On December 3, the California Privacy Protection Agency (CalPrivacy) announced that its board issued a decision requiring a Nevada-based marketing firm to pay $56,600 in fines and past-due fees for failing to register as a data broker in violation of California’s Delete Act. The enforcement action was part of CalPrivacy’s Data Broker Enforcement Strike Force (previously covered by InfoBytes here).

CalPrivacy alleged the firm collected and sold detailed consumer profiles and custom audience lists, derived from billions of data points, without registering in the state’s Data Broker Registry. The decision stated the firm built a repository of demographic, socioeconomic, and behavioral data on more than 262 million individuals, drew inferences about consumer behaviors, and sold targeted audience segments for advertising purposes. The agency noted that “a sale is a sale,” and that businesses cannot bypass the CCPA or Delete Act by embedding personal information in larger offerings.

As previously covered by InfoBytes, the Delete Act requires data brokers to register with CalPrivacy each year in January and pay a fee that funds the Data Broker Registry and the Delete Request and Opt-out Platform.