Data Brokers Under the Spotlight: Latest CPPA Enforcement Action Reflects New Era for Data Broker Compliance

State privacy enforcement targeted at data brokers continues, and the California Privacy Protection Agency (CPPA) has been at the forefront of this effort. 

The CPPA has made clear that data broker registration and transparency are top priorities, as reflected in its latest enforcement action, announced July 29, 2025, against Accurate Append, Inc., for alleged failure to register as a data broker under the California Delete Act.

As we discussed in a prior post, the Delete Act requires data brokers to pay an annual fee and register in the CPPA’s Data Broker Registry, with penalties for noncompliance of up to $200 per day plus the cost of registration and the CPPA’s investigation and enforcement costs. The action against Accurate Append is a result of the CPPA’s continued investigative sweep concerning data brokers’ Delete Act compliance announced in October 2024. 

Settlement with Accurate Append

According to the CPPA, Accurate Append failed to register by the January 31, 2024, deadline for conducting business as a data broker in 2023, and registered only after being contacted by the CPPA. The stipulated order requires Accurate Append to pay a $55,400 fine, comply with the Delete Act’s registration and disclosure requirements, and notify the CPPA if it ceases to operate as a data broker before the deadline to register.

Broader Trend: State Regulators Increase Oversight of Data Brokers

The CPPA’s sweep has resulted in actions against seven other data brokers—six settlements and a default order for the maximum available penalty (based on per-day violations) of $46,000 against National Public Data, which failed to challenge allegations that it had failed to register in violation of the Delete Act. Texas and Oregon have similarly ramped up scrutiny of data brokers. For example, in 2024, the Texas attorney general announced it had notified over 100 businesses of their alleged apparent noncompliance with the Texas Data Broker Law. And this year, the Oregon attorney general reported that it had sent “cure letters to all data brokers who had not incorporated/addressed the [state’s Consumer Privacy Act] in their public-facing privacy notices.”

What’s Next: New Delete Act Obligations on the Horizon

The Delete Act’s requirements are in the process of expanding, and data brokers should prepare for several new obligations that have recently taken effect or will soon be in place:

• By July 1, 2025: Website privacy policies must summarize the number and outcomes of key consumer privacy requests (delete, access, opt out) from the prior year, including average and median response times.
• By August 1, 2026: Brokers must use the new deletion platform at least every 45 days to process consumer deletion requests.
• By January 1, 2028: Brokers must undergo an independent third-party audit for compliance.

At its July 24, 2025, meeting, the CPPA Board voted to solicit public comment on modified draft Delete Request and Opt-Out Platform (DROP) rules, which, if adopted, would further expand obligations on data brokers, as discussed in our prior post.