Data Brokers on FTC’s Radar Over Data Sharing With China, Russia

The FTC has sent warning letters to 13 unnamed data brokers that appear to be marketing or sharing sensitive data about U.S. residents, including information on whether individuals are affiliated with the U.S. armed forces, in ways that could make that data available to entities in China, Russia, and other “foreign adversary” countries.

What the FTC did

• The FTC issued letters reminding these 13 data brokers of their obligations under the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA). PADFAA is a federal law that bars data brokers from selling, transferring, or otherwise making “personally identifiable sensitive data” about Americans available to designated foreign adversaries or entities they control.

• The letters signal that the agency believes the brokers’ advertised “solutions and insights” may be allowing foreign adversaries to infer or obtain protected information, including whether a person is in the military, which the FTC treats as sensitive in this context.

Legal background

• PADFAA, effective June 23, 2024, covers a broad set of “personally identifiable sensitive data,” including health, financial, genetic, biometric, precise geolocation, sexual behavior data, account or device login credentials, and government identifiers like Social Security and passport numbers.

• The law prohibits data brokers from selling, licensing, renting, trading, transferring, disclosing, or providing access to such sensitive data to foreign adversary countries or entities they control; currently those adversaries are China, Russia, Iran, and North Korea.

• The FTC enforces PADFAA as an unfair or deceptive practice under the FTC Act and can seek significant civil penalties—on the order of tens of thousands of dollars per violation.

National security focus

• These actions fit into a broader U.S. policy effort (including a Biden executive order and DOJ “bulk data transfer” rules) to restrict flows of Americans’ sensitive personal data to “countries of concern” such as China and Russia, based on fears that such data can be used for surveillance, intelligence, or other national security harms.

• PADFAA is narrower than DOJ’s bulk-data regime (it applies specifically to data brokers) but is designed to close what policymakers see as a key loophole: commercial data brokerage making sensitive U.S. data easily purchasable by foreign adversaries.

Practical implications for data brokers

• Companies that buy, sell, license, or package personal data can qualify as data brokers even if data trading is not their primary business, so the letters function as a warning shot to a broad segment of the data economy.

• Brokers must inventory what sensitive data they hold, map any access or sales involving foreign counterparties, and ensure they are not making such data “available” (even indirectly via analytics or “insights” products) to entities tied to China, Russia, Iran, or North Korea.

• Violations can lead to FTC enforcement, civil penalties, and additional orders limiting how companies collect and share sensitive data going forward.

If you’d like, I can break down how PADFAA might affect a specific type of business (e.g., ad-tech, SaaS, or data-as-a-service platforms).