Privacy & Information Security Law Blog

On January 8, 2026, the California Privacy Protection Agency (“CPPA”) announced enforcement activity against Rickenbacher Data LLC d/b/a Datamasters (“Datamasters”) and S&P Global Inc. (“S&P Global”) for failing to register as data brokers in California. Datamasters is a Texas-based company that buys and sells personal data for targeted advertising. S&P Global is a financial and commodities analytics company headquartered in New York. 

The CPPA fined Datamasters $45,000 and S&P Global $62,600. The companies were sanctioned for failing to register with the CPPA before January 31, 2025, the registration deadline set by California’s Delete Act for entities engaged in data brokerage activities during 2024. The Delete Act requires data brokers to register with the CPPA annually and pay an administrative fee. The CPPA uses registration fees to operate its Data Broker Registry and the Delete Request and Opt-out Platform, which allows consumers to direct all data brokers to delete their personal information in a single request.

According to the CPPA’s investigation, Datamasters bought and resold personal information of millions of people suffering from various medical conditions (such as Alzheimer’s disease, drug addiction, bladder incontinence) for targeted advertising. In addition, the company bought and resold lists of individuals based on age and perceived race, as well as lists based on political views, banking activity, grocery purchases and healthcare-related purchases. The CPPA found that Datamasters' consumer database “includes over 114 million households in the USA, with over 231 million individual names and addresses available for precise targeting and segmentation.”

According to the final order, Datamasters rejected certain customer requests to purchase Californians’ personal information. The company accepted and fulfilled, however, orders for nationwide lists of consumers without screening them to remove the personal information of California residents.

In addition to the $45,000 fine, the final order obligates Datamasters to stop selling personal information about California residents.

The case against S&P Global originates from an administrative error that resulted in the company’s failure to register as a data broker. After discovering the error, the company promptly registered with the CPPA and agreed in the final order to implement procedures to ensure it remains compliant with California’s data broker regulations.