On February 9, 2026, the Federal Trade Commission (“FTC”) sent letters to thirteen data brokers reminding them of their obligations to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“PADFAA”). We previously wrote an article and Peter Swire published a white paper at the Cross-Border Data Forum (“CBDF”) describing PADFAA in detail. PADFAA went into effect on June 24, 2024.
PADFAA regulates “data brokers”, which are defined as any entity that “for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of US individuals that the entity did not collect directly from such individuals to another entity that is not acting a service provider.” This expansive definition encompasses many more businesses than those traditionally considered “data brokers.” PADFAA prohibits data brokers from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to, or otherwise making available personally identifiable sensitive data of US individuals to any foreign adversary country or any entity controlled by a foreign adversary. The list of foreign adversary countries currently includes China, Iran, North Korea, and Russia. “Sensitive data” under PADFAA is broader than typical US privacy law definitions, and includes biometric, genetic, and health information, as well as private communications, calendar information, online activity over time and across websites, and information revealing the status of any individual as a member of the Armed Forces, among other categories.
The FTC has enforcement authority over PADFAA under its mandate to regulate unfair and deceptive practices under Section 5 the FTC Act and can pursue enforcement actions and civil penalties of up to $53,088 per violation against companies who violate PADFAA.
The letters provide that the FTC has identified instances in which the recipient companies have offered solutions and insights involving the military status of individuals, which falls under PADFAA’s requirements. They also indicate that the FTC is monitoring the marketplace for potential violations, suggesting a ramp-up in enforcement activity and potentially culminating in a sweep in the coming months.
Companies whose business practices may fall under the broad definition of “data broker,” or who do business in, or with companies from, foreign adversary countries, may consider reviewing their applicable data sharing practices to comply with PADFAA, particularly if the business practices may involve information on military status of US individuals. If you have questions about PADFAA, our Privacy, Cyber, and Data Strategy Team can assist.
