Alert February 10, 2026

FTC Sends Warning Letters to Data Brokers on PADFA Compliance

February 10, 2026

The Federal Trade Commission (FTC) announced it sent warning letters to 13 data brokers on February 9, 2026, cautioning them of requirements under the Protecting Americans’ Data from Foreign Adversaries Act (PADFA) and urging a comprehensive review of their data practices. At a high level, PADFA prohibits certain sales of personally identifiable sensitive data to foreign adversary countries or any entities controlled by a foreign adversary country. These warning letters emphasize the broad scope of data that PADFA covers.

PADFA has emerged as a high-priority enforcement issue for the FTC, as a law at the intersection of privacy concerns about the transfer of sensitive data and broader national security concerns. As we have noted recently, regulators and enforcers are increasingly using consumer protection and privacy laws to address national security and foreign policy goals. With potential penalties up to $53,088 per violation, domestic companies that transfer third-party personal data abroad should review their PADFA compliance.

What PADFA Requires and Who It Impacts

PADFA broadly prohibits data brokers from selling, licensing, transferring, or otherwise providing access to “personally identifiable sensitive data” of U.S. individuals to foreign adversary countries or to any entity controlled by those countries. The law defines a data broker as any company that “for valuable consideration sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals,” subject to a few exemptions. PADFA’s definition of sensitive data is broad, with 17 categories of information including data often deemed sensitive under privacy laws, such as government-issued identifiers like Social Security or driver’s license numbers, health and financial information, and precise geolocation data. But it also includes any information about a minor and “[i]nformation that reveals the status of an individual as a member of the Armed Forces.” Foreign adversary countries include China, Iran, North Korea, and Russia.

The Warning Letters Address Transfer of Data Identifying Military Personnel

The FTC did not identify the specific warning letter recipients, but it released a template as an example. The template letter explains PADFA’s basic scope and requirements and does not allege specific violations of the law. But it does state that “[w]e have identified instances in which your company offers or has offered solutions and insights involving the status of an individual as a member of the Armed Forces. Such information is subject to PADFAA’s requirements.”

The warning letters also urge the recipients to “conduct a comprehensive review of [their] practices and immediately bring [those] acts and practices into compliance” and remind them of the steep civil penalties the FTC may obtain under PADFA. The warning letters are signed by the director of the FTC’s Bureau of Consumer Protection, and they identify staff attorneys in that Bureau’s privacy enforcement division as contacts for any follow-up questions, indicating engagement on this issue from multiple levels of agency staff.

Key Tips for Companies that Transfer Third-Party Personal Data Abroad

  1. Perform PADFA-specific compliance:
    • Keep in mind that the definition of a data broker is different under PADFA than under regulations like the U.S. Department of Justice’s Data Security Program;
    • Carefully assess whether data is sensitive under PADFA; and
    • Perform appropriate diligence to understand ownership and control of downstream recipients, in light of PADFA’s specific thresholds for determining foreign control.
  2. Review and Adjust Data Sharing Practices:
    • Screen for PADFA-covered sensitive data against lists of prohibited recipients.
    • Ensure contracts and policies reflect PADFA requirements.
  3. Document Compliance Efforts:
    • Maintain records of risk assessments, compliance policies, training efforts, and remedial actions taken.
    • Always document current compliance. Even if prior policies differed, evidence of current compliance can influence FTC investigative decisions.
    • If your company receives an inquiry from the FTC, consider these tips for responding.
Read Time: 3 min
Jump to top of page

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek