Privacy and consumer protection enforcement actions against data broker companies.
35
Total Actions
$250.6M
Total Fines
The FTC issued warning letters to 13 data brokers reminding them of their obligations under the Protecting Americans' Data from Foreign Adversaries Act (PADFAA), which bans the sale or disclosure of sensitive personal data to foreign adversaries like China, Russia, Iran, and North Korea. The letters cite instances where recipients offered data on Armed Forces members, which is protected under PADFAA. Non-compliance could result in civil penalties up to $53,088 per violation.
The Federal Trade Commission (FTC) sent warning letters to 13 data brokers reminding them of their obligations under the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA). PADFAA prohibits data brokers from selling or providing sensitive personal data about Americans to foreign adversaries such as China, Russia, Iran, and North Korea. The letters warn that violations could result in civil penalties of up to $53,088 per violation and urge companies to review their business practices for compliance.
Datamasters, a data broker, failed to register with the California Data Broker Registry as required by the Delete Act. The company sold sensitive personal information including health conditions, age, race, and political views. As a result, it must pay a $45,000 fine and cease all sales of Californians' personal information.
$45K
CalPrivacy issued Enforcement Advisory No. 2025-01 to remind data brokers of their annual registration obligations under California's Delete Act, including disclosing all trade names and websites and registering independently rather than through a parent company. The advisory warns that failures to comply may result in administrative fines of $200 per day, plus fees and recovery costs. It also highlights the upcoming Delete Request and Opt-Out Platform (DROP) launching January 1, 2026.
The California Privacy Protection Agency fined ROR Partners LLC $56,600 for failing to register as a data broker under the Delete Act. The Nevada-based marketing firm must pay the fine and past-due fees. This action is part of CalPrivacy's enforcement against unregistered data brokers.
$57K
The California Privacy Protection Agency (CalPrivacy) announced the creation of a Data Broker Enforcement Strike Force to investigate privacy violations by data brokers. The strike force will focus on compliance with the Delete Act's registration requirement and the CCPA, building on previous enforcement actions. This initiative aims to hold data brokers accountable and protect Californians' personal information.
The California Privacy Protection Agency (CalPrivacy) announced the creation of a Data Broker Enforcement Strike Force to investigate privacy violations by data brokers under the CCPA and Delete Act. The strike force will focus on compliance with registration requirements and other obligations, building on previous enforcement actions to increase accountability.
The California Privacy Protection Agency (CPPA) ordered Accurate Append, Inc. to pay a $55,400 fine for failing to register as a data broker under the Delete Act by the January 31, 2024 deadline. The company registered only after being contacted during an enforcement sweep and agreed to injunctive terms, including paying attorney fees for future non-compliance.
$55K
The California Privacy Protection Agency (CPPA) ordered Jerico Pictures, Inc., doing business as National Public Data, to pay a $46,000 fine for failing to register and pay the annual fee required under California's Delete Act. The order was issued by default after the company did not contest the allegations. This enforcement action highlights the CPPA's efforts to ensure data broker compliance with registration laws.
$46K
The California Privacy Protection Agency ordered Jerico Pictures, Inc., doing business as National Public Data, to pay a $46,000 fine for failing to register and pay the annual fee required under the Delete Act. The order was issued by default after the company did not contest the allegations, highlighting CPPA's enforcement of data broker registration requirements.
$46K
The California Privacy Protection Agency settled with data broker Background Alert, Inc. for failing to register and pay fees under the Delete Act. The company must shut down its operations through 2028 or face a $50,000 fine. This action is part of a broader enforcement sweep against non-compliant data brokers.
The California Privacy Protection Agency (CPPA) filed an administrative action against Jerico Pictures, Inc., doing business as National Public Data, for failing to register and pay the required annual fee under the California Delete Act. The action seeks a $46,000 fine for the company's 230-day late registration, as part of CPPA's enforcement sweep against data brokers.
$46K
The California Privacy Protection Agency (CPPA) filed an administrative action against National Public Data, a Florida-based data broker, for failing to register and pay the required annual fee under California's Delete Act. The agency is seeking a $46,000 fine for the violation, which occurred 230 days late, as part of an enforcement sweep targeting non-compliant data brokers.
$46K
The FTC finalized an order banning Mobilewalla Inc. from selling sensitive location data after alleging the company sold such data without verifying consumer consent. The order prohibits Mobilewalla from collecting data from ad exchanges for non-auction purposes, misrepresenting data practices, and using location data from sensitive locations like health clinics and places of worship.
The California Privacy Protection Agency (CPPA) settled with two data brokers, PayDae, Inc. (Infillion) and The Data Group, LLC, for failing to register as required by Senate Bill 362 (the Delete Act). Infillion paid $54,200 and The Data Group paid $46,600, and both agreed to injunctive terms to ensure future compliance with registration requirements.
The California Privacy Protection Agency (CPPA) settled with two data brokers, Infillion and The Data Group, for failing to register and pay annual fees as required by the Delete Act. Infillion paid $54,200 and The Data Group paid $46,600, and both agreed to injunctive terms. This is part of a broader enforcement effort against non-compliant data brokers.
$101K
The FTC took action against Gravy Analytics Inc. and Venntel Inc. for unlawfully tracking and selling sensitive consumer location data without consent. The proposed consent order prohibits the sale or use of sensitive location data, requires deletion of historic data, and mandates compliance programs. This is part of the FTC's series of actions against data brokers selling sensitive location data.
The California Privacy Protection Agency (CPPA) settled with data brokers Growbots, Inc. and UpLead LLC for failing to register and pay annual fees under the California Delete Act. Growbots paid $35,400 and UpLead paid $34,400, and both agreed to injunctive terms including payment of attorney fees for non-compliance. This action enforces the Delete Act's requirements for data broker transparency and consumer privacy.
$70K
The California Privacy Protection Agency (CPPA) announced an investigative sweep to enforce data broker registration compliance under the Delete Act. Data brokers must register annually and pay fees, with penalties of $200 per day for non-compliance. The CPPA will take enforcement actions against unregistered data brokers and is developing a consumer deletion platform (DROP) for 2026.
Texas Attorney General Ken Paxton sent notification letters to over 100 companies for failing to register as data brokers under Texas Business and Commerce Code Chapter 509, which requires registration by March 1, 2024, and implementation of data safeguards. This action is part of an initiative to enforce privacy laws and protect consumer data.
Texas Attorney General Ken Paxton issued warning letters to over 100 data brokers for failing to register with the Texas Secretary of State as required by the Texas Data Broker Law. The law, which took effect March 1, 2024, mandates that data brokers register and implement data protection safeguards. This enforcement action is part of a new initiative to protect Texans' privacy.
The FTC settled with InMarket Media for unlawfully collecting and using consumers' precise location data without adequate notice and consent. The order prohibits InMarket from selling or sharing precise location data, requires deletion of collected data, and mandates consumer consent mechanisms and privacy programs.
The FTC finalized an order against data broker X-Mode and its successor Outlogic for selling precise location data that could track visits to sensitive locations like medical clinics and places of worship. The order bans them from sharing or selling sensitive location data and requires them to delete collected data, implement privacy programs, and ensure downstream compliance.
The California Privacy Protection Agency settled with data broker Key Marketing Advantage, LLC for failing to register and pay fees under the Delete Act. KMA will pay $55,800 and agree to injunctive terms. This is the fifth enforcement action in a sweep against unregistered data brokers.
$56K
The California Privacy Protection Agency (CPPA) settled with data broker Key Marketing Advantage, LLC for failing to register and pay fees under the Delete Act. KMA will pay $55,800 and comply with injunctive terms, including covering attorney fees for non-compliance. This is the fifth enforcement action in CPPA's sweep against unregistered data brokers.
$56K
The FTC settled with data brokers X-Mode Social and Outlogic for selling precise location data without informed consent and failing to protect sensitive information. The proposed order bans the sale of sensitive location data, requires deletion of collected data, and mandates a comprehensive privacy program. This is the FTC's first action against a data broker for sensitive location data practices.
The FTC and CFPB settled with Trans Union LLC and its subsidiary for violating the Fair Credit Reporting Act by including inaccurate and incomplete eviction records in tenant screening reports, harming consumers' ability to obtain housing. The settlement requires Trans Union to pay $15 million, with $11 million for consumer compensation and $4 million as a civil penalty, and to implement measures to ensure report accuracy and disclose data sources.
$15.0M
The FTC settled with background report providers TruthFinder and Instant Checkmate, charging they deceived consumers about the accuracy of their reports (often mischaracterizing traffic tickets as criminal records) and violated the Fair Credit Reporting Act (FCRA) by operating as consumer reporting agencies without following its requirements, including ensuring accuracy and limiting permissible purposes. The companies will pay a $5.8 million penalty and implement a comprehensive FCRA compliance monitoring program.
$5.8M
Connecticut, as part of a 40-state coalition, secured multistate settlements totaling over $16 million with Experian and T-Mobile related to data breaches in 2012 and 2015 that exposed consumers' personal information. Experian agreed to pay $12.67 million and implement enhanced data security measures, while T-Mobile agreed to pay $2.43 million and strengthen vendor management. Additionally, Experian Data Corp. paid $1 million to resolve a separate 2012 breach investigation, with all entities required to improve data protection practices.
$16.0M
The FTC and CFPB filed an amicus brief with the Third Circuit Court of Appeals to overturn a lower court ruling that exempted furnishers from investigating indirect disputes under the FCRA. The brief argues that all disputes must be investigated to ensure consumers can correct inaccurate credit information and be notified of outcomes, upholding key FCRA protections.
The FTC and DOJ settled with MyLife.com, Inc. and its CEO for deceiving consumers with misleading background reports that falsely implied criminal records and for engaging in difficult-to-cancel subscription practices. MyLife violated the Fair Credit Reporting Act, Restore Online Shoppers’ Confidence Act, and Telemarketing Sales Rule. The settlement includes a permanent ban on negative option marketing, $33.9 million in judgments for consumer refunds, and a monitoring program.
$33.9M
AppFolio, Inc., a tenant background report provider, settled with the FTC for $4.25 million over allegations it violated the Fair Credit Reporting Act by failing to implement reasonable procedures to ensure the accuracy of its screening reports and by including eviction and non-conviction criminal records older than seven years. The settlement prohibits including old records and requires maintaining accuracy procedures.
$4.3M
The FTC filed a complaint against MyLife.com, Inc. and its CEO for deceiving consumers with 'teaser background reports' that falsely claimed to include criminal and arrest records, and for violating the Fair Credit Reporting Act by failing to ensure accuracy and permissible purpose. The company also engaged in misleading billing practices under the Restore Online Shoppers’ Confidence Act and Telemarketing Sales Rule.
California Attorney General led a multistate settlement with Equifax for a 2017 data breach that exposed personal information of 147 million consumers due to security failures and delayed disclosure. Equifax must pay $175 million in state penalties, $425 million for consumer restitution, and implement data security enhancements including a comprehensive Information Security Program and credit monitoring for up to ten years.
$175.0M
New Jersey Attorney General Christopher Porrino announced that New Jersey has joined a multi-state investigation into Equifax following a data breach affecting 143 million consumers. The multi-state group sent a letter demanding Equifax disable fee-based credit monitoring services and reimburse consumers for credit freeze fees with other bureaus, citing unfair practices and a months-long delay in breach disclosure.