The recent omnibus foreign relations package signed by President Biden on April 24, 2024, includes the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (the Act), a set of sweeping privacy provisions prohibiting data brokers from sharing sensitive personal information with a broad range of entities that may have ties to Russia, China, Iran, and North Korea. The Federal Trade Commission (FTC) will enforce these prohibitions and have the ability to seek civil penalties for violations. The provision takes effect 60 days after the date of enactment of the Act.

Main Provisions

What Does the Act Prohibit?

The Act makes it illegal for a “data broker” to make available “personally identifiable sensitive data” of a U.S. individual to a “foreign adversary country” or “entity that is controlled by a foreign adversary.”

Who Does the Act Apply To?

A “data broker” is any entity that, for valuable consideration, makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider. The Act includes certain exclusions from the definition, such as for information transmitted at the request of an individual, for information reported as part of journalism or entertainment, and for information transmitted to service providers.

What Is “Personally Identifiable Sensitive Data”?

“Personally identifiable sensitive data” is defined broadly. It includes the more traditional categories of sensitive information often considered to be sensitive data under state law, such as financial information, health and genetic information, biometric information, contents of communications, precise geolocation information, and information about children under 17. But it also includes categories such as calendar information, browsing information, “information revealing the video content requested or selected by an individual,” and any other personal data a data broker may sell for the purpose of making inferences about the categories of sensitive data described in the Act.

Who Are Foreign Adversaries and What Constitutes “Control” By One?

A “foreign adversary country” is defined as any country specified in 10 U.S.C. § 4872(d)(2), which currently lists Russia, China, Iran, and North Korea.

An “entity controlled by a foreign adversary” is defined broadly to include three categories:

• First, it includes any “foreign person” domiciled in, headquartered in, having a principal place of business in, or organized under the laws of a foreign adversary country. The term does not explicitly include citizens of those countries, though their inclusion is strongly implied by the words of the statute.
• Second, the term includes entities in which “foreign persons” have at least a 20 percent stake. For example, even if an entity is headquartered in the U.S., if one or more Chinese entities hold more than a 20 percent stake in the U.S. business, a data broker would not be able to sell sensitive personal information to the U.S. entity.
• Third, the term covers any person subject to the direction or control of the entities in the first two categories, though what it means to be “subject to the direction or control” of such entities is not defined. Based on recent legislation and regulations barring or limiting other interactions with entities associated with the same list of adversary nations, the FTC’s interpretation of this category could carry a wide variety of meanings, potentially including but certainly not limited to (a) employees of entities in the first two groups; (b) contractors of entities in the first two groups; or (c) foreign businesses with investors in the first two groups if those investors possess certain rights of influence over the business.

Overlap with Executive Order

The legislation comes on the heels of President Biden’s Executive Order and the corresponding Advance Notice of Proposed Rulemaking (ANPRM) released by U.S. Department of Justice (DOJ) in February 2024, which also included restrictions on data brokers’ sale of information to countries of concern. However, there are notable differences—and potential coordination challenges—between the two approaches. For example, the Act includes a much more expansive definition of sensitive data and does not include minimum thresholds for the amount of data disclosed. The ANPRM, by contrast, covers a narrower set of data but a broader set of transactions that go well beyond agreements related specifically to data brokers. In addition, the Act may apply to a broader range of entities—e.g., any entity where a foreign person has a 20 percent stake—and opens the door to a broad understanding of what it means to be under “foreign direction or control.” In the ANPRM, however, there is a comparatively tighter and clearer definition of which foreign entities are considered “covered persons” subject to restricted interactions.

The DOJ is required to prescribe final rules to implement the Executive Order, which will likely take several months. The bottom line is that this legislation will take effect first, and it is unclear how the DOJ will decide to account for it in its work.

Key Takeaways

• This legislation is just one example of heightened federal interest in the data broker industry. For example, in addition to the Executive Order, the Consumer Financial Protection Bureau recently announced that it intends to issue proposed rules under the Fair Credit Reporting Act to more broadly address data broker practices.
• While the Act’s “data broker” definition generally aligns with definitions in the five current state data broker laws, there are important distinctions. There may be entities that are not covered by state laws that are nevertheless covered by the Act, given its broad reach. Therefore, data brokers should carefully assess whether their activities trigger the Act’s application.
• Given the broad definition of “personally identifiable sensitive data,” it appears that many data brokers would likely collect “personally identifiable sensitive data.” Therefore the key questions for compliance would be (1) does a company fall within the Act’s specific definition of data broker; and (2) if so, does the company do business with a foreign adversary country or an entity controlled by a foreign adversary country?
• Companies engaged in data broker activities may want to start seeking representations from their commercial partners about whether they are “controlled by a foreign adversary country” to ensure compliance with the Act.

Wilson Sonsini Goodrich & Rosati routinely helps clients navigate complex regulatory schemes and manage risks related to the enforcement of privacy and data protection laws. For more information, please contact Maneesha Mithal, Joshua Gruenspecht, Libby Weingarten, or any member of the firm’s privacy and cybersecurity or national security practices.

Laura Ahmed, Rebecca Weitzel Garcia, and Clinton Oxford contributed to the drafting of this alert.