CPPA Fines Unregistered Data Broker for Selling Custom Audiences

On December 3, 2025, the California Privacy Protection Agency (CPPA) announced a significant enforcement action. ROR Partners LLC, a Nevada based marketing company operating as a data broker, was fined 56,600 dollars for selling "Custom Audiences" services without having registered under California law. This service enabled third-party advertisers to target individuals based on aggregated personal data, without the broker providing required transparency or sufficient opt-out and deletion mechanisms. The penalty underscores CPPA's renewed commitment to holding data brokers accountable under the state's privacy regulations.

CPPA Fines Unregistered Data Broker for Selling Custom Audiences

Increased Risk for Data Brokers and Advertisers

According to CPPA, the broker failed to register itself, failed to provide adequate disclosures around how personal data was processed and shared, and did not honor statutory rights for deletion or opting out. By doing so, the company violated key obligations under California’s privacy regime.

This enforcement action sends a loud and clear message. With CPRA and CPPA now in effect, simply running a marketing or data-sharing business is no longer enough. Data brokers, advertisers, and any business dealing with third-party data must comply with strict registration, disclosure, and user rights requirements, or face legal and financial consequences.

For many companies still relying on legacy data broker networks or opaque third-party data deals, the risk is now real and immediate. The old practices of selling or sharing data without user consent or visibility are under direct attack.

From the consumer perspective, the ruling reinforces individual privacy rights, including rights of deletion, sale or sharing opt-out, and the right to know when data is being sold or shared. This gives consumers more control and transparency than ever before.

Why A Unified Platform Like DROP Becomes Essential

With this renewed regulatory pressure, compliance cannot remain an ad hoc process. That is where DROP, the Delete Request and Opt-out Platform, becomes vital. DROP offers a unified, standardized channel for users to submit privacy-related requests (data deletion, opt-out of sale or sharing, profiling opt-out) and for businesses and data brokers to receive, verify, and manage those requests in a compliant way.

For users, instead of hunting down obscure data broker contact information, they can issue verified requests via DROP and track status in one place.

For businesses and data brokers, DROP provides a compliance-ready interface to manage, log, and respond to user requests, helping avoid fines and demonstrating adherence to transparency and user rights obligations.

For regulators, DROP ensures a clear, auditable trail of requests and responses, simplifying oversight and enforcement.

In a world where regulators are actively penalizing non-compliance, such as the CPPA’s recent action, having a robust privacy request platform is no longer optional, it is a necessity.

Choosing the Right Consent Management Platform (CMP)

In addition to using platforms like DROP, businesses should carefully evaluate and select a robust Consent Management Platform (CMP). A high-quality CMP goes beyond simple consent collection—it ensures that users are fully informed about how their personal data is collected, processed, and shared. It provides clear mechanisms for users to grant, withdraw, or modify consent, aligning with regulatory requirements such as CPRA and GDPR.

Selecting the right CMP also helps businesses maintain a consistent privacy strategy across all digital channels, including websites, mobile apps, and third-party integrations. Beyond regulatory compliance, a CMP can enhance consumer trust by demonstrating a transparent approach to data handling. Businesses that implement an effective CMP are better positioned to avoid costly fines, protect their reputation, and foster stronger relationships with privacy-conscious customers.

UniConsent: Simplifying Consent Management

UniConsent is a solution designed to streamline consent management for both businesses and users. By providing a centralized, easy-to-use interface, UniConsent allows companies to collect, track, and manage user consents across multiple platforms in a fully compliant manner. It automates compliance with privacy regulations such as CPRA, GDPR, and other global frameworks, reducing the operational burden on businesses.

For users, UniConsent offers clarity and control, making it easy to understand what data is being collected and how it is used. For businesses, it provides detailed audit trails and reporting capabilities, ensuring that consent practices are transparent and defensible in case of regulatory scrutiny. Integrating UniConsent into your privacy strategy not only helps meet legal obligations but also signals a commitment to respecting user privacy, a crucial factor in today’s data-driven economy.

About UniConsent

UniConsent is a part of Transfon's privacy-first User Experience Platform that serves tens of millions of users per day, providing a seamless privacy experience for both users and publishers in the post-GDPR age. Contact us to know more: hello@uniconsent.com