FTC issues warning letters on transfers of sensitive US personal data

The Federal Trade Commission (FTC) has warned 13 data brokers that their business practices may violate a federal law prohibiting the sale of sensitive personal data about Americans to hostile foreign governments, marking one of the clearest enforcement signals yet under the Protecting Americans’ Data from Foreign Adversaries Act of 2024.
In letters sent February 9, the FTC said it had identified unspecified instances in which data brokers appear to have offered products or analytics involving highly sensitive personal information, including data related to the military status of individuals.
The agency emphasized that such information falls squarely within the scope of PADFAA, which took effect in June 2024 and grants the commission direct enforcement authority.
PADFAA makes it unlawful for data brokers to sell, license, rent, trade, transfer, disclose, or otherwise make available personally identifiable sensitive data of U.S. individuals to any foreign adversary country or to entities controlled by those governments.
The law explicitly designates China, Russia, Iran, and North Korea as foreign adversaries and defines sensitive data broadly, covering health, financial, genetic, biometric, and precise geolocation information, as well as account credentials and government-issued identifiers such as Social Security, passport, and driver’s license numbers.
Information revealing an individual’s status as a member of the U.S. Armed Forces is also explicitly protected.
In the letters, the FTC urged recipients to conduct a comprehensive review of their data collection, aggregation, and resale practices and to immediately bring their operations into compliance if they have not already done so.
Violations of PADFAA are treated as unfair or deceptive acts or practices under Section 5 of the FTC Act and can result in civil penalties of up to $53,088 per violation.
“The FTC is committed to enforcing PADFAA and ensuring companies are complying with its requirements,” Christopher Mufarrige, director of FTC’s Bureau of Consumer Protection, said in a statement accompanying the agency’s action.
He added that the letters are intended to put the broader data brokerage industry on notice that the commission is actively “monitoring the marketplace for potentially violative acts or practices relating to making available personally identifiable sensitive data of a United States individual to any foreign adversary country or any entity that is controlled by a foreign adversary and will take additional action as warranted.”
While the FTC did not publicly identify the companies that received the letters, it stressed that the notices should not be interpreted as findings of wrongdoing. The agency said it has sent similar notifications to other data brokers and will pursue further action where warranted.
The restrictions imposed by PADFAA reflect long-standing national security concerns about how commercially available personal data can be exploited by hostile states.
Unlike traditional intelligence collection, data brokers aggregate and sell sensitive information at scale, often without individuals’ knowledge and outside the legal and procedural safeguards that govern government-held databases.
The categories of data covered by the law – precise location histories, biometric identifiers, health and financial records, login credentials, and government-issued identification numbers – can be used to map personal routines, identify vulnerabilities, and establish patterns of life.
When combined across multiple datasets, this information can allow foreign intelligence services to identify targets, track movements, and infer relationships with a level of precision that once required extensive espionage operations. The process is known as de-anonymization.
De-anonymization occurs when data that has been stripped of direct identifiers such as names or email addresses is combined with other datasets to re-identify individuals.
This process relies on quasi-identifiers like location, gender, birth date, or device IDs, which, when cross-referenced with other information, can uniquely identify people. For example, a combination of birth date, gender, and ZIP code can be enough to pinpoint an individual, even in anonymized datasets.
Location-based re-identification is a common method, as precise GPS data often reveals unique movement patterns. A person’s home address (their location at night) and workplace (their daytime location) can easily lead to their identification.
Behavioral data, such as shopping habits or browsing histories, also pose a risk. Patterns in this data can correlate with identifiable attributes in other datasets, linking anonymous records back to specific individuals.
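A release-side check for the quasi-identifier risk described above, as an added example that is not part of the original article: it counts how many records share each birth date, gender, and ZIP code combination (k-anonymity), then measures the effect of coarsening those fields and suppressing the remaining unique records. All records are constructed and the function names are illustrative.

```python
from collections import Counter

# Constructed sample records with direct identifiers already stripped.
# Fields: (birth_date, gender, zip_code, diagnosis); all values are invented.
RECORDS = [
    ("1984-03-12", "F", "22201", "asthma"),
    ("1984-03-12", "F", "22201", "diabetes"),
    ("1984-07-30", "M", "22203", "hypertension"),
    ("1991-11-02", "M", "22204", "asthma"),
    ("1991-01-19", "M", "22209", "migraine"),
    ("1975-05-05", "F", "20910", "diabetes"),
]

def quasi_id(record):
    """Raw quasi-identifier: full birth date, gender, five-digit ZIP."""
    birth, gender, zip_code, _ = record
    return (birth, gender, zip_code)

def generalized(record):
    """Coarsened quasi-identifier: birth year, gender, three-digit ZIP prefix."""
    birth, gender, zip_code, _ = record
    return (birth[:4], gender, zip_code[:3])

def k_anonymity_report(records, key_fn, k=2):
    """Report the dataset's k and how many records sit in groups smaller than k."""
    groups = Counter(key_fn(r) for r in records)
    at_risk = sum(1 for r in records if groups[key_fn(r)] < k)
    return {
        "k": min(groups.values(), default=0),
        "at_risk": at_risk,
        "fraction_at_risk": at_risk / (len(records) or 1),
    }

def suppress(records, key_fn, k=2):
    """Drop records whose quasi-identifier group has fewer than k members."""
    groups = Counter(key_fn(r) for r in records)
    return [r for r in records if groups[key_fn(r)] >= k]

if __name__ == "__main__":
    print("raw:        ", k_anonymity_report(RECORDS, quasi_id))
    print("generalized:", k_anonymity_report(RECORDS, generalized))
    kept = suppress(RECORDS, generalized)
    print("suppressed: ", k_anonymity_report(kept, generalized), len(kept), "kept")
```

On this sample, coarsening alone still leaves two records unique, which is why suppression of outliers is applied as a second step.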
U.S. officials have repeatedly warned that such data can be weaponized for counterintelligence, coercion, and influence campaigns. Location data can reveal where military personnel live, work, or deploy.
Last year a Government Accountability Office audit report warned that the Department of Defense is unprepared for the growing national security risks created by the enormous amount of personal digital information that is generated by service members, defense platforms, and official communications.
The audit found that publicly accessible data – from social media posts to commercial geolocation records – can be aggregated into detailed “digital profiles” that expose U.S. personnel, military operations, and senior leaders to targeting, coercion, and disruption.
Biometric and identity data can be used to defeat authentication systems or enable impersonation. Financial or health information can expose vulnerabilities that facilitate blackmail or recruitment. Even behavioral or demographic data, when aggregated, can be used to profile journalists, activists, government employees, or defense contractors.
Congress’ decision to explicitly include military status as protected sensitive data reflects concerns about force protection and operational security.
Commercial datasets that identify service members or their families can expose them to surveillance, targeting, or cyber-enabled harassment by foreign adversaries, particularly during periods of geopolitical tension.
Lawmakers framed PADFAA as a gap-closing measure, arguing that while classified and sensitive government information is tightly controlled, vast quantities of equally revealing personal data circulate through private markets with comparatively little oversight.
By barring data brokers from transferring this information to adversarial governments or entities they control, the law seeks to prevent hostile actors from bypassing traditional intelligence barriers by simply purchasing access to Americans’ lives.
The FTC’s warning letters come amid growing bipartisan concern that the commercial data economy has become a national security liability, not merely a consumer privacy issue.
Intelligence and defense officials have increasingly cautioned that foreign governments can exploit U.S.-based data markets to acquire insights that would otherwise be difficult, costly, or illegal to obtain through espionage.
By invoking its enforcement authority under PADFAA, the Commission is signaling that data brokers are expected to treat foreign access restrictions as a core compliance obligation, not a peripheral consideration.
The agency said it will continue monitoring the marketplace and will pursue investigations and enforcement actions where sensitive personal data about Americans is made available to foreign adversaries.
For data brokers, the letters serve as a warning that practices long tolerated in the largely opaque data trade now carry significant legal and financial risk. For regulators, they mark an early test of whether PADFAA can meaningfully curb the flow of sensitive U.S. personal data into the hands of hostile foreign states.