Privacy & Cybersecurity Law Blog

On December 3, 2025, the California Privacy Protection Agency (“CPPA”) announced that it fined ROR Partners LLC (“ROR Partners”), a Nevada-based marketing firm, $56,600 for failing to register as a data broker under California’s Delete Act.

The CPPA brought the case as part of its Data Broker Enforcement Strike Force, which was announced on November 19, 2025, and created to investigate privacy violations by the data broker industry. According to the order, ROR Partners created consumer profiles and custom audience lists using data points covering the demographic, socioeconomic and behavioral information of over 262 million Americans. ROR Partners used this data to draw inferences about consumers and their expected behaviors and sold custom audience segments for targeted advertising without registering as a data broker. The order clarified that, “a sale is a sale,” and that selling personal information, even as part of a larger suite of products and services, requires compliance with the CCPA and the Delete Act.

The Delete Act requires data brokers to register with the CPPA annually in January and pay a fee that funds the Data Broker Registry and the Delete Request and Opt-Out Platform (“DROP”).  DROP, launching in 2026, will allow consumers to request all registered data brokers to delete their personal data with a single request.

In the CPPA’s announcement, Michael Macko, the head of enforcement at the CPPA, said, “we will scrutinize any business that walks and talks like a data broker to make sure it’s registered, and we will continue to examine businesses that create inferences about consumers to profile them. Consumer profiles are protected personal information under the CCPA, and you could be a data broker by trafficking in them.”