The California Privacy Protection Agency kicked off 2026 by announcing two new enforcement actions that show continued expansion of enforcement scope, escalating remedies, and sustained focus on health data. If not abundantly clear by now, a significant portion of CalPrivacy's energy has shifted to regulating data brokers.  

Datamasters

In the first matter, CalPrivacy alleged that Datamasters, a mailing list targeting company, failed to register as a data broker. While the core violation mirrors prior cases, the order reveals a few notable points:

1. CalPrivacy alleged that Datamasters bought and sold sensitive health information relating to rare medical conditions for targeted advertising purposes. In this way, the allegations draw clear parallels to the California Attorney General's Healthline settlement. Although California privacy law ostensibly treats all health information as equally sensitive, enforcement practice suggests regulators apply heightened scrutiny to information about certain more serious or uncommon conditions compared to more routine health data.
2. The order also describes Datamasters' initial resistance to CalPrivacy's investigation, including claims that it did not conduct business in California or sell data relating to California residents, followed by subsequent retractions of those statements. The agency’s recounting indicates that early non-cooperation may have undermined prospects for a more amicable resolution and serves as a cautionary example for brokers navigating investigations.
3. As a remedy, Datamasters was ordered to cease selling Californians' personal information. This marks the second instance in which CalPrivacy has effective barred a data broker from operating in California, following an earlier case in which a broker agreed to cease operations for three years to resolve alleged Delete Act violations. 

S&P Global, Inc.

Announced in tandem with Datamasters, CalPrivacy's settlement with S&P Global is similarly routine in its failure-to-register allegations, but is notable for the profile of the respondent. S&P Global is a publicly traded conglomerate, and its data brokerage business is just one of its several business lines. 

For businesses with diverse product lines, the key takeaway here is that the data broker classification is determined at the data level. If any segment of a business collects and sells or licenses personal information of consumers with whom it lacks a direct relationship, that segment may trigger data broker obligations, including registration and deletion. Although S&P Global attributed its failure to register to an administrative error, the underlying basis for registration illustrates how data broker rules can apply to large enterprises not traditionally viewed as brokers.

Broader Enforcement Trends

Earlier California data broker enforcement largely focused on smaller, traditional brokers and imposed relatively modest penalties. Recent actions reflect a shift. In December, a settlement with marketing firm ROR Partners clarified an expansive interpretation of data brokerage that includes providing custom audiences. The Datamasters and S&P Global matters continue this trajectory into new areas, extending into health-related data and large multinational enterprises.

CalPrivacy has dedicated substantial resources to data broker regulation, a trend likely to continue as the August 1, 2026, effective date approaches for brokers to honor deletion requests made through the Deletion Request and Opt-out Platform.