California’s Delete Act Enforcement Escalates as Belgian Court Reconsiders IAB Europe TCF

Want to receive these privacy recaps in your inbox each week? Subscribe here.

Recent privacy enforcement developments in the United States and Europe highlight both escalating regulatory pressure and long-awaited legal clarification. In California, CalPrivacy continued enforcing the Delete Act against unregistered data brokers, while in Europe, a Belgian Market Court decision reshaped the path forward for IAB Europe’s Transparency and Consent Framework after years of uncertainty.

Keep reading to learn more and discover the key takeaways.

United States

Two More Data Brokers Fined for Failing to Register Under the Delete Act

CalPrivacy continued its pursuit of unregistered data brokers under the Delete Act, fining Rickenbacher Data (aka Datamasters), a Texas-based provider of targeted mailing lists, and S&P Global Inc., a New York-based provider of financial and automotive data and analytics. In addition to the monetary fine, Rickenbacher Data has been ordered to cease and desist selling, and permanently delete, Californians’ personal information. According to CalPrivacy’s announcement, this action will “effectively remov[e] it from the marketplace in California.”

TAKEAWAY

At this time, monetary fines are still somewhat low (the fines against Rickenbacher Data and S&P Global were $45,000 and $62,600, respectively).  However, the injunction against Rickenbacher may be a strong motivator for any unregistered data brokers that are still holding out. Additionally, monetary fines may soon increase dramatically. 

As of January 1, 2026, California residents can sign up for DROP, a central mechanism provided by CalPrivacy that enables users to request the deletion of their personal information across all or a subset of registered data brokers. Data brokers must begin honoring such requests starting August 1, 2026. At that time, monetary fines can include not only a penalty for failing to register (which increases by $200 every day that the data broker fails to register since the January 1, 2025 deadline), but also a $200 penalty for each deletion request for each day that the data broker fails to delete requests submitted to DROP after August 1. 

With tens of thousands of California residents registering for DROP within the first week of its availability, according to a report from Privacy Daily, and the numbers growing daily, fines after August 1 will likely be exponentially greater than they are today. 

Europe

Belgian Market Court Overturns APD Validation of IAB Europe Action Plan

IAB Europe won its appeal against the Belgian Data Protection Authority (APD)’s decision to validate and require implementation of the action plan IAB Europe submitted in response to the APD’s February 2022 order. The APD validated and attempted to enforce the action plan in 2023, despite the case still pending an appeal. 

In 2025, the Belgian Market Court partially annulled the APD’s 2022 decision, confirming some aspects and overturning others. Specifically, consistent with answers issued by the EU Court of Justice in 2024, the Market Court found in 2025 that:

1. the Transparency and Consent (TC) String of the TCF constitutes personal data under the GDPR; and
2. the IAB Europe acts as a joint data controller of the TC String for processing user preferences within the TCF; but
3. the IAB Europe does not act as a joint controller of other personal data that participants process using the TCF, such as data exchanged as part of the real-time-bidding (RTB) ecosystem for digital advertising. 

Because the action plan, in part, addresses the portion of the 2022 decision that was overturned (i.e., that IAB Europe acts as a joint controller of other personal data that participants process using the TCF), the Market Court in this most recent 2026 decision referred the case back to the APD to reassess the validation and give IAB Europe the opportunity to state its position.

TAKEAWAY

The length and complexity of this case have kept all TCF participants in limbo for four years and counting. While the saga isn’t over yet, confidence in a path forward may finally be warranted. As outlined in IAB Europe’s updated FAQs, IAB Europe has already released iterations of the TCF based on the portions of the action plan addressing the aspects of the 2022 decision that were upheld (i.e. that the TCF constitutes personal data, of which IAB Europe acts as a joint controller). Since the APD must now limit the new validation’s scope to the upheld aspects of the decision, the remaining (unreleased) portions of the action plan will likely be eliminated.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.