California Launches Data Broker Enforcement Strike Force: What the Delete Act Means for Your Business in 2025–2026

By Ramyar Daneshgar
Security Engineer | USC Viterbi School of Engineering

Disclaimer: This article is for educational purposes only and does not constitute legal advice.

1. Introduction: California’s New Enforcement Era Has Arrived

California has launched one of the most aggressive privacy enforcement programs in the United States. The California Privacy Protection Agency has formally created the Data Broker Enforcement Strike Force, a specialized unit whose mandate is to identify, audit, and penalize any company that collects, sells, or trades data about California residents without meeting legal requirements under the California Consumer Privacy Act and the state’s newly enacted Delete Act.
Source: California Privacy Protection Agency

This shift is not symbolic. The CPPA has publicly stated that many brokers are failing to register, failing to disclose their data sources, and failing to honor deletion rights. Analysts at the National Law Review and privacy law specialists across the country have warned that California’s enforcement posture has fundamentally changed.
Source: National Law Review

For business owners, this is not a theoretical privacy update. It is a direct risk to your operations. Businesses that rely on purchased consumer data, marketing lists, enrichment data, AI training data, or analytics feeds now fall inside the regulatory blast zone. California expects every business to verify the provenance of any consumer data it purchases, regardless of whether the company performed the collection itself.

The consequence is simple. If you use data from a broker that violated the law, your business becomes part of the regulatory investigation.

2. What the Data Broker Enforcement Strike Force Actually Does

The Strike Force operates with the sophistication of a cybersecurity incident-response team. Instead of waiting for complaints or data breaches, the CPPA is conducting proactive sweeps across entire industries.

Identifying unregistered data brokers
Under California Civil Code Section 1798.99.80, any company that sells personal information about California residents must register as a data broker.
Source: California Civil Code §1798.99.80

Many brokers have ignored this requirement for years. The Strike Force is now using OSINT methods, supply-chain mapping, and industrywide monitoring to identify unregistered entities that trade in consumer data without disclosure.

Conducting compliance sweeps across entire sectors
The CPPA is issuing compulsory information requests to entire categories of companies at once. These sweeps target high-risk industries such as digital advertising networks, mobile SDK analytics platforms, location data vendors, people-search engines, and retail loyalty programs. The purpose is to map the full lifecycle of data collection and resale.

Reviewing brokers’ data sourcing, deletion practices, and disclosures
The Delete Act requires brokers to support a single statewide deletion mechanism, disclose every category of data they collect, and maintain documentation of data sources.
Source: California Senate Bill 362

The Strike Force evaluates whether these disclosures are accurate, whether deletion capabilities actually function in practice, and whether the broker’s systems track data in a verifiable manner.

Imposing penalties and referring cases for civil litigation
Violations of the CCPA or the Delete Act can result in significant statutory penalties. Brokers that misrepresent data sources, fail to delete data upon request, or trade in sensitive information without consent may face fines, mandatory deletion orders, or public enforcement actions. Some cases will be referred to the California Attorney General for prosecution.

This is a fundamental shift from complaint-driven enforcement to an active, continuous monitoring model. California is now treating data brokers as a systemic risk to consumer privacy, similar to how cybersecurity teams treat unauthorized data exfiltration.

3. The Delete Act: A New Set of Obligations That Most Brokers Are Not Ready For

The Delete Act is the most far-reaching regulation targeting data brokers in the United States. It introduces requirements that many brokers are structurally unable to meet.

A one-stop statewide deletion mechanism
Beginning in 2026, consumers will be able to request deletion of their personal data through a centralized CPPA portal. Every registered broker must permanently delete all data associated with that individual, including data purchased from other brokers, scraped data, enriched data, and inferences generated from that data.
Source: CPPA Rulemaking Overview

This requirement forces brokers to maintain complete audit trails and traceability for every dataset they handle.

Mandatory data retention and sharing audits
Brokers must maintain internal logs documenting what data they collect, from whom they collect it, and how they use or sell it. These logs must be available for inspection during compliance sweeps. Most brokers have never maintained data lineage systems capable of supporting this level of auditability.

Annual independent audits
The Delete Act requires brokers to undergo yearly third-party audits assessing compliance with data sourcing, deletion obligations, and lawful handling of sensitive data.
Source: National Law Review

Disclosure of precise data categories
Brokers must specify whether they collect geolocation data, behavioral data, browsing history, demographic profiles, information about minors, health-related signals, or biometric identifiers. Full transparency is now a statutory requirement.

The combined effect of these obligations is clear. California has eliminated the opacity that allowed the data-broker economy to operate quietly for decades.

4. Why This Creates Direct Risk for Your Business

Many companies assume that liability ends with the data broker. California rejects this assumption. Businesses that purchase or use illegally collected data can face enforcement inquiries, subpoenas, and civil liability.

Regulators and litigators want to know which companies benefited from the broker’s data. If your business purchased that data, used it for profiling, integrated it into an AI model, or relied on it for marketing, you may be required to justify your data handling practices.

California regulators are already collecting downstream purchaser lists from brokers under investigation. Businesses on those lists can expect follow-up inquiries about their own compliance posture.

This affects:

• Any company buying consumer data for marketing
• Companies using behavioral or geolocation datasets
• Companies enriching CRM records using third-party sources
• Companies training or fine-tuning AI models using data purchased from external vendors
• Companies using vendor-provided audience segments or lookalike models

If the broker violated the law, your business becomes a point of regulatory interest.

5. Why Enforcement Will Move Quickly

California’s enforcement posture has shifted toward continuous monitoring rather than reactive penalties. Evidence from other regulatory actions shows that when regulators gain visibility into upstream collection, they immediately scrutinize downstream use. This has already been observed in major federal actions targeting data brokers selling location data tied to sensitive places such as health clinics and religious facilities.
Source: Federal Trade Commission

California is adopting similar investigative strategies. The Strike Force uses systematic sector scans, contractual disclosure requirements, and cross-referencing of registration databases to identify noncompliance.

Businesses cannot assume that enforcement will take years to materialize. The regulatory model is now proactive, continuous, and data-driven.

6. What Business Owners Must Do Now

Business owners need to treat data sourcing as a high-risk cybersecurity and compliance function. The following actions are now essential:

Conduct a full inventory of third-party data inputs
Document every external dataset your business uses, including marketing lists, enrichment feeds, AI training data, and analytics inputs.

Require contractual warranties of lawful data sourcing
Contracts must ensure that your vendor collected data in compliance with California law. Vendors that refuse to provide these assurances should be treated as high-risk suppliers.

Implement deletion workflows
Businesses must be prepared to delete data they received from a broker if the broker is subject to a deletion order.

Map data flows and maintain audit trails
Your business should maintain detailed logs showing where data originated, how it is used, and which systems store it. These are the same artifacts regulators request during investigations.

Evaluate AI models for tainted training data
If your AI vendors used broker-supplied datasets, you may need provenance documentation and retraining strategies.

This is not optional. California has tied marketing operations, vendor management, data governance, and cybersecurity controls into a unified regulatory framework.

7. The Bottom Line: Your Business Cannot Ignore Data Provenance Anymore

California has made it clear that the era of opaque data brokerage is over. Businesses that rely on purchased consumer data must now verify the legality of that data. If your vendor cannot prove lawful sourcing, your business may be exposed to enforcement, reputational damage, and operational disruption.

Data provenance is no longer a technical detail. It is a core business risk. Companies that treat it as such will stay ahead of regulators and ahead of litigation.