Skip to main content
Industry Insights
7 min read

Data Broker Enforcement Roundup: First Half of 2026

CalPrivacy fined three brokers for registry violations, the FTC permanently banned Kochava from selling sensitive location data, and the CFPB withdrew its data-broker/FCRA rule. Here's what happened in data broker enforcement in the first half of 2026, and what it means if you're waiting on a broker to comply.

Rahul Kandoriya
Written byRahul Kandoriya·Last updated July 4, 2026
Data Broker Enforcement Roundup: First Half of 2026
Data Broker Enforcement Roundup: First Half of 2026

Regulators spent the first half of 2026 actually using the enforcement tools that state registry laws and federal agencies built over the past few years. Here's what happened, who got fined, who got banned from selling what, and what it signals for anyone still waiting on a data broker to comply with a removal request.

Key Takeaways

  • California's registry enforcement got real: CalPrivacy fined three data brokers on January 8, 2026 for failing to register — including a $45,000 fine against Datamasters for compiling and selling Alzheimer's patients' data, and a $62,600 fine against S&P Global for 313 days of non-registration.
  • The FTC permanently banned data broker Kochava (and subsidiary Collective Data Solutions) from selling sensitive precise location data without affirmative express consent, in a stipulated order announced May 4, 2026.
  • The FTC separately sent warning letters to 13 data brokers on February 9, 2026, citing penalties of up to $53,088 per violation for selling data that identifies military personnel or veterans to foreign adversaries.
  • The CFPB withdrew its proposed rule that would have classified data brokers selling sensitive personal data as "consumer reporting agencies" under the Fair Credit Reporting Act — a significant reversal of a Biden-era proposal, formally published May 15, 2025.
  • A Senate Joint Economic Committee report found data brokers IQVIA and Findem used "noindex" code to hide their own opt-out pages from Google search — Findem's own disclosures showed it failed to process 80% of privacy requests it received.

California: The Delete Act's Registry Penalties Are Now Being Enforced

California's data broker registry law carries a strict penalty: $200 per day that a broker operates in the state without registering. On January 8, 2026, the California Privacy Protection Agency (CalPrivacy) announced its first wave of enforcement under this provision through its Data Broker Enforcement Strike Force.

Rickenbacher Data LLC (d/b/a Datamasters), a Texas-based broker, was fined $45,000 for failing to register. The company had compiled and sold data on Alzheimer's patients and people with substance-use disorders, and had initially claimed it didn't operate in California — an assertion CalPrivacy contradicted using the company's own website, which listed data on 200,000 California students. The enforcement order went further than a fine: it forced Datamasters to permanently stop selling California residents' data and implement a rapid deletion protocol, effectively ending its California operations.

S&P Global, Inc. was fined $62,600 the same day — calculated at $200/day for 313 days unregistered. Unlike Datamasters, this was treated as an administrative oversight rather than an attempt to evade the law, but CalPrivacy still applied the fine at its full statutory rate and required an internal audit overhaul.

A third action, against Background Alert, Inc., is worth understanding precisely because the mechanism is easy to misstate: Background Alert was found to have operated 250 days past its registration deadline and reached a $50,000 settlement — but the actual structure is a mandatory shutdown of its California data broker operations through 2028, with the $50,000 penalty only triggering if the company violates that shutdown agreement. It is not a "pay the fine or shut down" choice; the shutdown is required regardless.

The signal: California's data broker registry, which sounded like a paperwork requirement when it launched, now has real enforcement teeth, including the ability to force a non-compliant broker out of the state entirely, not just fine it.


FTC: A Permanent Ban on Selling Sensitive Location Data

On May 4, 2026, the FTC announced a stipulated final order against Kochava and its subsidiary Collective Data Solutions, resolving litigation the agency first filed in 2022. The FTC had alleged that Kochava's sale of precise location data — data revealing visits to reproductive health clinics and places of worship — constituted an unfair business practice.

The order permanently prohibits Kochava from selling, licensing, or transferring sensitive precise location data without affirmative express consent, and requires the company to implement a Supplier Assessment Program to verify that any location data it acquires upstream was actually consented to by the people it describes.

Separately, on February 9, 2026, the FTC sent warning letters to 13 data brokers (not publicly named — the FTC released only a template letter) regarding the Protecting Americans' Data from Foreign Adversaries Act (PADFA). The letters warned that selling data identifying U.S. military personnel or veterans to foreign adversaries or foreign-controlled entities carries civil penalties of up to $53,088 per violation.


CFPB Reversal: Data Brokers Will Not Be Regulated as Credit Bureaus (For Now)

In December 2024, the CFPB had proposed a rule that would have reclassified data brokers selling sensitive information — income, credit history, debt payment data — as "consumer reporting agencies" under the Fair Credit Reporting Act. That classification would have imposed strict accuracy standards and consumer dispute rights across the data broker industry, similar to what Equifax, Experian, and TransUnion already operate under.

Following industry pushback challenging the CFPB's statutory authority to make that reclassification unilaterally, Acting Director Russell Vought formally withdrew the proposed rule, with the withdrawal published in the Federal Register on May 15, 2025. This means data brokers selling this kind of sensitive information remain outside FCRA's accuracy and dispute-rights framework for now — a substantially lighter compliance burden than the withdrawn rule would have imposed.


The Opt-Out Page You Can't Find: Congressional Findings on "Noindex" Tactics

A Senate Joint Economic Committee (JEC) Minority Staff report, released February 27, 2026 under Ranking Member Maggie Hassan, examined data broker transparency and found a specific, deliberate obstruction tactic: brokers IQVIA and Findem were using "noindex" HTML tags on their own required privacy and opt-out pages — code that tells search engines like Google not to index the page. Practically, this makes the opt-out mechanism invisible to anyone trying to find it through a normal web search, even though the page technically exists and the company can claim compliance.

The report noted that Findem did not respond to the Committee's oversight requests and continued using the noindex tag. Findem's own disclosures showed the company failed to process 80% of the privacy requests it received, citing "insufficient data" as the reason.

Why this matters if you've submitted an opt-out and heard nothing back: this kind of friction, unresponsive opt-out pages, high rejection rates, deliberately hidden mechanisms, is not rare or accidental at some brokers. It's part of why manually opting out of hundreds of individual brokers is such an unreliable, time-consuming process, and why persistent follow-up (or a service that handles the follow-up systematically) matters more than a single request.


What This Means If You're Trying to Get Your Own Data Removed

None of these enforcement actions directly remove your personal data from any broker's database — they're aimed at penalizing brokers for registration failures, illegal sales practices, and non-compliant opt-out systems, not at processing individual consumer requests. But they matter for a practical reason: they confirm what people submitting manual opt-out requests already experience. Response rates are inconsistent, some brokers actively obstruct the process, and regulatory follow-through, while increasing, is still new and uneven across states.

If you're in the middle of a broker cleanup and one isn't responding, this is a reasonable moment to escalate: file a complaint with the CPPA if you're a California resident, or with the FTC regardless of state, referencing your original opt-out submission date.


Frequently Asked Questions

Did any of these 2026 enforcement actions result in my data being automatically removed?

No. These actions penalize brokers for registration and compliance failures; they don't trigger automatic deletion of any specific person's data. You still need to submit your own opt-out or deletion request to each broker.

What is the California data broker registry penalty?

$200 per day that a broker operates in California without registering. In January 2026, CalPrivacy used this provision to fine three companies: Datamasters ($45,000), S&P Global ($62,600), and Background Alert ($50,000, tied to a mandatory operations shutdown through 2028).

Can data brokers still sell my precise location data?

Generally yes, unless a specific enforcement action applies to that company. The FTC's May 2026 order against Kochava specifically and permanently bans that one company from selling sensitive precise location data without affirmative express consent — it does not apply industry-wide.

Are data brokers regulated like credit bureaus now?

No. The CFPB withdrew its proposed rule that would have classified sensitive-data brokers as consumer reporting agencies under the FCRA. That withdrawal was finalized in May 2025, so data brokers selling sensitive personal information generally remain outside FCRA's accuracy and dispute-rights requirements.

Why do some data broker opt-out pages seem impossible to find?

A February 2026 Senate report found at least two brokers (IQVIA and Findem) had used "noindex" code specifically to keep their opt-out pages from appearing in search results, while technically maintaining the pages existed. This is a documented obstruction tactic, not an isolated glitch.


Related Guides

Take back your privacy today

Remove your personal information from data brokers and platforms in seconds.

Remove Your Personal Data Now

From $7.00 one-time · 546 data brokers · No subscription