On February 9, the Federal Trade Commission (the FTC, the main federal agency responsible for protecting consumers and policing unfair business practices) sent warning letters to 13 companies. The letters told these companies to review how they handle personal data under a federal law called PADFAA, short for the Protecting Americans' Data from Foreign Adversaries Act. President Biden signed PADFAA in April 2024, and it does something straightforward: it makes it illegal for any "data broker" to share Americans' sensitive personal information with China, Russia, Iran, or North Korea.
The companies that got these letters were selling data products that could reveal whether someone is a member of the U.S. military. That's one of 17 types of sensitive data the law protects.
Here's the number that matters: $53,088. That's the fine for each violation. And PADFAA has no minimum. You don't need to transfer thousands of records to get in trouble. Sharing a single person's protected data with the wrong recipient is enough.
If you run a tech company that collects, combines, or shares user data, especially data you got from somewhere other than the users themselves, keep reading. This law may apply to your business even if you've never thought of your company as a "data broker." And a separate set of rules from the Department of Justice makes the picture even more complicated.
What happened
The FTC fires a warning shot
The FTC's Bureau of Consumer Protection, the division that enforces consumer data protections, sent the letters on February 9, 2026. Christopher Mufarrige, the bureau's director, said the FTC is "committed to enforcing PADFAA and ensuring companies are complying with its requirements."
At least one company was named publicly: Datasys Group, Inc., a data aggregation company based in Boca Raton, Florida. The FTC published its warning letter for anyone to read.
What caught the FTC's attention? These companies were offering data products that identified whether someone serves in the U.S. Armed Forces. Under PADFAA (H.R. 7520), military status is one of 17 categories of "personally identifiable sensitive data." The protected categories are broad; they include:
- Government-issued IDs (Social Security numbers, driver's licenses, passports)
- Health and medical information
- Financial account details
- Biometric data (fingerprints, facial recognition data)
- Genetic information
- Precise location data (GPS-level tracking, not just city or state)
- Private communications (emails, text messages)
- Account login credentials (usernames, passwords)
- Any information about children under 17
- Online browsing activity tracked across websites
These warning letters aren't lawsuits or fines. Not yet. They're the step the FTC typically takes before bringing formal enforcement actions. Think of them as the agency putting companies on notice: fix this, or we're coming back with something more serious. Based on the FTC's track record with other laws, formal legal action often follows within months if companies don't change course.
What is a "data broker" under this law?
This is the part that matters most for tech companies. When most people hear "data broker," they think of companies whose entire business model is buying and selling personal data: data list providers, people-search websites, or background check services.
PADFAA defines it much more broadly. Under the statute, a "data broker" is any company that shares or makes available personal data about Americans that it didn't collect directly from those Americans. The key phrase is "did not collect directly." If your company gets user data from a source other than the user, and then passes that data along to someone else for something of value, you could be a data broker under federal law.
Say you run a software company. Your customers install your product, and it collects user behavior data from their platforms. You then buy demographic data (age, income, location) from a separate data vendor to enrich those user profiles. You package those enriched profiles into audience insights and share them with advertising partners. Under PADFAA, you're likely a data broker for that enriched data, because you didn't collect the demographic information directly from the users.
Or say you run a background check platform. You pull public records, court filings, and government databases together into reports that your clients use for due diligence. If those reports include sensitive data like government IDs or financial records, your platform could qualify as a data broker under PADFAA.
There are some exemptions. If you're purely a "service provider," meaning you're only processing data under someone else's direction and control (like a cloud hosting company storing data for a client), you're excluded. You're also excluded if sensitive data isn't the actual product or service you're selling. But these exemptions are narrow, and the FTC hasn't published any guidance explaining how it interprets them. There are no detailed regulations fleshing out the law. Companies are left reading the statute's plain text and making their best guesses about where the lines are.
Two federal agencies, two sets of rules
While the FTC enforces PADFAA, a different federal agency, the Department of Justice (DOJ), has its own separate program restricting how companies handle sensitive data tied to foreign adversaries.
The DOJ's program is called the Data Security Program, or DSP. It went into effect in April 2025, with the full set of requirements (including mandatory audits and reporting) kicking in on October 5, 2025. The DSP was created through Executive Order 14117, a presidential directive aimed at protecting Americans' personal data from foreign adversaries.
These two programs overlap in some ways but differ in others. The differences matter because a company could be compliant with one program and still violating the other.
PADFAA applies only to "data brokers" as defined above. The DSP applies more broadly, to any U.S. person or company that handles covered data.
PADFAA restricts data transfers to four countries: China, Iran, North Korea, and Russia. The DSP covers those four plus Cuba and Venezuela.
PADFAA has no minimum amount of data. One record is enough. The DSP only kicks in when you're dealing with "bulk" data, meaning larger volumes that cross certain thresholds.
Under PADFAA, if you're a data broker, transferring sensitive data to a covered country is banned. Period. No contracts or technical safeguards make it legal. Under the DSP, some transfers are allowed if you put the right security measures and compliance programs in place.
Here's the one that really catches people off guard. PADFAA says a company is "controlled by a foreign adversary" if a person or entity from one of those four countries owns at least 20% of it. The DSP uses a higher bar of 50%. So you could have a business partner with, say, 25% Chinese ownership. Under the DOJ's rules, that partner is fine. Under the FTC's rules, transferring sensitive data to that partner is illegal if you're a data broker. Same partner, same data, different legal outcome depending on which agency is looking.
PADFAA fines go up to $53,088 per violation, enforced by the FTC. The DSP penalties are steeper: up to $368,136 per violation (or double the value of the transaction, whichever is more), enforced by the DOJ. The DSP also carries criminal penalties for intentional violations, up to $1 million in fines and 20 years in prison.
What it means
Why this matters for tech companies that don't think of themselves as data brokers
Our read: the traditional data broker industry already knows it's in the crosshairs. The real risk is for tech companies that don't see themselves as data brokers but whose everyday business practices happen to fit the legal definition.
Think about how many tech companies handle data they didn't collect directly from users. Customer data platforms pulling in records from multiple sources. Analytics tools combining their own data with purchased datasets. Marketing software processing audience segments built from third-party data. Any of these could qualify as a data broker under PADFAA. That's a lot of companies that have probably never given this law a second thought.
The "service provider" exemption sounds like it should protect most tech companies. But it only applies if you're processing data strictly under someone else's direction. The moment you do something independent with that data (combining it with another source, enriching it, repackaging it into a new product), the exemption probably doesn't cover you anymore.
The other side of the argument
Not everyone thinks PADFAA will be enforced aggressively against mainstream tech companies. Critics have pointed out that the law has at least five significant drafting problems. For example, PADFAA doesn't require the government to prove a company knowingly violated the law. That means a company could face penalties even if it had no idea its data was reaching a prohibited recipient. The law also treats web browsing data as categorically sensitive, which sweeps in a huge range of routine online activity. Congress may fix these issues eventually, but no bill has been introduced yet.
There's also a practical argument that the FTC will start with the most obvious offenders, companies deliberately selling military personnel data to foreign buyers, rather than going after software companies with incidental international data flows. That may be true for now. But the text of the law doesn't make that distinction. And the fact that the FTC is already sending warning letters suggests it's building the capacity to go further.
How this affects sales and partnerships
If your company sells to large enterprises or government contractors, expect questions about PADFAA to start showing up in vendor questionnaires and security assessments over the next six months. Companies that are already subject to the DOJ's Data Security Program need to verify their vendors aren't sending sensitive data to covered countries. PADFAA adds another set of questions on top.
Your prospective customers' legal and compliance teams will want to know: Are you a data broker under PADFAA? Have you mapped your data flows? What controls do you have in place?
For companies with international investors or partners, the 20% ownership rule is especially important. If any entity in your ownership chain (an investor, a joint venture partner, a parent company) has ties to one of the four covered countries, you need to figure out whether it crosses the 20% threshold. Getting this wrong could mean your standard data-sharing practices are illegal under PADFAA, even if you've been doing them for years without issue.
Practical takeaways
Here are eight things your team can start on this week:
1. Map where your data comes from and where it goes. Make a list of every case where your company receives personal data from a source other than the person it's about, and then shares that data with someone else. This is the data that PADFAA covers.
2. Figure out if you're a "data broker" under the law. Don't assume you're safe because your company is a software company, not a data company. If you handle data you didn't collect directly from users and you share it with others, you may qualify. Have your legal team compare your data practices against the actual statutory definition.
3. Check who you're sharing data with. Screen your customers, partners, and vendors against the four covered countries: China, Iran, North Korea, and Russia. Don't just check the company's headquarters. Check their parent companies and any entity that owns 20% or more of them.
4. Check what types of data you handle. Military status triggered these warning letters, but the law covers 17 categories of sensitive data, including Social Security numbers, health records, financial data, fingerprints, GPS-level location tracking, and information about anyone under 17. If any of your third-party data falls into these categories, you're in scope.
5. Assess the DOJ's Data Security Program separately. These are two different programs with different rules. You might need to comply with the DOJ program even if you're not a data broker under PADFAA, or vice versa. The DOJ's Compliance Guide walks through the requirements.
6. Update your contracts. Add clauses to your vendor and partner agreements that address PADFAA compliance and data transfer restrictions. If you're a vendor yourself, expect your enterprise customers to start requiring these.
7. Tell your leadership team. Frame this as two overlapping sets of federal rules, one from the FTC and one from the DOJ. The fine exposure is real (starting at $53,088 per violation with no minimum data threshold), and this isn't something companies can put off.
8. Keep records of your compliance work. PADFAA doesn't have a formal "safe harbor" that protects companies making a good-faith effort. But the FTC has historically been more lenient with companies that can show they took the issue seriously and documented their steps. Keep your data flow maps, screening results, and legal memos on file.
What we're watching
The FTC's first PADFAA lawsuit. Warning letters are the step before lawsuits. If any of these 13 companies don't change their practices, the FTC's first formal case under PADFAA could come by mid-2026.
FTC guidance on how it interprets the law. The DOJ published a detailed FAQ and compliance guide for its Data Security Program. The FTC has published nothing for PADFAA. No FAQs, no examples, no guidance on the gray areas. That silence makes compliance harder for companies trying to do the right thing.
Whether Congress fixes the law's drafting problems. At least five flaws have been publicly identified, including the lack of a "knowledge" requirement and a definition of foreign control that's arguably too broad. Legislative fixes would make the law easier to comply with, but nothing is pending.
Whether the FTC and DOJ coordinate their enforcement. Right now, two agencies have overlapping authority over the same issue but haven't explained how they plan to divide the work. Joint enforcement guidance would help clarify where one program ends and the other begins.
Looking ahead
The February 9 warning letters are a clear signal: PADFAA enforcement has started. The law has been on the books since June 2024, and the FTC is done waiting for companies to figure it out on their own. If you run a tech company that touches personal data, the question isn't whether this law might apply to you. It's whether you've done the work to find out before the FTC comes asking.