FTC Warns Data Brokers on PADFAA Compliance

Detected February 10th, 2026

Summary

The FTC has warned 13 data brokers about their obligations under the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA). The letters remind companies that selling sensitive personal data to foreign adversaries is prohibited and violations could result in civil penalties of up to $53,088 per violation.

View original document View source feed page

What changed

The Federal Trade Commission (FTC) has issued warning letters to 13 data brokers, reminding them of their legal obligations under the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA). This act prohibits data brokers from selling, disclosing, or providing access to sensitive personally identifiable information of Americans to foreign adversaries, including China, North Korea, Russia, and Iran, or entities controlled by them. The FTC highlighted that information related to an individual's status as a member of the Armed Forces is specifically covered by PADFAA.

Data brokers receiving these letters are instructed to conduct a thorough review of their business practices to ensure compliance with PADFAA. Failure to comply may lead to FTC enforcement actions, including significant civil penalties of up to $53,088 per violation. This action signals the FTC's commitment to enforcing the new law and underscores the importance for all data brokers to understand and adhere to its requirements to avoid penalties.

Source document (simplified)

Tags:

Consumer Protection
Bureau of Consumer Protection
Privacy and Security
Consumer Privacy The Federal Trade Commission sent letters to 13 data brokers warning them of their responsibility to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA).

PADFAA prohibits data brokers from selling, releasing, disclosing, or providing access to personally identifiable sensitive data about Americans to any foreign adversary, which include North Korea, China, Russia, and Iran, or any entity controlled by those countries. The law defines personally identifiable sensitive data to include health, financial, genetic, biometric, geolocation, and sexual behavior information as well as account or device log-in credentials and government-issued identifiers such as Social Security, passport, or driver’s license numbers.

“The FTC is committed to enforcing PADFAA and ensuring companies are complying with its requirements,” said Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection. “These letters should send a message to all data brokers to be aware of the law’s requirements and ensure they are not engaging in practices that violate it.”

The letters note that the agency has identified instances in which some of the letter’s recipients have “offered solutions and insights involving the status of an individual as a member of the Armed Forces. Such information is subject to PADFAA’s requirements.”

The letters warn the companies to conduct a comprehensive review of their business practices to ensure they comply with PADFAA, adding that a violation of the act may result in an enforcement action by the FTC, which could include civil penalties of up to $53,088 per violation.

The lead staffers on this matter include Katherine McCarron and Bhavna Changrani with the FTC’s Bureau of Consumer Protection.

The Federal Trade Commission works to promote competition and protect and educate consumers. The FTC will never demand money, make threats, tell you to transfer money, or promise you a prize. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.