Dec. 23, 2025
CalPrivacy Drops Latest DROP Enforcement Advisory: FAQs and Another Clear Warning to Data Brokers
On December 17, 2025, CalPrivacy, California’s privacy enforcement agency, issued Enforcement Advisory No. 2025-01 to provide guidance on data broker registration. The Advisory focuses on requirements related to trade names, websites, and parent or subsidiary relationships, and its overall theme is a warning to companies not to try to game the Data Broker Registry or the Delete Request and Opt-out Platform (DROP) system.
The Advisory emphasizes that companies must register by January 31, 2026, and establish a DROP account if they were operating as data brokers for any period of time in the prior year (i.e., 2025). This should come as no surprise to the data broker industry, as California (and other) regulators have been clear about their intentions to increase oversight and focus enforcement on non-compliance in the data broker industry. Companies should assess whether they qualify as a “data broker,” as companies may fall within scope based on various data practices, even if data brokerage is not their core business.
According to the Advisory, “Data brokers must register in accordance with the law, without hiding their activity or interfering with consumers’ ability to exercise their privacy rights.” The CalPrivacy Enforcement Division found that some data brokers “hide the ball” from consumers and make it difficult for consumers to understand who they are or how to opt out. Examples of “hiding the ball” observed around the data broker industry include: operating under various trade names, operating multiple websites, avoiding registration by restructuring corporate entities, attempting to rely on a parent or affiliated entity’s registration, or otherwise testing potential loopholes in the data broker definitions.
California consumers will be able to access DROP on January 1, 2026, allowing them to make a single request to all registered data brokers to delete their personal data on a recurring basis.
Key points from the Advisory include:
- Data brokers are not permitted to rely on a related entity to register. If a business meets the definition of “data broker”, it must register and establish a DROP account.
- Data brokers are required to list their trade names (i.e., “DBAs”) and any websites, including functioning links to a page where consumers can exercise privacy rights without dark patterns.
- Failure to register results in multiple possible fines and costs, including $200 per day, any fees due, and expenses incurred by the regulator in the related investigation or administration.
In addition to establishing enhanced data broker requirements, California regulators have taken multiple recent actions against data brokers, launched the Data Broker Enforcement Strike Force in November, and announced plans to step up enforcement against data brokers in the coming months. Other regulators, such as state regulators in Texas and the FTC, have been focusing on data broker issues as well, a trend that is expected to continue to ramp up in 2026.
Next steps:
Companies should carefully consider their data ecosystem to confirm whether they are in scope for any data broker requirements based on their activities in 2025 (and looking ahead to 2026). Current data brokers should assess whether additional entities should register and should determine the scope of information to include on their 2026 registrations. Companies outside the data broker industry should assess potential exposure from data broker (or data broker adjacent) relationships, particularly in scenarios where sensitive data is shared (e.g., precise geolocation, health-related data, youth data).
