California Delete Act enforcement: the fines the CPPA is already issuing
Drop Privacy
Is anyone actually being fined under the California Delete Act?
Yes. The California Privacy Protection Agency (CPPA) is already issuing penalties to data brokers under the Delete Act (SB 362), and the settlements are public. Enforcement is not a future threat waiting on the 2028 audit requirement — it is happening now, and it starts with the simplest obligation of all: registering as a data broker. If you are still treating the Delete Act as a "we'll get to it" item, the actions below are the clearest signal that the window has closed.
The settlements the CPPA has already reached
Each of these actions traces back to a registration or fee failure — the entry-level duty of the Delete Act, and the one the CPPA can verify with a single look at its public registry.
| Data broker | Penalty | What triggered it |
|---|---|---|
| Datamasters | $45,000 | Failing to register — also ordered to stop selling Californians' data after reselling health-condition and political-view lists. |
| Accurate Append | $55,400 | Failing to register and missing annual fee deadlines. |
| S&P Global | $62,600 | Failing to register as a data broker due to an administrative error. |
| Background Alert | Shut down through 2028, or $50,000 | Settlement required the company to cease all operations for three years (through 2028) or pay the fine for failing to register. |
| Growbots | $35,400 | Failing to meet registration deadlines. |
| UpLead | $34,400 | Failing to meet registration deadlines. |
The pattern is unmistakable: the CPPA is not starting with hard-to-prove deletion failures. It is starting with the box you either checked or didn't — registration — because it is trivially auditable.
Why registration is where enforcement begins
The most concrete penalty in the Delete Act is for failing to register. Any business that meets the definition of a data broker must register annually with the CPPA, and failing to do so carries a statutory penalty of $200 per day. That is a fixed, per-day meter that runs the entire time you are unregistered.
What makes it so easy to enforce is that the data-broker registry is public. The CPPA does not need to subpoena your systems or reconstruct what you deleted to prove non-registration — it can simply compare who is selling data against who is on the list. If you are not sure whether you even qualify, we break the definition down in who must register as a data broker.
What these fines tell you about what comes next
Registration is only the first duty. Once you are registered, the harder — and far more expensive — obligation begins: honoring deletion requests through the DROP platform on a recurring 45-day cycle.
This is where the numbers get serious. Regulators can levy administrative fines of $200 per consumer, per day for failing to process deletion requests correctly and on time — not a single flat penalty, but a meter that runs per unhandled request, every day it stays unhandled, on top of existing CCPA enforcement. The math compounds fast: a batch of just 10,000 requests left un-actioned past the processing window is $2,000,000 in exposure for every single day it lags. Because the duty repeats every 45 days, "mostly compliant" doesn't resolve — it quietly accumulates. We cover the full exposure in California Delete Act penalties.
The registration fine is $200 per day. The processing fine is $200 per consumer, per day. That second "per consumer" is what turns a missed cycle from an annoyance into a company-ending number.
The lesson from these early settlements is that the CPPA is willing to act, willing to name companies publicly, and willing to force a broker out of the California market entirely. Enforcement is prioritizing what is easy to prove first — and deletion recordkeeping becomes exactly that kind of provable obligation once the 2028 third-party audits begin. (See the full 2026 compliance timeline for every date.)
How to stay off the enforcement list
The two things the CPPA has fined so far are both avoidable:
- Register on time, and keep your annual fee current. This alone would have prevented every settlement above.
- Run an accurate, auditable deletion cycle every 45 days, and keep tamper-evident proof of what you deleted and when — so that when the duty shifts from "did you register?" to "prove you deleted," you already have the answer.
How Drop Privacy keeps you off the enforcement list
The settlements above start with registration, but the far larger long-term exposure is the recurring deletion duty — the one that becomes provable the moment the 2028 third-party audits begin. Drop Privacy is purpose-built to make that duty defensible, so a regulator's "prove you deleted" is a question you can answer in seconds instead of a liability. Here is what it does about each source of exposure the CPPA is enforcing:
- You never miss a cycle. Drop Privacy runs the full 45-day deletion cycle on a schedule from a background worker — never a manual, "hope someone remembered" task. It tracks each run against its response deadline and sends escalating reminders (well ahead of, and at, the due date) so a cycle is never quietly skipped past the window where administrative fines start accruing.
- You can prove every deletion. Every state-changing action is written to a hash-chained, tamper-evident audit log (each row is cryptographically linked to the one before it, so any after-the-fact alteration breaks the chain and is detectable). That turns "we think we deleted them" into a printable, themed proof-of-deletion attestation you can hand an auditor — exactly the defensible record the 2028 audits will demand.
- You attest truthfully. Drop Privacy submits a cycle's response to the CPPA only after every required deletion is actually performed and confirmed — never a premature "deleted" status that would itself be a false attestation. Auto-deletions that fail are surfaced for manual handling before the run is submitted.
- You shrink your breach and liability surface. Matching happens against a privacy-preserving hash index, so consumer PII never has to leave your systems — and with the on-prem agent, only hashes, statuses, and audit metadata ever cross your boundary. Less PII in motion means less to be fined over.
Registration is still on you (and it is the cheapest box to check). But once you are registered, Drop Privacy is what makes the ongoing obligation — the one that compounds every 45 days — auditable, on-time, and honest.
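To make the hash-chained audit log described above concrete, here is an added sketch; it is not Drop Privacy's code. The row layout, field names, keyed-hash subject token, and externally anchored head hash are all assumptions made for illustration.

```python
import hashlib, hmac, json
from typing import Optional

GENESIS = "0" * 64  # assumed fixed prev-hash for the first row

def subject_token(key: bytes, identifier: str) -> str:
    """Keyed hash of a consumer identifier, so the log holds no raw PII."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()

def row_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous row's hash plus this row's canonical JSON."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def append(log: list, body: dict) -> str:
    """Link a new row to the current head and return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "body": body, "hash": row_hash(prev, body)})
    return log[-1]["hash"]

def verify(log: list, anchored_head: Optional[str] = None) -> Optional[int]:
    """Index of the first bad row; len(log) if the head does not match the
    externally anchored value; None if the log is intact."""
    prev = GENESIS
    for i, row in enumerate(log):
        if row["prev"] != prev or row["hash"] != row_hash(prev, row["body"]):
            return i
        prev = row["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(log)
    return None

def demo():
    key = b"constructed-demo-key"          # constructed sample data throughout
    sample = [("a@example.com", "deleted"), ("b@example.com", "failed"),
              ("c@example.com", "deleted")]
    log = []
    for email, status in sample:
        head = append(log, {"cycle": "2026-01", "status": status,
                            "subject": subject_token(key, email)})
    intact = verify(log, head)
    # In-place edit: flip a failed deletion to "deleted" without rehashing.
    tampered = [dict(r, body=dict(r["body"])) for r in log]
    tampered[1]["body"]["status"] = "deleted"
    edited = verify(tampered, head)
    # Full rewrite: recompute every hash; only the anchored head exposes it.
    rewritten = []
    for r in tampered:
        append(rewritten, r["body"])
    return intact, edited, verify(rewritten), verify(rewritten, head)
```

The last two results show the limit of chaining alone: a writer who can recompute every row passes an unanchored check, so the head hash has to be recorded somewhere that writer cannot change.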
Sources
Every settlement and figure above is drawn from the CPPA's own public enforcement announcements:
- California Privacy Protection Agency — Datamasters (Rickenbacher Data) and S&P Global settlements ($45,000 and $62,600; January 8, 2026).
- California Privacy Protection Agency — Accurate Append settlement ($55,400; July 29, 2025).
- California Privacy Protection Agency — Background Alert settlement (cease operations through 2028 or a $50,000 fine; February 27, 2025).
- California Privacy Protection Agency — Growbots and UpLead settlements ($35,400 and $34,400; December 23, 2024).
- California Privacy Protection Agency — Information for Data Brokers: the $200-per-day registration penalty and the $200-per-deletion-request-per-day processing penalty under the Delete Act.
Request a demo to see a full cycle run end to end and the attestation it produces.