Regulators Cite Sales of Sensitive Health, Demographic Data
California state regulators fined a Texas company that buys and sells data for targeted marketing, including lists pertaining to health conditions of older adults, as part of a crackdown on data brokers. The firm is now banned from selling all Californians’ personal information.
See Also: On-Demand | NYDFS MFA Compliance: Real-World Solutions for Financial Institutions
The California Privacy Protection Agency Board announced Thursday the action against Rickenbacher Data, which does business as DataMasters, following a settlement reached by the board’s enforcement division’s Data Broker Enforcement Strike Force. CalPrivacy said in November it would amp up investigations into data broker industry privacy violations.
The state agency said the firm traded in data pertaining to “millions of people with Alzheimer’s disease, drug addiction, bladder incontinence and other health conditions for targeted advertising.”
The data broker also bought and sold lists of people sorted into categories such as “Seniors” or “Hispanic,” as well as by political affiliation, grocery store purchases, banking activity and health-related purchases, CalPrivacy said.
DataMasters engaged in these activities in 2024 without registering with the California Data Broker Registry. Under California privacy statute, data brokers must register with the attorney general and pay a registration fee, currently set at $6,000.
CalPrivacy additionally banned the company from selling all forms of personal information about Californians, “effectively removing” the company from the marketplace in California.
“Reselling lists of people battling Alzheimer’s disease is a recipe for trouble,” said Michael Macko, the head of enforcement at CalPrivacy in a statement.
“In the wrong hands, these lists could be used to target people for more than just advertising. The same risks apply to selling lists of seniors, people who identify as conservative or liberal, or people who purchase sensitive health products. History teaches us that certain types of lists can be dangerous.”
CalPrivacy last week also disclosed it levied a $62,600 fine against S&P Global, Inc., a New York-based provider of data and technology, for failing to register as a data broker due to “an administrative error.”
“The data broker market is huge and to-date fairly unregulated,” said cybersecurity attorney Lily Li, founder of law firm Metaverse Law. “In addition to targeted advertising companies getting access to this data, in order to personalize healthcare advertising, malicious actors can buy and trade this information in order to engage in social engineering campaigns, phishing campaigns and Medicare/Medicaid fraud,” she said.
Besides California, a small handful of other states – Oregon, Vermont and Texas – also require data brokers to register with the state, Li said. California is unique among states, she added, because of an additional requirement that registered data brokers honor consumer deletion requests made through a state platform.