California’s Delete Act Grows Teeth: CPPA’s ROR Partners Fine and the New Data-Broker Risk Profile 🦷📡
What looked like a niche data-broker case is really the first “live fire” test of California’s Delete Act — and a warning shot at every ad-tech, mar-tech, and list-broker business that still thinks “we’re just a marketing vendor, not a data broker.”
On December 3, 2025, the California Privacy Protection Agency (CalPrivacy / CPPA) ordered ROR Partners LLC, a Nevada-based marketing firm, to pay $56,600 in fines and past-due fees for operating as an unregistered data broker under the Delete Act.(California Privacy Protection Agency)
The decision is short, but its implications for “shadow” data brokers are not.
Why this CPPA fine matters for the Delete Act ⚠️
In policy terms, SB 362 (the Delete Act) was always designed to do three things:
- Drag “data broker” activity into the open via mandatory public registration and disclosures.(California Privacy Protection Agency)
- Give Californians a one-stop deletion mechanism (DROP) to nuke their data from all brokers at once.(California Privacy Protection Agency)
- Layer on audits and metrics reporting so regulators can see who is deleting and who is stonewalling.(California Privacy Protection Agency)
Until now, most of the pressure was on large, obvious data brokers. ROR Partners is the pivot: a vertical marketing shop that built custom fitness/wellness audiences, claiming it was “just” selling marketing services — not personal information.(California Privacy Protection Agency)
CalPrivacy’s answer was blunt:
“A sale is a sale.”(California Privacy Protection Agency)
Bundling personal data into “audience products” doesn’t move you out of the statute. It moves you squarely into it.
Quick refresher: what the Delete Act actually requires 🧩
At a high level, the Delete Act and its implementing regulations sit on top of the existing data-broker statute (Civ. Code §§ 1798.99.80–.88) and the CCPA/CPRA.(Justia Law)
Here’s the operational picture in one table:
| 📅 Date / Phase | 🧱 Requirement | 🔍 Source (high level) |
|---|---|---|
| Jan 1, 2024 → ongoing | Annual Registration. Any business that meets the data broker definition (collects and sells PI about consumers it has no direct relationship with) must register with CalPrivacy and pay the annual fee. Failure to register by Jan 31 exposes the broker to administrative fines and costs.(California Privacy Protection Agency) | Data Broker Registration statute; CalPrivacy data-broker guidance |
| Jan 1, 2026 | DROP goes live. CalPrivacy’s Delete Request and Opt-Out Platform (DROP) launches as the “accessible deletion mechanism” the statute requires.(California Privacy Protection Agency) | Delete Act / DROP regulations |
| Aug 1, 2026 | 45-day deletion cycles. Registered brokers must pull DROP lists at least every 45 days, delete covered data, and report status back to CalPrivacy.(California Privacy Protection Agency) | Cal. Civ. Code § 1798.99.86(c); CPPA guidance |
| July 1 following first “data-broker” year | Public metrics. Brokers must publish metrics on deletion/knowledge/opt-out requests and response times, and later report these metrics to the Agency with their registration.(California Privacy Protection Agency) | Civ. Code § 1798.99.82, .85 |
| Jan 1, 2028 and every 3 years | Independent audit. Brokers must undergo third-party audits and furnish reports to CalPrivacy on request.(California Privacy Protection Agency) | Delete Act audit provisions |
| SB 361 (2025 amendments) | Expanded disclosures & penalties. SB 361 adds detailed disclosure requirements (e.g., sensitive data categories, AI sharing, foreign recipients) and refines penalty rules for non-compliance.(California Privacy Protection Agency) | SB 361; CPPA guidance |
Two key points for practitioners:
- Registration is the first tripwire. CalPrivacy can hit an unregistered broker with daily fines before DROP ever touches them.(California Privacy Protection Agency)
- Delete Act and CCPA rights will stack. DROP doesn’t replace CCPA/CPRA deletion and opt-out flows; it gives consumers a parallel “nuclear” channel directed at the broker ecosystem itself.(California Privacy Protection Agency)
The ROR Partners decision in plain English 🧮
From CalPrivacy’s own announcement:(California Privacy Protection Agency)
- Who: ROR Partners LLC, a Nevada-based marketing firm serving fitness and wellness brands; operates nationwide, including in California.
- What they did:
  - Used “billions of data points” to build detailed profiles on more than 262 million Americans.
  - Created custom audience segments — e.g., “health club regulars” — and sold those segments to clients for targeted advertising.
  - Engaged in these activities in 2024 without registering as a data broker.
- What CPPA ordered:
  - $56,600 in fines and past-due fees for failing to register under the Delete Act.
  - Registration going forward and explicit recognition that their profiling and audience-sale model makes them a data broker.
The Board’s messaging does most of the doctrinal work for you:
- You can be a data broker even if you never sell raw name + email lists; selling inferences and segments is enough.(California Privacy Protection Agency)
- You cannot dodge the statute by wrapping personal information into a “larger suite of products and services” — the decision calls this out and responds with “a sale is a sale.”(California Privacy Protection Agency)
- Consumer profiles themselves are “personal information” under the CCPA/CPRA, and trafficking in them can put you squarely in data-broker territory.(California Privacy Protection Agency)
In other words, this is not a quirky edge case. It is the archetype of what CalPrivacy thinks a modern data broker looks like.
The Data Broker Enforcement Strike Force: who’s next? 🚔
ROR Partners is also the first high-visibility product of CalPrivacy’s Data Broker Enforcement Strike Force, announced in November 2025 as an outgrowth of its 2024 investigative sweep.(California Privacy Protection Agency)
From CalPrivacy’s own description:(California Privacy Protection Agency)
- The Strike Force is explicitly tasked with identifying unregistered brokers and bringing enforcement actions.
- CalPrivacy has already:
  - Brought multiple actions against unregistered brokers (including earlier cases like Accurate Append),(Hunton)
  - Imposed daily-accruing fines and forced registration in stipulated settlements, and
  - Used high-profile decisions to send “wake-up call” signals to the market.
Add in SB 361’s expanded disclosure scheme and the impending 2026 DROP launch, and the direction of travel is obvious:
The registration deadline is now an enforcement chokepoint, not a paperwork date.
Are you a “shadow data broker”? A practical test 🕵️‍♀️
The statutory definition is deceptively simple:
A data broker is a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”(Justia Law)
Two phrases do most of the work:
- “Sells … for monetary or other valuable consideration” — so data trades, co-op arrangements, or discounted services can qualify, not just cash payments.(FindLaw Codes)
- “Direct relationship” — narrowed by regulation to consumers who intentionally interact with the business for its products/services within the last three years, and even then, a business is still a data broker if it sells data it did not collect directly.(California Privacy Protection Agency)
Here’s a quick “shadow broker” matrix you can adapt for clients:
| 🧪 Scenario | Likely status under Delete Act |
|---|---|
| You buy large volumes of geo, purchase, or membership data from multiple sources, build audience segments, and sell those segments to brands or agencies for ad targeting. | High risk data broker. You’re selling inferences and segments about people who mostly have no direct relationship with you. Registration is almost certainly required.(California Privacy Protection Agency) |
| You run a SaaS mar-tech or CDP platform that lets customers onboard their own customer lists, then enrich and resell combined datasets (e.g., “lookalike audiences”) across the client base. | High risk. Even if you call yourself a “platform,” the combination + sale of enriched data is classic data-broker behavior under the regs.(California Privacy Protection Agency) |
| You are a DTC brand that only uses first-party customer lists to run campaigns for your own products, with no sales or sharing outside service-provider relationships. | Probably not a data broker, but you are still a CCPA/CPRA “business” with all associated obligations. Watch for feature creep (e.g., “monetizing” your list).(California Privacy Protection Agency) |
| You are a membership organization / publisher that rents hashed email or postal lists of your members/subscribers to sponsors or partners. | Medium to high risk. You are selling personal information (even if pseudonymized) about people who may have only a tenuous, time-limited direct relationship with you. The 3-year “direct relationship” horizon matters.(California Privacy Protection Agency) |
| You only aggregate de-identified statistics and never transfer persistent identifiers or linkable profiles. | Lower risk, but you need to be honest about whether data is truly de-identified under CCPA standards.(California Privacy Protection Agency) |
For many clients, the uncomfortable truth is that they’ve slipped into data-broker status without ever calling themselves one.
How the Delete Act reshapes contracts and governance 📜⚙️
From a product-counsel and commercial perspective, ROR Partners is the precedent you can point to the next time someone says “we’re not really a data broker.”
A few concrete implications:
Vendor diligence and DPAs
- Ask explicitly whether a vendor meets the data-broker definition and whether it is registered with CalPrivacy.
- Require vendors engaged in audience building, enrichment, or list sales to represent and warrant compliance with the Delete Act and data-broker regulations.
- For “borderline” players, require an internal legal memo or outside counsel opinion on whether they need to register.
Marketing, co-op, and list-share agreements
- Treat any arrangement where personal information (or profiles/inferences) moves to a third party in exchange for discounts, features, or access as a potential “sale” under CCPA and data-broker law.(FindLaw Codes)
- Bake in Delete Act clauses:
  - If the counterparty is a data broker, it must stay registered.
  - It must implement DROP deletion flows and audit duties.
  - It must flow those duties down to its own service providers.
Internal AI and analytics programs
- If your in-house team is building audience models using external broker data, make sure you know which entity is the “data broker” and which is the “business” or “service provider” in the chain.
- If you later resell those models or segments to others, you may have crossed the line into data-broker status yourself.
A practical Delete Act checklist for data-driven businesses ✅
For clients who touch marketing data at scale, the immediate, ROR-informed checklist looks something like this:
- Inventory your “audience products.” Anything that looks like a segment, score, or profile that you sell or license is a red flag.
- Map direct vs indirect relationships. Ask, for each dataset: did the consumer intentionally interact with us in the last three years? If not, assume “no direct relationship.”(California Privacy Protection Agency)
- Evaluate “sale” exposure. Remember that “other valuable consideration” beyond cash can convert an exchange into a sale.(FindLaw Codes)
- Decide: register or restructure. Once you conclude you are (or soon will be) a data broker, decide whether to:
  - Register and comply, or
  - Restructure so personal information never leaves service-provider channels and you don’t sell across client boundaries.
- Prepare for DROP. Even if you’re only dealing with registered brokers as a customer, understand how DROP requests will flow through to you once your vendors begin processing them.(California Privacy Protection Agency)
FAQs (for clients – and for your own policies) 💬
Does the Delete Act apply to out-of-state companies like ROR Partners?
Yes. The Delete Act and data-broker statute apply to any business “doing business in California” that meets the data-broker definition, regardless of where it is incorporated or headquartered.(California Privacy Protection Agency)
ROR Partners is a Delaware/Nevada entity, but CalPrivacy had no trouble asserting jurisdiction because the company conducted data-broker activity affecting California consumers. That is the model for ad-tech, mar-tech, and list brokers nationwide.
How do Delete Act obligations interact with existing CCPA/CPRA deletion rights?
Think of it this way:
- CCPA/CPRA rights (Civ. Code §§ 1798.105, 1798.120, etc.) run between the consumer and each business they interact with. Deletion and “do not sell/share” requests go one-to-one.(California Privacy Protection Agency)
- The Delete Act layers on a parallel channel where the consumer can send a single request to CalPrivacy (via DROP) and have it propagated to every registered data broker, with 45-day processing cycles and auditability baked in.(California Privacy Protection Agency)
For product and privacy counsel, that means:
- You still need robust CCPA/CPRA flows and
- If you or your vendors are brokers, you must also build a DROP-response pipeline that can withstand regulatory scrutiny.
From a distance, the ROR Partners decision is “just” a $56,600 fine. Up close, it’s California’s privacy regulator planting a very visible flag:
If you walk and talk like a data broker, expect to be treated like one — registration fees, daily penalties, DROP obligations, audits and all.