Privacy & Information Security Law Blog

As part of the California Privacy Protection Agency’s (“CPPA”) investigative sweep of data broker registration compliance under California’s Delete Act, the CPPA recently announced an enforcement action against a Florida-based data broker and a settlement with a California-based data broker for failure to register as a data broker on the California Data Broker Registry (the “Registry”), as required under the Delete Act.

On February 20, 2025, the CPPA announced that it brought an enforcement action against Jerico Pictures, Inc., a Florida-based data broker doing business under the name National Public Data. The CPPA is seeking a $46,000 fine against the company for its failure to timely register as a data broker on the Registry. The CPPA has alleged that National Public Data registered as a data broker on September 18, 2024, which is 230 days after the January 31, 2024 registration deadline for data brokers that operated in 2023. The CPPA also asserted that National Public Data only registered on the Registry after the CPPA’s Enforcement Division contacted the company during an investigation. National Public Data experienced a data breach in 2024 which resulted in the 2.9 billion records being exposed, including names and Social Security numbers.

On February 27, 2025, the CPPA reached a settlement with Background Alert, Inc. (“Background Alert”), a California-based data broker for its failure to timely register on the 2025 Registry. The CPPA alleged that Background Alert created and sold profiles about individuals through the website, backgroundalert.com. In particular, the CPPA alleged that Background Alert collected billions of public records, drew inferences from those records to identify individuals who may be associated with other individuals and identified patterns to create profiles about consumers. Per the settlement, Background Alert is required to shut down its operations through 2028 or face a $50,000 fine.

As we previously reported, the CPPA adopted new data broker regulations under the Delete Act in November 2024 that amended existing data broker regulations.