December 2025 Privacy Pulse: The End of the “Public Data” Excuse

People-search data brokers are running out of places to hide. California’s privacy regulator has drawn a hard line: when a data broker turns public records into a searchable profile, that profile becomes subject to California privacy law. No more loopholes. No more excuses about “public data.”

This change affects every individual and every employer. It reshapes the threat landscape. It raises the stakes. And it makes active privacy protection more urgent than ever.

In this month’s Privacy Pulse, we break down the latest enforcement actions, new regulatory powers now in effect, and why these developments make a rights-focused service like mePrism Privacy even more critical.

The old myth: “public data” means no privacy rights

People-search data brokers built their business on a simple claim: “We only use public records. Privacy laws don’t apply.”

That claim is starting to collapse.

California’s Consumer Privacy Act and the CPRA define “publicly available information” much more narrowly than these companies suggest. The exemption applies only to specific pieces of information taken directly from a government record or broadly public source — used in that same narrow context.

It does not apply when a broker:

  • Aggregates scattered records

  • Adds data from commercial or scraped sources

  • Builds “possible relatives” lists

  • Creates relationship maps

  • Scores or ranks individuals

  • Draws behavioral or risk inferences

  • Packages the results into a dossier sold online

CalPrivacy and the California Attorney General have been consistent: once a broker starts connecting, inferring, or enriching information, the output becomes personal information protected under California privacy law.

This includes:

  • Relationship clusters

  • Risk markers

  • Patterns or “possible associates”

  • Address histories built from multiple sources

  • Employment details collected from scraped content

  • Behavioral predictions

You can read the current law and commentary here:
CCPA legal text

California’s position is simple: enrichment turns “public” inputs into regulated private data.

Background Alert: the case that changed the landscape

The clearest example is the enforcement action against Background Alert, a people-search broker built on billions of public records. The company marketed its ability to reveal a “scary” amount of information and provide relationship insights consumers could not find on their own.

CalPrivacy treated this activity as regulated data processing.
The agency forced Background Alert to shut down its data-broker operations through 2028.

This was not a fine.
Not a warning.
But a multi-year shutdown.

That action established several baselines:

  • Inferences are personal information

  • Enriched dossiers fall under CCPA, CPRA, and the Delete Act

  • “Public data” does not exempt people-search brokers

  • Severe enforcement — including shutdowns — is now on the table

Legal and regulatory summaries now cite the Background Alert case as a model for dealing with people-search brokers that rely on aggregated public data.

Penalties get real: Delete Act fines and the Strike Force

California’s Delete Act gave regulators powerful new tools. They are already using them aggressively.

Beginning in 2026, the statewide Delete Request and Opt-Out Platform (DROP) will allow consumers to submit a single deletion request that every registered broker must honor.

Violations bring significant penalties:

  • $200 per day for failing to register

  • $200 per day per consumer for deletion failures

  • Public enforcement notices

  • Binding settlements

  • Possible multi-year shutdown orders

In 2025, CalPrivacy launched a Data Broker Enforcement Strike Force. That team has already taken action against companies such as Accurate Append for registration failures, missing deletion workflows, and misleading disclosures.

In multiple cases, daily statutory penalties were converted into large lump-sum settlements. In others, brokers were required to overhaul deletion processes, add compliance controls, and submit reporting — conditions many data brokers are unprepared to meet.

DROP will multiply the impact.
Millions of consumers will be able to send a single deletion request.
Every registered broker must comply or face substantial daily penalties.

  • For consumers, this strengthens privacy rights.

  • For brokers, compliance pressure increases.

  • For attackers, the environment changes — but they will still use whatever data they can find.

For employers, open-web exposure remains a major security risk.

Why this matters now: exposed profiles fuel real-world attacks

People-search profiles are no longer just annoying.
They create direct safety and security risks.

Attackers use them to:

  • Target executives with phishing

  • Track family members

  • Map home addresses

  • Combine open-web data with breach data

  • Launch SIM-swap attacks

  • Impersonate staff in help-desk scams

  • Pressure at-risk employees

  • Enable stalking or harassment

Recent cyber events highlight the danger:

  • A healthcare ransomware group used detailed open-web profiles to impersonate hospital staff during extortion calls.

  • Retail workers were targeted at home after people-search sites published their addresses and work schedules.

  • Energy-sector employees reported phishing campaigns referencing relatives extracted from data-broker profiles.

  • A Fortune 500 IT help-desk manager was impersonated using data pulled entirely from a people-search site.

  • Deepfake-enabled executive impersonation attacks surged, with attackers relying on age, location, and social ties from broker dossiers.

Federal agencies have repeated the same warning all year:
threat actors gather detailed personal information before launching attacks.

When a profile includes home ownership data, relatives, phone numbers, court records, past employers, and scraped social details — it becomes a weapon.

Why employers should care

Many organizations underestimate the risk of open-web personal data. Attackers do not.

If your workforce includes:

  • Executives

  • Public-facing staff

  • Healthcare workers

  • Developers

  • HR employees

  • IT help-desk personnel

  • Anyone with network privileges

…their people-search profiles create risk for your entire organization.

These profiles help attackers bypass MFA, impersonate employees, guess security answers, or pressure staff into sharing credentials.

  • Regulators may fine data brokers or shut them down.

  • But regulators cannot remove your team’s profiles for you.

  • They cannot monitor hundreds of brokers.

  • They cannot prioritize your highest-risk individuals.

The burden falls on employers — which is why hospitals, financial institutions, energy firms, and large enterprises now include people-search deletion in their security programs.

Mass General Brigham publicly encourages the use of mePrism Privacy for at-risk employees and families:
https://meprism.com/media/mass-general-brigham-recommends-meprism-coverage

Where mePrism Privacy fits into this enforcement era

The new regulatory landscape strengthens a message we’ve shared for years: you need a service that can find and remove these profiles at scale.

Regulators enforce the law. They do not protect individuals one by one.

A service like mePrism Privacy closes that gap.

Continuous exposure detection

We scan across the full broker ecosystem:

  • People-search sites

  • Public-record aggregators

  • Data brokers built on scraped data

  • Sites relying heavily on inference and enrichment

Whether or not a broker claims to use “public data” is irrelevant. Our scans surface the profiles either way.

Automated rights enforcement

We handle every opt-out and deletion request under CCPA, CPRA, and the Delete Act.
You get a full audit trail for every action.

This supports:

  • Individuals needing proof deletions occurred

  • Employers documenting risk-reduction measures

  • Cyber insurers evaluating coverage

  • Security teams keeping deletion records for incident response

Ongoing monitoring and re-removal

Brokers re-publish profiles frequently.
We detect these reappearances and request deletion again.

This ensures long-term protection that regulators cannot provide.

Real risk reduction

When attackers lose access to personal data, they lose leverage.
You cut down the number of data points that can be weaponized.
This strengthens your defense against impersonation, phishing, and doxxing.

Documented protection for organizations

mePrism Privacy provides reporting for:

  • Compliance audits

  • Internal risk reviews

  • Cyber-insurance renewals

  • Board-level updates

  • Vendor due-diligence

  • Incident-response planning

This turns privacy protection into a measurable, trackable control.

Final reminders for protecting yourself right now

A few simple steps can further reduce your exposure. These steps are free, fast, and strongly recommended for every mePrism customer.

1. Freeze your credit at the three major credit bureaus

A credit freeze blocks criminals from opening accounts in your name.
It’s free. It won’t affect your score. You can lift it anytime.

Freeze your credit here:

  • Equifax
    Select “Place or Manage a Freeze” and follow the identity-verification steps.

  • Experian
    Click “Freeze Your Experian Credit File,” verify your identity, and set a PIN.

  • TransUnion
    Choose “Add Freeze,” log in or create an account, and confirm the freeze.

2. Add your number to the FTC Do Not Call Registry

You reduce telemarketing calls and make it easier to spot scams.

Register here:
https://www.donotcall.gov/

Click “Register Your Phone,” enter your number and email, and confirm the email verification.

You can register more than one number. There is no expiration.

3. Turn on multi-factor authentication

Enable MFA for:

  • Email

  • Banks

  • Cloud accounts

  • Your password manager

  • Any app that supports it

Use an authenticator app instead of SMS when available.

4. Use a password manager

A password manager creates long, unique passwords and stores them securely.
It also prevents autofilling on fake sites, which reduces phishing risk.

Ready to try mePrism yourself?

Privacy is power. Whether you’re protecting your family or your executive team, now’s the time to lock it down. mePrism is here to make that simple, effective, and sustainable. Ready to reduce your risk? Let’s talk.

The mePrism Privacy Team
