California Regulators Crack Down on Sale of Sensitive Health Data

In a significant enforcement action aimed at the data broker industry, California regulators have fined Texas-based DataMasters, a firm specializing in buying and selling consumer information for targeted marketing. The company has since been prohibited from selling any California residents’ personal data. This move is part of California’s ongoing effort to strengthen privacy protections, particularly for vulnerable populations.
The California Privacy Protection Agency Board recently announced the decision against Rickenbacher Data, operating under the name DataMasters, following a settlement initiated by the enforcement division’s Data Broker Enforcement Strike Force. In November, CalPrivacy had indicated its intent to ramp up investigations into privacy violations within the data broker marketplace.
Investigations revealed that DataMasters had engaged in the trade of sensitive data related to “millions of individuals with conditions such as Alzheimer’s disease, substance abuse disorders, and bladder incontinence,” using this information for targeted advertising purposes. The company also acquired and disposed of databases segmenting individuals into categories such as “Seniors” or “Hispanic,” along with various demographic and behavioral markers.
DataMasters undertook these activities throughout 2024 without registering in the California Data Broker Registry. Current California privacy law requires data brokers to register with the attorney general and remit a registration fee, which is currently $6,000.
CalPrivacy further revealed that the agency has effectively barred DataMasters from the California market by prohibiting the sale of all forms of personal information regarding Californians. Michael Macko, head of enforcement at CalPrivacy, underscored the potential risks involved in selling lists of individuals dealing with serious health issues. He emphasized, “In the wrong hands, such lists could be misused for purposes beyond advertising.”
Last week, CalPrivacy also announced a $62,600 fine against S&P Global, Inc., a New York-based data services provider, citing failure to register as a data broker due to administrative oversight. Cybersecurity attorney Lily Li remarked on the scale and minimal regulation surrounding the data broker landscape. She stated that while companies may seek this data for personalized healthcare advertising, it also poses risks of misuse for social engineering and fraud.
Besides California, only a few other states—Oregon, Vermont, and Texas—require registration for data brokers. California stands out with its additional stipulation that registered data brokers need to honor consumer deletion requests via a state platform, reflecting a more comprehensive approach to data privacy regulation.