California’s Privacy Protection Agency (CPPA) is seeking a $46,000 fine against National Public Data, a data broker that suffered one of the largest data breaches in 2024. The breach, which occurred in April, involved hackers stealing databases containing Social Security numbers and other personal data, totaling around three billion records, impacting approximately 270 million individuals. Despite the severity of the breach, much of the data appeared to be inaccurate. In response to the breach, National Public Data filed for bankruptcy protection, but a Florida bankruptcy court rejected the petition in November 2024, allowing authorities to continue legal actions.
The CPPA has been enforcing the California Consumer Privacy Act (CCPA), which requires data brokers to register with the agency by January 31, 2024, or face fines.
National Public Data failed to register by this deadline, instead submitting its registration on September 18, 2024, after the CPPA’s enforcement officials reached out. The company’s delay in registration prompted the CPPA to file a claim against it, seeking the $46,000 fine for non-compliance. Data brokers like National Public Data collect and sell personal information, often for profit, and the CCPA aims to regulate their activities to ensure consumer privacy rights are protected.
This legal action against National Public Data marks the CPPA’s sixth enforcement effort against a data broker since its establishment. Previous enforcement actions ended in settlement agreements, reflecting the agency’s ongoing effort to hold companies accountable for privacy violations. While the company registered after the breach, it continues to face the consequences of its delayed compliance with state privacy laws. The CPPA’s actions are part of a broader push to regulate data brokers and their handling of personal information, which has raised concerns due to increasing data breaches and privacy risks.
The breach and ongoing legal proceedings have put National Public Data under intense scrutiny. The company’s parent, Jerico Pictures, has not commented on the matter, and questions remain about the company’s ability to pay the fine, especially after its bankruptcy proceedings were dismissed. The CPPA’s continued enforcement against the company highlights the importance of adhering to state privacy regulations and ensuring that sensitive personal data is adequately protected. This case also underscores the growing power of regulatory agencies in holding companies accountable for data security lapses.
