
Technology Law


Bankrupt but Not Off the Hook: CPPA Takes a $46,000 Byte Out of National Public Data

The California Privacy Protection Agency (CPPA) has launched an enforcement action against Jerico Pictures, Inc., doing business as National Public Data, a Florida-based data broker, seeking a $46,000 fine for failing to register as required under California’s Delete Act. This action marks the CPPA’s sixth enforcement case against a data broker, with the previous five cases resulting in settlements.

Background and Breach Incident
National Public Data came under scrutiny after an April 2024 data breach compromised approximately three billion records, including Social Security numbers and other personal information, affecting around 270 million individuals. Although much of the data was reportedly inaccurate, the breach ranked among the largest data incidents of 2024. Following the breach, National Public Data filed for bankruptcy protection, claiming it could not meet its financial obligations. However, the U.S. Bankruptcy Court for the Southern District of Florida dismissed the petition in November 2024, allowing creditors and regulatory bodies to proceed with legal action.

Violation of the Delete Act
The CPPA enforcement action stems from National Public Data’s failure to register with the CPPA by the January 31, 2024 deadline, as required by California’s Delete Act. This legislation mandates that data brokers register annually and pay a fee supporting the California Data Broker Registry. Companies that fail to comply face fines of $200 per day. National Public Data ultimately registered on September 18, 2024—230 days past the deadline—only after being contacted by the CPPA during its compliance investigation.

Broader Implications
The action emphasizes the CPPA’s commitment to holding data brokers accountable – a key area of regulatory focus of late. The CPPA underscored that it will continue to leverage all available tools, including litigation, to ensure compliance.

Data brokers should also begin preparing to comply with the Delete Request and Opt-Out Platform (DROP), a mechanism created under the Delete Act and launching in 2026. DROP will enable consumers to submit a single request directing all registered data brokers to delete their personal information, streamlining the process of exercising privacy rights.
