FTC Consumer Protection and Privacy Enforcement Series: PADFA Enforcement—What Companies Need to Know

Wiley Rein LLP

As part of our series to provide practical insights into emerging Federal Trade Commission (FTC) priority areas for consumer protection and data privacy enforcement, we are taking a deep dive into the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA)—a recent law that took effect in mid-2024 and that is enforced by the FTC. Earlier this year, FTC Commissioner Melissa Holyoak highlighted PADFA as an agency enforcement priority, signaling forthcoming enforcement activity.

At a high level, PADFA prohibits certain sales of personally identifiable sensitive data to foreign adversary countries, or any entities controlled by a foreign adversary country. Notably, the law applies to a broad range of sensitive data; has a definition of “data broker” that is distinct from other frameworks; and includes a unique threshold for foreign adversary control. Additionally, PADFA is not sector-specific, so its reach extends across industries, including financial services and health-related apps. Accordingly, any company under FTC authority that is engaged in consumer data sales, including for advertising-related purposes, may be subject to the law’s unique restrictions.

Below we provide tips to identify PADFA risks, develop appropriate compliance strategies, and prepare for enforcement.

Key Tips for PADFA Compliance Strategies

1. Know Whether PADFA Applies to You

The first step in identifying risk and developing appropriate compliance strategies is to understand whether the statute applies to your organization. Two key thresholds to evaluate are (1) whether your company qualifies as a “data broker” under PADFA’s definition and (2) whether any sensitive personal data transfers fall within the law’s prohibitions.

First, PADFA defines “data broker” to mean “an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.” In addition to the service provider exception built into the definition, the statute also sets forth certain exemptions, including an exemption where an entity transmits data at the request or direction of the individual; as part of a news report; or incidental to a product or service that is not the data itself. Accordingly, whether your organization is a data broker under PADFA will be fact-specific and may change from one transaction to the next. Importantly, the definition of “data broker” under PADFA is different from the definition of “data broker” under other regimes—such as the DOJ’s Data Security Program—so it is important to do a PADFA-specific assessment.

Second, PADFA has an expansive definition of “sensitive data” that includes precise geolocation information, information about minors under 17, government-issued identifiers, information indicative of an individual’s health conditions or treatment, certain financial information, biometric and genetic information, private communications, account or device log-in credentials, calendar information, photos, and videos, among other things. Notably, it also includes “information identifying an individual’s online activities over time and across websites or online services,” which could implicate online advertising practices.

Given these PADFA-specific definitions, companies should assess whether their data practices fall within the law’s scope, even if data sharing is not their core business.

2. Assess Your Data Flows and Data Partners

Understanding where your organization’s data goes—and who ultimately controls it—is also essential for PADFA compliance planning. PADFA’s foreign adversary restrictions hinge on ownership and control of the entities to whom an organization sells covered data, so companies must evaluate the corporate structures and beneficial ownership of the partners with whom they share data, to the extent such sharing is covered by PADFA. PADFA considers an entity “controlled by a foreign adversary” if it is “domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country.” Notably, this includes businesses that are at least 20% owned by or “subject to the direction or control of” such entities, which is a different threshold than other similar federal frameworks.

In addition to reviewing the data flows and ownership structures of the entities with which your organization shares data, it may also be beneficial to adopt reasonable due diligence and know-your-customer practices. These practices help companies develop forward-looking compliance strategies and mitigate the risk of FTC scrutiny.

3. Implement Internal Controls

Implementing internal controls to identify PADFA risks and ensure compliance is also key. Companies can consider a range of best practices, including screening transactions involving sensitive personal data, monitoring data flows, and documenting compliance efforts. This may include updating internal policies and procedures, refreshing due diligence checklists and approval workflows, and training for relevant teams. It can also be beneficial to engage senior leaders, like designated compliance officials or Chief Privacy Officers, to enhance compliance by adding a layer of review and emphasizing to teams the important nature of this work.

Preparing for PADFA Enforcement

PADFA enforcement is part of a broader effort across the federal government to safeguard national security by limiting foreign access to Americans’ sensitive personal data. As the FTC and DOJ ramp up oversight, companies should expect increased scrutiny of data practices that implicate foreign ownership or cross-border transfers.

For its part, the FTC has broad investigative powers and a track record of aggressive enforcement in the privacy space. In addition to civil penalties, the FTC can seek injunctive relief that may require changes to business practices. Even absent formal charges, the process of responding to an investigation can be disruptive, especially for companies unprepared for the volume of data and documentation involved.

We outlined practical tips for companies receiving an FTC inquiry in a previous post. In addition, companies receiving a PADFA civil investigative demand (CID) from the FTC should consider how to identify relevant documents that may not have been requested in the CID, such as those reflecting strong implementation of compliance policies. And, where CIDs request information about data transfers to specific entities, CID recipients should carefully evaluate whether and how to inform that entity and whether and how to continue their business relationship with that entity going forward.

Companies receiving a CID from the FTC should also be aware that the FTC can, and often does, share information received from companies responding to CIDs with other law enforcement agencies. Such government information sharing may be particularly impactful here, given the increase in state data broker registry laws and the DOJ’s enforcement of its own Data Security Program, which regulates data brokers. Given the possibility of inter-agency information sharing, companies responding to an FTC PADFA CID should also consider how their business practices fit with these other frameworks regulating data brokerage.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Wiley Rein LLP