California Privacy Agency Issues $50,000 Fine for Data Broker Registration Failure: What the ROR Partners Decision Means for Marketing Companies

Written By John H. Henson


The CPPA's first Delete Act enforcement action sends a clear message: marketing agencies that sell consumer data must register as data brokers--no exceptions.

In a landmark enforcement action that should put every marketing technology company on notice, the California Privacy Protection Agency (CPPA) fined ROR Partners, LLC $50,000 for failing to register as a data broker under California's Delete Act. The November 26, 2025 decision in _In the Matter of ROR Partners, LLC_ (Case No. ENF25-245-D-RO) establishes important precedent for how the CPPA will interpret data broker obligations--and it's broader than many companies might expect.

The Core Issue: When Does a Marketing Agency Become a Data Broker?

ROR Partners is a Delaware-based marketing agency focused on fitness and wellness brands. The company describes itself as the "#1 Fitness and Wellness Marketing Agency In North America," claiming to deliver over 1 billion advertising impressions monthly and reach more than 100 million unique individuals.

What caught the CPPA's attention wasn't just the company's size--it was its business model. ROR Partners operates a "Data Spine" providing access to demographic data, behavioral patterns, and unique identifiers for over 262 million U.S. adults. The company offers clients AI-driven audience modeling using billions of data points to create detailed consumer profiles.

Here's where it gets legally significant: ROR Partners collects personal information from third-party sources including health and fitness companies, wellness companies, and data compilers. It then creates inferences about consumers--for example, placing someone who frequently attends a health club into a "fitness enthusiast" audience segment--and makes that data available to clients for targeted marketing.

The CPPA determined this constitutes "selling" personal information under California law, making ROR Partners a data broker subject to registration requirements.

The CPPA's Key Holding: "A Sale Is a Sale"

The most consequential aspect of this decision is the CPPA's rejection of what appears to have been ROR Partners' primary defense: that its data disclosures were merely incidental to broader marketing services.

The agency's language is unambiguous: "A sale is a sale. A business cannot bypass the CCPA's and the Delete Act's requirements by selling personal information as part of a larger suite of products and services it offers."

This holding has significant implications for the marketing technology industry. Many companies that provide audience data, consumer analytics, or targeting services as part of bundled offerings may have assumed they fell outside data broker registration requirements. The ROR Partners decision makes clear that the CPPA will look at the underlying data practices, not the packaging.

Delete Act Registration Requirements: A Quick Refresher

Under the Delete Act (Civil Code § 1798.99.82), businesses that meet the definition of "data broker" must register with the CPPA by January 31 following each calendar year in which they operated as a data broker.

A business qualifies as a data broker if it:

  • Is a for-profit entity

  • Knowingly collects and sells to third parties the personal information of consumers with whom it does not have a direct relationship

  • Annually processes personal information of 100,000 or more consumers or households

The registration requirement comes with an annual fee established by regulation, and failure to register can result in administrative enforcement action--as ROR Partners learned.

What ROR Partners Must Do Now

The Stipulated Final Order requires ROR Partners to:

Pay $50,000 within 14 days. — This administrative fine, while not the maximum available, represents the CPPA's willingness to impose meaningful financial penalties for registration violations.

Complete registration within 14 days. — ROR Partners must pay the annual registration fee and submit a registration form to effectuate its 2025 registration for data broker activity in 2024.

Maintain ongoing compliance. — The company must continue registering for any future years in which it operates as a data broker, and must notify the CPPA in writing if it ceases data broker operations.

Disclose CCPA request metrics. — ROR Partners must update its privacy policy to include required metrics about CCPA requests received, complied with, and denied during the previous calendar year, along with response times.

The order binds the company's successors and transferees, and failure to comply may result in Superior Court enforcement with attorney fees awarded to the CPPA.

Practical Implications for Marketing and AdTech Companies

This enforcement action creates several clear takeaways for companies operating in the consumer data space.

  • Evaluate your data flows. If your company collects consumer information from third parties and makes that information available to clients--even as part of broader services--you may meet the data broker definition. The fact that you're providing "marketing services" rather than raw data sales doesn't create an exemption.

  • The 100,000 threshold matters. Companies that annually process personal information of 100,000 or more consumers or households and share that data with clients should carefully assess their registration obligations. ROR Partners' 262 million U.S. adult database clearly exceeded this threshold, but the bar is relatively low for any company operating at scale.

  • Bundling provides no protection. The CPPA explicitly rejected the argument that data sales bundled with other services escape regulatory requirements. If consumer data disclosure is a component of your value proposition to clients, you're likely selling personal information under the CCPA's definition. Because "a sale is a sale" in the eyes of the CPPA.

  • Registration deadlines are firm. ROR Partners' failure to register by the January 31, 2025 deadline triggered the enforcement action. The CPPA isn't providing grace periods or warnings--it's opening investigations. The registration requirement is for activities in the prior year. Therefore, the January 31, 2026 deadline will be for companies who performed data broker activities in 2025.

  • Consider the "direct relationship" element. The data broker definition focuses on personal information of consumers with whom the business does not have a direct relationship. Marketing agencies that collect data directly from consumers through their own platforms may have different obligations than those acquiring data from third parties. This "direct relationship" carve out is key for lead generation companies to understand. Generating leads and getting that direct relationship is important to companies who want to avoid data broker registrations.

The Broader Enforcement Landscape

The ROR Partners decision arrives as California's privacy enforcement apparatus matures. The CPPA has been steadily building its enforcement capabilities since becoming fully operational, and this case demonstrates its focus on the data broker ecosystem that California's legislature specifically targeted with the Delete Act.

Companies should expect continued enforcement activity in this space. The Delete Act was designed to increase transparency around data brokers and eventually give consumers a streamlined way to request deletion from multiple data brokers through a single mechanism. Registration is the foundational requirement that makes the rest of the Delete Act framework function.

Action Items for Compliance

If your company operates in marketing technology, audience data, or consumer analytics, consider taking these steps:

Conduct a data inventory. Map how consumer personal information flows into and out of your organization, including data received from third parties and information disclosed to clients.

Assess the "sale" question. Review whether your data disclosures to clients or partners constitute "sales" under the CCPA's broad definition, which includes disclosing personal information for monetary or other valuable consideration.

Evaluate direct relationships. Determine whether you have direct relationships with the consumers whose data you process, or whether your data comes from third-party sources.

Check registration status. If you determine you meet the data broker definition, verify whether you're registered with the CPPA and whether your registration is current.

Update privacy policies. Ensure your privacy policy includes required CCPA metrics if you're subject to those disclosure obligations.

The ROR Partners enforcement action may be the CPPA's first Delete Act case, but it's unlikely to be the last. Companies that haven't evaluated their data broker status should do so promptly--before the CPPA's Enforcement Division comes calling.


John H. Henson

John Henson founded Henson Legal, PLLC in May 2025 after a career guiding household-name brands through TCPA, state privacy laws, and FTC regulations—including serving as interim General Counsel at LendingTree. He focuses on helping lead sellers and lead buyers manage TCPA vicarious liability risks, and advising AI voice product builders on FCC artificial voice compliance. John's clients span insurance, financial services, and technology companies on the leading edge of customer acquisition.

https://www.henson-legal.com/about
Previous

Trump's AI Executive Order: New AI Voice Rules and Insurance Compliance Impact
Next

Consent Language Placement on Websites: Court Lessons for TCPA & Terms of Use Compliance