The Federal Trade Commission issued warning letters to 13 data brokers, putting them on notice about their obligations under the Protecting Americans' Data from Foreign Adversaries Act of 2024 (PADFAA), which prohibits the sale of sensitive American personal data to foreign adversaries.

PADFAA specifically targets data transactions with North Korea, China, Russia, and Iran, or any entities controlled by those countries. The law represents a significant federal effort to protect American consumers' personal information from foreign intelligence gathering operations.

The legislation defines personally identifiable sensitive data broadly to include health records, financial information, genetic data, biometric identifiers, geolocation information, and details about sexual behavior. The law also covers account or device log-in credentials and government-issued identifiers such as Social Security numbers, passport numbers, and driver's license numbers.

"The FTC is committed to enforcing PADFAA and ensuring companies are complying with its requirements," said Christopher Mufarrige, Director of the FTC's Bureau of Consumer Protection. "These letters should send a message to all data brokers to be aware of the law's requirements and ensure they are not engaging in practices that violate it."

The warning letters reveal that the FTC has identified specific instances where some recipients "offered solutions and insights involving the status of an individual as a member of the Armed Forces." Military personnel information falls squarely within PADFAA's protective scope, highlighting the national security implications of the data broker industry.

Data brokers operate by collecting, aggregating, and selling personal information about consumers, often without direct consumer knowledge or consent. These companies compile detailed profiles from various sources including public records, social media activity, purchase histories, and location data from mobile devices.

The FTC's enforcement action comes as concerns mount about foreign adversaries' efforts to collect intelligence on American citizens, military personnel, and government officials. Chinese and Russian intelligence services have previously been accused of using commercial data purchases to supplement traditional espionage activities.

Under PADFAA, violations can result in substantial financial penalties. The FTC warned that enforcement actions could include civil penalties of up to $53,088 per violation, creating potentially massive liability for companies that fail to comply with the new requirements.

The letters instruct data brokers to conduct comprehensive reviews of their business practices to ensure full compliance with PADFAA. This review process should examine current data sharing agreements, customer vetting procedures, and geographic restrictions on data sales.

The law's scope extends beyond direct sales to foreign adversaries. It also prohibits providing access to or disclosing sensitive American data to entities controlled by the four designated countries. This broader language captures subsidiaries, joint ventures, and other corporate structures that foreign adversaries might use to circumvent the law's restrictions.

For data brokers, compliance will require implementing new due diligence procedures to verify the identity and ownership of potential customers. Companies will need to screen buyers against lists of foreign adversary entities and establish ongoing monitoring systems to detect ownership changes that could trigger PADFAA restrictions.

The FTC's action signals that the agency intends to actively enforce the new law rather than rely solely on voluntary compliance. By sending warning letters to specific companies, the agency has created a paper trail that could support future enforcement actions if violations continue.

The data broker industry has grown rapidly in recent years, with companies collecting increasingly detailed information about Americans' daily activities, financial status, health conditions, and personal relationships. This information has proven valuable not only for commercial purposes but also for foreign intelligence operations seeking to identify potential recruitment targets or gather insights about American society.

The warning letters were handled by Katherine McCarron and Bhavna Changrani from the FTC's Bureau of Consumer Protection, indicating the agency has assigned experienced enforcement attorneys to oversee PADFAA implementation.

Looking ahead, data brokers will need to balance compliance costs against business opportunities in international markets. Companies may need to invest in new compliance systems, legal reviews, and ongoing monitoring programs to avoid violating the federal law.

The FTC's enforcement approach suggests that the agency will continue monitoring the data broker industry closely and may pursue formal enforcement actions against companies that fail to adequately address the concerns raised in the warning letters. This proactive stance reflects the federal government's growing focus on protecting American data from foreign intelligence collection efforts.