California Data Broker Registration Is Not Optional!

On December 3, 2025, the California Privacy Protection Agency ("CPPA") announced that it had fined a Nevada-based marketing firm, ROR Partners LLC ("ROR"), $56,600 for failure to register as a California data broker as required pursuant to the State's "Delete Act."

As our readers are aware, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), requires that certain businesses which collect and sell the personal information of consumers with whom they do not maintain a direct relationship must register annually with the CPPA as California "data brokers."

The CPPA's ROR enforcement action serves as an important reminder to companies that collect, aggregate, or sell/share a large amount of consumer data that filing for registration on the California Data Broker Registry is not optional.

Why Was ROR Fined?

According to the CPPA's Stipulated Final Order, ROR provided clients with a "repository of over 262 million US adults with deep demographic data, behavioral patterns, and unique ROR ID numbers for precise [ad] targeting." ROR created this repository by gathering consumer personal information from a variety of sources, including its clients and other third parties, with which it partnered as a marketing agency.

The CCPA defines a California "data broker" as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." Under the CCPA, "business" means a company that:

• Has gross annual revenues in excess of $25 million;
• Buys, sells, or shares the personal information of 100,000 or more consumers or households; or
• Derives 50 percent or more of annual revenues from selling consumers' personal information.

It can be reasonably inferred that one of the reasons ROR did not register is because it sold personal information to third parties as part of its marketing services. The CPPA's decision makes clear, however, that "[a] sale is a sale," regardless of whether the sale was made as part of a bundle with other advertising and marketing services.

Key Takeaways for California Data Brokers

• Data broker registration requirements apply even if you are "just marketing." Businesses that think of themselves as advertising or marketing agencies may fall within the Delete Act's purview if they sell or share the personal information of a significant number of consumers with whom they have no direct relationship.
• If you qualify as a "data broker" under the CCPA, register now or risk regulatory enforcement and associated fines.
• Prepare for the launch of the Delete Request and Opt-Out Platform ("DROP"). Starting in 2026, consumers will be able to submit a single deletion/opt-out request to all data brokers via the CPPA's DROP Platform. Businesses should familiarize themselves with the initiative in preparation for compliance.

Why Does the ROR Partners Decision Matter to Your Business?

The CPPA initiated the action against ROR as part of a broader enforcement initiative coined the "Data Broker Enforcement Strike Force." Announced on November 18, 2025, the Strike Force's launch made clear that data broker compliance enforcement would be a CPPA priority.

If your business shares the personal information of California consumers, now is the time to reevaluate your consumer data privacy compliance practices. It is important to note that registration on the Data Broker Registry is just one of the many obligations that California consumer data brokers have under the CCPA.

Related Blog Posts:

Coming Soon: A Federal Privacy Policy Mandate

California Strengthens its Automatic Renewal Law

Connecticut Privacy Law Advances to House

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.