HomeBlog › California Delete Act enforcement: the fines the CPPA is already issuing

California Delete Act enforcement: the fines the CPPA is already issuing

· 6 min read · Drop Privacy

Is anyone actually being fined under the California Delete Act?

Yes. The California Privacy Protection Agency (CPPA) is already issuing penalties to data brokers under the Delete Act (SB 362), and the settlements are public. Enforcement is not a future threat waiting on the 2028 audit requirement — it is happening now, and it starts with the simplest obligation of all: registering as a data broker. If you are still treating the Delete Act as a "we'll get to it" item, the actions below are the clearest signal that the window has closed.

Scoreboard of real California Delete Act settlements: Datamasters $45,000, Accurate Append $55,400, S&P Global $62,600, Growbots $35,400 and UpLead $34,400, and Background Alert shutting down its operations through 2028 or facing a $50,000 fine — plus two per-day penalty meters: $200 a day while unregistered, and $200 per consumer per day for late or incorrect deletions.
Publicly reported CPPA settlements against data brokers under the Delete Act. Most began with a failure to register on time.

The settlements the CPPA has already reached

Each of these actions traces back to a registration or fee failure — the entry-level duty of the Delete Act, and the one the CPPA can verify with a single look at its public registry.

Data brokerPenaltyWhat triggered it
Datamasters$45,000Failing to register — also ordered to stop selling Californians' data after reselling health-condition and political-view lists.
Accurate Append$55,400Failing to register and missing annual fee deadlines.
S&P Global$62,600Failing to register as a data broker due to an administrative error.
Background AlertShut down through 2028, or $50,000Settlement required the company to cease all operations for three years (through 2028) or pay the fine for failing to register.
Growbots$35,400Failing to meet registration deadlines.
UpLead$34,400Failing to meet registration deadlines.

The pattern is unmistakable: the CPPA is not starting with hard-to-prove deletion failures. It is starting with the box you either checked or didn't — registration — because it is trivially auditable.

Why registration is where enforcement begins

The most concrete penalty in the Delete Act is for failing to register. Any business that meets the definition of a data broker must register annually with the CPPA, and failing to do so carries a statutory penalty of $200 per day. That is a fixed, per-day meter that runs the entire time you are unregistered.

What makes it so easy to enforce is that the data-broker registry is public. The CPPA does not need to subpoena your systems or reconstruct what you deleted to prove non-registration — it can simply compare who is selling data against who is on the list. If you are not sure whether you even qualify, we break the definition down in who must register as a data broker.

What these fines tell you about what comes next

Registration is only the first duty. Once you are registered, the harder — and far more expensive — obligation begins: honoring deletion requests through the DROP platform on a recurring 45-day cycle.

This is where the numbers get serious. Regulators can levy administrative fines of $200 per consumer, per day for failing to process deletion requests correctly and on time — not a single flat penalty, but a meter that runs per unhandled request, every day it stays unhandled, on top of existing CCPA enforcement. The math compounds fast: a batch of just 10,000 requests left un-actioned past the processing window is $2,000,000 in exposure for every single day it lags. Because the duty repeats every 45 days, "mostly compliant" doesn't resolve — it quietly accumulates. We cover the full exposure in California Delete Act penalties.

The registration fine is $200 per day. The processing fine is $200 per consumer, per day. That second "per consumer" is what turns a missed cycle from an annoyance into a company-ending number.

The lesson from these early settlements is that the CPPA is willing to act, willing to name companies publicly, and willing to force a broker out of the California market entirely. Enforcement is prioritizing what is easy to prove first — and deletion recordkeeping becomes exactly that kind of provable obligation once the 2028 third-party audits begin. (See the full 2026 compliance timeline for every date.)

How to stay off the enforcement list

The two things the CPPA has fined so far are both avoidable:

How Drop Privacy keeps you off the enforcement list

The settlements above start with registration, but the far larger long-term exposure is the recurring deletion duty — the one that becomes provable the moment the 2028 third-party audits begin. Drop Privacy is purpose-built to make that duty defensible, so a regulator's "prove you deleted" is a question you can answer in seconds instead of a liability. Here is what it does about each source of exposure the CPPA is enforcing:

Registration is still on you (and it is the cheapest box to check). But once you are registered, Drop Privacy is what makes the ongoing obligation — the one that compounds every 45 days — auditable, on-time, and honest.

Sources

Every settlement and figure above is drawn from the CPPA's own public enforcement announcements:

Request a demo to see a full cycle run end to end and the attestation it produces.


See Drop Privacy run a full Delete Act cycle on sample data. Request a demo →

← All articles