In a decisive move that establishes a new benchmark for data privacy enforcement in the United States, the California Privacy Protection Agency (CPPA) has concluded its inaugural enforcement action under the state’s landmark Delete Act, targeting a Texas-based data broker for significant violations. This pioneering case against Rickenbacher Data LLC, operating under the name Datamasters, represents far more than a single penalty; it serves as a powerful declaration of California’s unwavering commitment to regulating the often-opaque data brokerage industry. By levying a substantial fine and imposing a comprehensive set of compliance mandates on an out-of-state entity, the CPPA has fired a clear warning shot, signaling that the digital borders of California’s privacy laws are defined by the location of its residents, not the physical address of the companies that process their data. This action sets a crucial legal precedent, illuminating the state’s expectations for transparency, accountability, and the non-negotiable requirement for data brokers to register their activities, thereby fundamentally altering the regulatory landscape for any business engaged in the commercial trade of personal information.
The Anatomy of a Data Broker Violation
Profiling the Offender
The enforcement action centered on Rickenbacher Data LLC, a limited liability company with its principal operations based in Flower Mound, Texas, but conducting business commercially as Datamasters. The company was officially identified by the CPPA as a “data broker” under the specific legal definition provided by California law, which encompasses any business that knowingly collects and sells the personal information of consumers with whom it lacks a direct relationship. The case was resolved through a stipulated final order, a legal agreement in which the company’s owner, David Rickenbacher, formally admitted that Datamasters had indeed operated as a data broker throughout the 2024 calendar year. This admission was a critical component of the resolution pursued by the CPPA’s Enforcement Division, which was ultimately adopted by the agency’s board, chaired by Jennifer M. Urban. The formal classification of Datamasters as a data broker was the foundational element upon which the entire enforcement action was built, confirming the company’s obligations under state law despite its out-of-state headquarters.
The core violation committed by Datamasters was its unambiguous failure to comply with the registration requirements mandated by California’s Delete Act, as codified in Civil Code section 1798.99.82. This statute requires all businesses meeting the data broker definition to register annually with the CPPA during the month of January and to pay the associated registration fees. This registration process is not a mere formality; it is the cornerstone of the state’s regulatory framework, designed to create a transparent, public registry of all entities trading in the personal data of Californians. This registry empowers both consumers and regulators to identify and scrutinize the activities of these companies. Despite its active operations throughout 2024, Datamasters neglected this fundamental duty, failing to register by the statutory deadline of January 31, 2025. The company remained in a state of continuous violation from February 1, 2025, until it finally submitted its registration on September 13, 2025, a move made only after the CPPA’s Enforcement Division had already commenced its investigation into the company’s non-compliance.
The Scope of Data Collection
The investigation conducted by the CPPA unearthed the vast and highly sensitive nature of the personal information that Datamasters collected, compiled, and sold as its primary business activity. The company’s entire commercial model was built upon acquiring enormous databases from various third-party suppliers and then reselling this information, often meticulously segmented into highly specific and potentially vulnerable consumer categories. According to the company’s own marketing materials, Datamasters boasted access to a massive “national consumer database” that contained detailed information on over 114 million households and 231 million individuals. This vast repository of data was explicitly offered to clients for the purposes of “precise targeting and segmentation,” enabling marketers to direct their efforts toward narrowly defined groups of people. The sheer volume of data underscores the scale at which the company operated, positioning it as a significant player in the commercial data trade and making its failure to register in California a particularly egregious oversight in the eyes of regulators.
What proved most alarming to investigators was the company’s specialization in lists categorized by extremely sensitive health conditions. The stipulated final order provided concrete figures that painted a chilling picture of these operations, revealing that Datamasters maintained and actively sold databases containing the home addresses, telephone numbers, and email addresses of specific populations. These lists included 435,245 individuals identified as having Alzheimer’s disease, 133,142 people classified under various addiction categories such as drug addiction and tobacco use, and 857,449 consumers with bladder control issues or incontinence, with additional lists available for conditions like acid reflux. Beyond health data, Datamasters also curated lists based on demographic, ethnic, and financial vulnerability profiles. These included “Hispanic Lists” containing over 20 million individuals, “Senior Lists” targeting elderly citizens, and “Mortgage Lists” identifying homeowners with high-interest loans, a group potentially facing financial distress. The company’s reach into California was explicitly demonstrated by a publicly posted spreadsheet identifying 204,218 available records for students located within the state, leaving no doubt about its operations impacting California residents.
A Botched Cover-Up and a Firm Response
The Investigation Unfolds
The CPPA’s Enforcement Division initiated its investigation upon discovering that Datamasters was actively marketing itself as a data broker yet had failed to appear on the state’s official registry. The company’s initial reaction to the agency’s inquiry was a categorical denial of any business activity related to the state. In its first formal response, Datamasters asserted unequivocally that it did “not do business or take orders of any kind” in California and maintained that it “does not do business in California with any entity.” This firm denial, however, was directly and irrefutably contradicted by evidence found on the company’s own public-facing website. The agency’s investigators presented Datamasters with the publicly available Excel spreadsheet that detailed its inventory of 204,218 California student records. Faced with this undeniable proof of its engagement with Californian data, the company’s narrative began to unravel, forcing it to abandon its initial position and construct a new, more nuanced explanation for its activities.
As the company’s initial denial collapsed under the weight of evidence, its story began to shift. Datamasters conceded that it did, in fact, receive personal information about California residents from its third-party data suppliers. However, it attempted to mitigate this admission by claiming it maintained an internal policy of rejecting any customer requests specifically for California-based data, citing the state’s stringent privacy laws as the reason. The agency’s investigators pressed further, astutely inquiring whether this supposed policy of rejection also applied to nationwide data requests, which would inevitably contain the personal information of a significant number of California residents. At this point, the company’s owner conceded that Datamasters had indeed accepted and fulfilled numerous orders for nationwide consumer lists without implementing any screening process to filter out or remove Californians’ data. This admission was the critical breakthrough, confirming that the company was actively collecting and selling the personal information of California residents through its broader geographic sales, rendering its earlier denials patently false. A few days after this concession, Datamasters retained legal counsel and made a final, desperate attempt to retract its prior statements, claiming its earlier explanations were “incomplete and inaccurate” and that it actually “screens all lists sold” to ensure no California personal information was included. Simultaneously, the company scrambled to align its public presence with this revised narrative, hastily removing the spreadsheet referencing California students and adding new disclaimers to its website.
The Hammer Falls Penalties and Mandates
The comprehensive investigation culminated in a stipulated final order, which was formally adopted by the CPPA board on December 30, 2025. This order imposed a series of robust monetary penalties and, more importantly, forward-looking compliance mandates designed to fundamentally alter the company’s business practices. Datamasters was ordered to pay a $45,000 administrative fine for its violation. Under the Delete Act, the authorized penalty for failing to register is $200 for each day of non-compliance. Given that the company’s period of violation spanned 224 days, from February 1, 2025, to September 13, 2025, the maximum statutory penalty would have been $44,800. The final $45,000 fine represented a settlement that closely approximated this statutory maximum, sending a clear message that the state intends to seek penalties that reflect the full duration of a company’s non-compliance. The monetary penalty, while significant, was only one component of the agency’s comprehensive remedial action.
The true force of the enforcement action was embedded in the prospective compliance obligations, which placed a heavy emphasis on creating systemic, verifiable changes to the company’s operations. The order mandated that Datamasters must completely cease selling all personal information of California residents by December 31, 2025, and by that same deadline, it must permanently delete all California personal information it had previously purchased or collected. Furthermore, within 30 days of the decision, the company was required to adopt and implement detailed written policies and procedures to ensure it does not collect or sell personal information belonging to Californians in the future. The order explicitly noted that the company’s previous reliance on “imperfect” manual screening processes was wholly insufficient. It also established strict data handling protocols: if Datamasters receives California personal information as part of larger data purchases, it must permanently delete that information within 24 hours. Finally, the order established long-term oversight, requiring Datamasters to maintain these written policies and detailed transaction records for five years and to submit a written summary of its privacy practices directly to the CPPA for review after one year, ensuring sustained accountability.
The Ripple Effect Setting a New Standard for Privacy
Broader Implications for the Industry
The enforcement action against Datamasters was a pivotal event, marking a significant escalation in the regulation of the data brokerage industry and sending ripples far beyond the confines of a single case. One of its most profound implications was the powerful assertion of California’s extraterritorial jurisdiction. Datamasters, a company headquartered in Texas with no physical offices, employees, or assets in California, was held fully accountable for its actions because its business directly affected California consumers. This decisively confirmed that the CPPA’s enforcement reach is determined by the location of the consumer whose data is being processed, not the location of the company processing it. This principle effectively extended the protection of California’s privacy regulations to any business worldwide that collects, sells, or otherwise processes the personal information of the state’s residents, dismantling any notion that geographic distance provides a shield from regulatory oversight. The case served as a stark reminder to the global business community that engaging with Californian data means consenting to the jurisdiction of California’s laws.
As the first-ever enforcement of the Delete Act, this case established a crucial baseline for compliance and set a high bar for the data broker industry. It made unequivocally clear that state regulators will not accept informal, ad-hoc, or undocumented compliance efforts. The era of claiming ignorance or relying on manual, error-prone processes to filter data was over. The stipulated order’s detailed requirements—mandating written policies, systematic screening protocols, meticulous record-keeping, and proactive reporting—created a new blueprint for what constitutes acceptable business practices. This action was part of a broader, more aggressive pattern of privacy enforcement by California authorities. It followed other major settlements, including a $1.55 million penalty against Healthline Media in July 2025 for failing to honor user opt-out requests and a $1.4 million settlement with mobile gaming company Jam City in November 2025 for similar violations. By targeting diverse sectors, from digital publishers and mobile apps to data brokers, the state demonstrated a comprehensive and multi-pronged enforcement strategy, underscoring its commitment to upholding privacy rights across the entire digital ecosystem.
The Future of Data Deletion
This landmark enforcement action arrived at a critical juncture, just as California prepared for the launch of its centralized Delete Request and Opt-out Platform on January 1, 2026. This innovative platform was designed to fundamentally alter the power dynamic between consumers and data brokers. For the first time, it would allow consumers to submit a single, universal request to have their personal information deleted by all registered data brokers simultaneously. This shifted the burden away from the consumer, who previously had to navigate the complex and often obscure process of contacting each data broker individually, and placed the onus of compliance squarely on the industry. This “one-stop shop” for data deletion represented a paradigm shift, empowering individuals with an efficient and powerful tool to exercise their privacy rights on a mass scale. For data brokers like Datamasters, whose business models relied on the large-scale accumulation and retention of comprehensive consumer profiles, this platform posed a near-existential threat to their operations.
The impending launch of the platform dramatically raised the stakes for compliance and amplified the message sent by the Datamasters case. With the new system in place, failing to register with the CPPA would not only risk an enforcement action but would also mean being excluded from the centralized deletion mechanism, a situation that regulators would likely view with extreme prejudice. The Datamasters case also served as a stern warning to the broader advertising and marketing industries that purchase consumer lists. It highlighted the urgent necessity of conducting thorough due diligence on all data suppliers to ensure they are properly registered where required and have a valid, legal basis for collecting and selling the data they provide. Going forward, contracts with data suppliers would need to include robust representations and warranties regarding compliance with all applicable privacy laws, including California’s. The intense focus on sensitive health and financial data in the Datamasters case also underscored the heightened legal risks associated with such information, which could attract scrutiny not only from the CPPA but also from other powerful regulatory bodies, including the Federal Trade Commission. This single action had effectively redrawn the boundaries of acceptable practice for an entire industry.
