The FTC Puts Data Brokers on Notice: What PADFAA Means for Your Business

On February 9, 2026, the Federal Trade Commission (FTC) sent warning letters to 13 data brokers, reminding them of their legal obligations under the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA). The letters should be viewed as a shot across the bow for the entire data broker industry. The move signals that the agency is actively monitoring the industry and is prepared to take enforcement action against companies that fail to comply.

What Is PADFAA?

Enacted in 2024, PADFAA is a federal law designed to prevent sensitive personal data about Americans from falling into the hands of foreign adversaries. Specifically, the law prohibits data brokers from selling, releasing, disclosing, or otherwise providing access to personally identifiable sensitive data to:

  • Any foreign adversary country (North Korea, China, Russia, or Iran), or
  • Any entity that is controlled by those countries (here is a due diligence nightmare)

The categories of data covered under the law are broad and include:

  • Health and genetic information
  • Financial records
  • Biometric data
  • Precise geolocation information
  • Sexual behavior information
  • Account or device login credentials
  • Government-issued identifiers such as Social Security numbers, passport numbers, and driver’s license numbers

In short, PADFAA covers some of the most personal and sensitive information that data brokers routinely collect and trade.

Why Did the FTC Act Now?

The FTC’s warning letters were not sent at random. The agency noted that some of the recipients appeared to be offering “solutions and insights” related to individuals’ status as members of the Armed Forces — a data category that falls squarely within PADFAA’s protections. Military status, when combined with other sensitive personal data, could pose significant national security risks if shared with adversarial foreign powers.

Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection, was direct in his message: “These letters should send a message to all data brokers to be aware of the law’s requirements and ensure they are not engaging in practices that violate it.”

The FTC’s action underscores a growing concern at the federal level about the exposure of sensitive American data to adversarial nations — a concern that has intensified as geopolitical tensions have risen and as data has become an increasingly powerful tool for espionage, influence operations, and military targeting.

What the FTC Is Asking Companies to Do

The warning letters carry a clear directive: conduct a comprehensive review of your business practices to ensure full compliance with PADFAA. Companies that fail to do so risk more than reputational damage. A violation of PADFAA may result in an FTC enforcement action that could include civil penalties of up to $53,088 per violation — and, in a world where data transactions occur at massive scale, those per-violation penalties can add up quickly.

What This Means for the Data Broker Industry

This FTC action has broad implications for any company that collects, aggregates, or resells personal data:

1. PADFAA compliance must be proactive, not reactive. Companies cannot afford to wait for an enforcement action to understand their obligations. The law is already on the books, and the FTC is watching.

2. Know your customers — and their controllers. PADFAA’s reach extends to entities “controlled by” foreign adversaries. This means data brokers need to conduct meaningful due diligence on who their customers are and what relationships those customers may have with foreign governments or entities.

3. Military and government data deserve extra scrutiny. The FTC’s specific mention of military status data is a strong signal that data touching national security-sensitive populations will receive heightened regulatory attention.

4. Data categories matter. The breadth of PADFAA’s covered data types means that many common data broker products — background check reports, consumer profiles, location history data, health data aggregates — may contain information that triggers compliance obligations.

5. Enforcement is coming. The fact that the FTC sent warning letters to 13 named companies rather than issuing general guidance suggests the agency has done its homework. Companies that don’t act on these letters could be the subjects of the first PADFAA enforcement cases.

A Broader Context: Data Privacy in the National Security Era

PADFAA represents a new frontier in data privacy regulation — one where the stakes extend beyond consumer protection and into national security. For years, the U.S. has debated whether to enact comprehensive federal privacy legislation. PADFAA is narrower in scope, but it reflects a bipartisan consensus that some categories of sensitive data require protection not just from corporate misuse, but from foreign exploitation.

This FTC action also arrives as regulators more broadly are scrutinizing the data broker ecosystem. The FTC has previously published reports highlighting the opacity and risks of the data broker industry, and enforcement actions under laws like the Fair Credit Reporting Act (FCRA) have shown the agency is willing to hold companies accountable for how they handle personal data.

For data brokers, the message is clear: the era of operating in the shadows is over. Regulatory scrutiny is intensifying, and PADFAA adds a powerful new enforcement tool to the FTC’s arsenal.

Key Takeaways

  • The FTC sent PADFAA warning letters to 13 data brokers in February 2026, citing concerns about military status data being offered in data products.
  • PADFAA prohibits data brokers from sharing sensitive personal data with foreign adversaries (China, Russia, North Korea, Iran) or entities they control.
  • Covered data includes health, financial, biometric, geolocation, genetic, and government identifier information.
  • Non-compliance can result in civil penalties of up to $53,088 per violation.
  • Companies should immediately review their data products, client lists, and business practices to ensure PADFAA compliance.

Troutman Amin, LLP will continue to monitor these directives as they come down.

Because there is a right way and a wrong way to do things, and the FTC has the executioner’s axe to inform you.

Troutman Amin, LLP believes in doing things the right way. And in helping others to do the same.

Be safe, everybody, and remember the Law Conference of Champions IV, May 4-6, 2026, in Irvine, CA.
