California Privacy Protection Agency takes action against two data brokers for unregistered activity
On January 8, the California Privacy Protection Agency (CalPrivacy) announced it had taken enforcement actions against two companies for failing to register as data brokers by the January 31, 2025, deadline, in violation of California’s Delete Act.
In the first case, CalPrivacy issued a $45,000 administrative fine against a company that purchased and resold sensitive personal information — including names, addresses, phone numbers, and email addresses — linked to medical conditions, age, ethnicity, and consumer behavior without properly excluding Californians’ data. The order required the company to delete all Californians’ personal information, implement compliance procedures, and retain records for five years.
In a separate decision, the agency fined a data and technology services company $62,600 for operating unregistered for 313 days due to a purported administrative error. The decision required the company to adopt written policies and procedures for timely registration and compliance auditing to prevent future violations.