlement, KMA agreed to pay $55,800 for its alleged failure to register as a data broker and submit to injunctive terms, including paying the CPPA’s attorney fees and costs resulting from non-compliance with the Delete Act.

The CPPA’s settlement with KMA is part of the CCPA’s investigative sweep of data broker registration compliance under the Delete Act, which requires data brokers to register with the CPPA and pay an annual fee. The settlement fees received fund the California Data Broker Registry and the Delete Request and Opt-Out Platform (“DROP”) (i.e., the accessible deletion mechanism provided for by the Delete Act that will be available to California consumers in 2026 to direct all data brokers to delete their personal information in a single request). 

Since 2024, the CPPA has had responsibility for maintaining the Data Broker Registry under the Delete Act. Businesses that operated as data brokers in 2024 have until January 31, 2025 to register with the CPPA or face fines of $200 per day.

Notably, the CPPA adopted new data broker regulations under the Delete Act in November 2024 that amended existing data broker regulations. These new regulations were approved in December 2024 and are now effective. In particular, the data broker registration fee regulations change the annual registration fee from $400 to $6,600, and the data broker registration regulations define relevant terms, guidance on procedures for registration changes and requirements for data brokers to disclose specific information about their exempt data collection practices, among other requirements. Notably, the data broker registration regulations specify that a business is “still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer,” substantially broadening the definition of data broker.