The California Privacy Protection Agency announced on December 30, 2025 its first enforcement action under the state's Delete Act, ordering Texas-based data broker Rickenbacher Data LLC to pay a $45,000 fine for failing to register as required by law. The decision marks the opening salvo in California's campaign to regulate an industry that trades in detailed personal information about millions of Americans, often without their knowledge or consent.

Rickenbacher Data, operating under the business name Datamasters from Flower Mound, Texas, bought and resold personal information categorized by sensitive health conditions including Alzheimer's disease, drug addiction, bladder incontinence, acid reflux, and tobacco use. The stipulated final order details that the company maintained databases with home addresses, telephone numbers, and email addresses for 435,245 people with Alzheimer's disease, 133,142 individuals classified under addiction categories, and 857,449 consumers with bladder control issues.

The company's marketing materials advertised access to what it described as a national consumer database containing over 114 million households and 231 million individual names and addresses "available for precise targeting and segmentation." Pricing started at $40 per thousand records with a minimum order of 5,000 names.

Datamasters also offered lists segmented by ethnicity and financial vulnerability. The company promoted "Hispanic Lists" containing more than 20 million people with Hispanic surnames, "Senior Lists" of senior citizens and Baby Boomers, and "mortgage lists" of homeowners carrying high-interest loans. An Excel spreadsheet posted to the company's website identified 204,218 available records for students in California, demonstrating the geographic scope of its data collection efforts.

Beyond demographic and health data, Datamasters sold behavioral information based on consumers' political views, grocery purchase patterns, retail shopping behavior, and investment activity. The company offered access to 3,370 "Consumer Predictor Models" spanning 16 categories including automotive preferences, financial activity, media use, and nonprofit activity. These models used existing customer relationships to predict future purchasing behavior "with high probability rates."

The business model relied on accessing databases licensed from third-party suppliers. Datamasters advertised bulk database purchases and subscription-based "data feeds" delivering personal information on recurring schedules. One offering provided a compiled USA consumer database with 219 million records for $9,500 as an outright purchase, with quarterly updates available for $1,995. The company marketed these services specifically to "Telemarketers, Call Centers, Data Brokers, Data Resellers and Bulk Email Data Users."

California's Delete Act, codified in Civil Code section 1798.99.82, requires businesses meeting the definition of data broker to register annually with the California Privacy Protection Agency during January and pay associated fees. Data brokers are defined as businesses that collect and sell personal information about consumers with whom they have no direct relationship. Datamasters met this definition during the 2024 calendar year but failed to register by the January 31, 2025 deadline.

The California Privacy Protection Agency's Enforcement Division opened an investigation after discovering Datamasters had not registered. When initially contacted, Datamasters denied engaging in data broker activity. The company told investigators it did "not do business or take orders of any kind" in California and "does not do business in California with any entity."

This denial proved inconsistent with evidence on the company's own website. When confronted with the Excel spreadsheet identifying California student records, Datamasters admitted receiving Californians' personal information from suppliers but claimed it rejected customer requests to purchase California-specific data. The company asserted it had periodically refused to fulfill California-specific orders between 2020 and 2025, citing California privacy laws.

The agency investigated further, asking whether Datamasters had similarly rejected requests for nationwide data that encompassed California along with other states. The company owner told investigators that Datamasters had accepted and fulfilled orders for nationwide consumer lists without screening them to remove Californians' personal information. This statement confirmed that despite periodic refusals of California-specific requests, the company was collecting and selling Californians' data through broader geographic sales.

Follow PPC Land

Follow PPC Land on your socials: LinkedIn, Google, Google News, X, Mastodon, Bluesky, Reddit, Threads or via RSS

A few days after this admission, Datamasters retained legal counsel and backtracked on its statements. The company explained that its earlier statements were "incomplete and inaccurate as stated" and instead asserted that it "screens all lists sold" to ensure they contained no California personal information.

Datamasters then updated its website to align with this new position. The company removed the Excel spreadsheet describing California student records, added text stating it does "not sell or provide data about California residents," and posted a "California Consumer Privacy Act Compliance Notice" restricting all products and services from use by entities covered by CCPA.

The stipulated final order acknowledges that Datamasters attempted to comply with California privacy laws through manual screening processes at various points between 2020 and 2025, but these efforts were imperfect. The company lacked sufficient written policies and procedures to ensure compliance with the Delete Act.

The enforcement action brings multiple consequences beyond the $45,000 administrative fine. Datamasters must cease selling all Californians' personal information starting December 31, 2025. The company must permanently delete all previously purchased California personal information by that same deadline.

Within 30 days of the December 30, 2025 decision, Datamasters must adopt written policies and implement procedures ensuring it does not collect or sell personal information belonging to Californians when buying and reselling data. To the extent Datamasters receives California personal information as part of larger purchases, it must permanently delete such information within 24 hours of receipt, instruct senders not to disclose California information in the future, and maintain records of entities that disclosed Californians' data.

The company must also maintain these written policies and procedures for five years, update its website and contact forms to clearly state it does not buy or sell Californians' personal information, and maintain records of any transactions involving requests for California data. After one year, Datamasters must submit a written summary of its privacy practices to the California Privacy Protection Agency.

This enforcement action arrives as California implements its Delete Request and Opt-out Platform, which took effect January 1, 2026. The centralized system allows California consumers to submit a single deletion request that reaches all registered data brokers, replacing the previous requirement to contact each company individually. Data brokers must begin accessing the platform every 45 days starting August 1, 2026 to retrieve and process consumer deletion requests.

The $45,000 fine represents a relatively modest penalty under the Delete Act, which authorizes administrative fines of $200 per day for each day a business fails to register. Datamasters failed to register between February 1, 2025 and September 13, 2025, a period spanning approximately 224 days. The maximum potential penalty for this timeframe would have exceeded $44,800, suggesting the stipulated settlement approximated the statutory maximum for registration failure.

Advertise on ppc land

Buy ads on PPC Land. PPC Land has standard and native ad formats via major DSPs and ad platforms like Google Ads. Via an auction CPM, you can reach industry professionals.

Learn more

The Datamasters case demonstrates California's commitment to enforcing data broker transparency requirements even against out-of-state companies with no physical presence in California. The company operated from Texas but conducted business affecting California consumers, establishing sufficient jurisdiction for the California Privacy Protection Agency to pursue enforcement.

The enforcement action highlights tensions in how data brokers navigate state privacy laws. Datamasters' inconsistent statements to investigators—first denying California business entirely, then admitting to selling nationwide lists containing California data, then claiming comprehensive screening—reveal compliance challenges faced by companies accustomed to operating in a national market now fragmented by state-level regulations.

The case also exposes the sensitive nature of data broker inventory. Lists categorizing consumers by health conditions like Alzheimer's disease, drug addiction, and bladder incontinence raise privacy concerns beyond simple contact information. Marketing based on these attributes can exploit vulnerable populations, particularly when combined with lists targeting seniors or individuals with high-interest mortgages who may be experiencing financial stress.

California has demonstrated sustained enforcement activity across privacy violations. The state secured a $1.55 million settlement with Healthline Media in July 2025 for failing to honor opt-out requests and continuing to share medical article data with advertisers. A separate $1.4 million settlement with mobile gaming company Jam City followed in November 2025 for violations including failure to provide opt-out mechanisms across 21 mobile applications.

The Attorney General launched an investigative sweep into the location data industry in March 2025, sending letters to advertising networks, mobile app providers, and data brokers appearing to violate CCPA. These enforcement actions demonstrate California's multi-sector approach to privacy compliance spanning publishers, mobile applications, and data brokers.

The data broker industry faces increasing regulatory pressure globally. Spain's data protection authority imposed €1.8 million in fines on business data firm Informa D&B in January 2025 for processing personal data of 1.6 million individual business owners without valid legal basis under GDPR. The ruling established important precedents distinguishing between public registry access and commercial data exploitation.

The Datamasters decision establishes several compliance expectations for data brokers. Written policies and procedures must be sufficiently detailed to prevent inadvertent collection and sale of California personal information. Companies cannot rely on informal screening processes or periodic refusals of state-specific requests while continuing to sell nationwide lists containing that state's data.

Data brokers accepting nationwide databases from suppliers must implement systematic screening to identify and exclude California personal information before reselling. When screening proves impossible, companies face a binary choice: exclude California entirely from their business model or register as a data broker and comply with all associated requirements including the Delete Request and Opt-out Platform starting August 2026.

The enforcement action against Datamasters signals that California privacy regulators will pursue data brokers regardless of where they physically operate. The agency demonstrated investigative persistence, following up on inconsistent statements and confronting the company with evidence from its own website. This approach suggests regulators possess both technical capability and legal authority to identify unregistered data brokers conducting business affecting California consumers.

For the advertising industry, the Datamasters case reinforces that privacy compliance requirements continue expanding. Marketers purchasing consumer lists must verify that suppliers have registered as data brokers where required and have obtained proper legal basis for collecting and selling personal information. Contracts with data suppliers should include representations and warranties about compliance with applicable privacy laws.

The case also highlights risks associated with health-related consumer data. Lists categorizing individuals by medical conditions trigger heightened privacy protections under multiple frameworks including HIPAA, state health privacy laws, and the Federal Trade Commission's Health Breach Notification Rule. Marketers using such lists face potential enforcement from multiple regulatory agencies beyond state privacy authorities.

The advertising technology industry has begun implementing standardized protocols for privacy compliance. IAB Tech Lab finalized its Data Deletion Request Framework in June 2024, establishing a common method for transmitting deletion requests throughout the digital advertising supply chain. The framework addresses requirements under GDPR, U.S. state privacy laws including CCPA, and additional legislation like Quebec's Law 25.

Datamasters' acknowledgment that its compliance efforts were "imperfect" despite attempting manual screening processes underscores the operational complexity of privacy compliance for data brokers. Companies operating in this space must invest in systematic technical controls, written procedures, staff training, and ongoing monitoring to ensure California personal information does not enter their databases or reach their customers.

The stipulated final order includes provisions requiring Datamasters to produce records to the California Privacy Protection Agency upon request, maintain audit trails of any transactions involving California data, and submit annual compliance reports. These ongoing obligations extend five years from the December 30, 2025 decision, creating long-term oversight of the company's privacy practices.

The Datamasters enforcement demonstrates that California regulators will accept settlements that include both monetary penalties and comprehensive compliance requirements. The stipulated order dedicates substantial attention to prospective compliance measures—written policies, screening procedures, record retention, and reporting obligations—suggesting California prioritizes systemic improvement over punitive damages.

The decision arrives at a pivotal moment for data privacy enforcement. As of January 1, 2026, multiple updates to California privacy law took effect, expanding requirements around consumer consent for businesses collecting and transferring personal information to third parties. Companies must now enter into agreements with any third party, service provider, or contractor receiving consumer data, specifying that transfers occur only for limited purposes.

Data brokers face a regulatory landscape shifting toward greater transparency and consumer control. The Delete Request and Opt-out Platform fundamentally changes the business model by enabling consumers to remove their information from hundreds of data brokers through a single action. This centralized deletion mechanism threatens companies whose value proposition depends on maintaining comprehensive consumer profiles across their databases.

For Datamasters specifically, the enforcement action effectively requires the company to exit the California market entirely or fundamentally restructure its operations. The order prohibits selling Californians' personal information and mandates deletion of all California data by December 31, 2025. These requirements make it commercially impractical for a nationwide data broker to continue operating while excluding California, which represents approximately 12 percent of the U.S. population.

The California Privacy Protection Agency's willingness to bring enforcement actions against out-of-state data brokers establishes that the agency will exercise jurisdictional authority based on where consumers are located rather than where companies operate. This extraterritorial reach effectively extends California privacy law to any business selling data about California residents, regardless of corporate domicile.

The Datamasters case demonstrates that initial denials or misrepresentations to regulators will not prevent enforcement. The company's shifting explanations—from denying California business to admitting nationwide sales to claiming comprehensive screening—did not deter investigators from pursuing the case. This investigative approach suggests regulators will verify compliance claims independently rather than accepting company statements at face value.

PPC Land Newsletter

Subscribe PPC Land newsletter ✉️ for similar stories like this one

Subscribe

Timeline

  • 2020-2025: Datamasters attempts compliance through periodic refusals of California-specific data requests while continuing to sell nationwide lists
  • 2024: Datamasters operates as data broker buying and selling personal information of more than 100,000 consumers without direct relationships
  • January 31, 2025: Data broker registration deadline passes; Datamasters fails to register with California Privacy Protection Agency
  • February 1, 2025: Datamasters enters violation period for failure to register
  • March 2025: California Attorney General announces investigative sweep into location data industry targeting advertising networks and data brokers
  • July 1, 2025: California announces $1.55 million Healthline settlement, marking largest CCPA monetary penalty
  • September 13, 2025: Datamasters registers as data broker after enforcement investigation begins
  • November 21, 2025: California secures $1.4 million settlement with Jam City for mobile app privacy violations
  • December 12, 2025: Datamasters and California Privacy Protection Agency sign stipulated final order
  • December 30, 2025: California Privacy Protection Agency Board adopts stipulated order as official decision
  • December 31, 2025: Deadline for Datamasters to cease selling Californians' personal information and delete all California data
  • January 1, 2026: California privacy law updates take effect expanding consent requirements; Delete Request and Opt-out Platform becomes accessible to consumers
  • August 1, 2026: Data brokers must begin accessing Delete Request and Opt-out Platform every 45 days to process deletion requests
PPC Land Newsletter

Subscribe PPC Land newsletter ✉️ for similar stories like this one

Subscribe

Summary

Who: Rickenbacher Data LLC, doing business as Datamasters, a Texas-based limited liability company with principal place of business in Flower Mound, Texas. The company's owner David Rickenbacher signed the stipulated order admitting to operating as a data broker during the 2024 calendar year. The California Privacy Protection Agency's Enforcement Division, represented by Deputy Director Michael S. Macko, Assistant Chief Counsel Lara Kehoe Hoffman, and Attorney Angie Jin, brought the enforcement action. The agency's board, chaired by Jennifer M. Urban, adopted the stipulated order as its decision.

What: The California Privacy Protection Agency ordered Datamasters to pay a $45,000 administrative fine for failing to register as a data broker by the January 31, 2025 deadline as required under California's Delete Act. The stipulated final order also requires Datamasters to cease selling all Californians' personal information by December 31, 2025, permanently delete all previously purchased California personal information by that deadline, adopt written policies and procedures within 30 days to prevent future collection or sale of California data, maintain records of compliance activities for five years, and submit annual reports to the agency. Datamasters bought and resold personal information of millions of consumers categorized by sensitive health conditions including Alzheimer's disease (435,245 people), drug addiction (133,142 individuals), and bladder control issues (857,449 consumers), along with demographic segmentation by ethnicity, age, and financial condition.

When: The California Privacy Protection Agency Board adopted the stipulated final order on December 30, 2025. Datamasters operated as a data broker during the 2024 calendar year but failed to register by the January 31, 2025 statutory deadline, entering violation status on February 1, 2025. The company registered on September 13, 2025 after the enforcement investigation began. Datamasters and the enforcement division signed the stipulated order on December 12, 2025. The company faces a December 31, 2025 deadline to cease selling California personal information and delete all previously collected California data.

Where: The enforcement action was brought before the California Privacy Protection Agency, headquartered at 400 R Street, Suite 350, Sacramento, California 95811. Datamasters operates from 6101 Long Prairie Road #744, Flower Mound, Texas 75028. The company conducted business affecting California consumers despite having no physical presence in the state. The enforcement establishes that California privacy law applies to data brokers regardless of corporate domicile when they collect and sell personal information of California residents. The case demonstrates extraterritorial reach of California privacy regulations based on where consumers are located rather than where businesses physically operate.

Why: The enforcement action seeks to ensure transparency and accountability in the data broker industry, which trades in detailed personal information about millions of consumers who typically have no direct relationship with these companies and often remain unaware their data is being bought and sold. California's Delete Act requires annual data broker registration to create public visibility into which companies engage in this business and to enable consumer exercise of privacy rights through the centralized Delete Request and Opt-out Platform. Datamasters' failure to register violated this transparency mandate. The company's business model—buying and reselling sensitive health information, demographic data, and behavioral profiles for targeted advertising purposes—exemplifies privacy risks that California seeks to address through enhanced consumer control over personal information. The enforcement demonstrates California's commitment to holding data brokers accountable regardless of where they operate, establishing compliance expectations for written policies, systematic screening procedures, and ongoing record retention that extend beyond simple registration requirements.

Share this article
The link has been copied!