The Protecting Americans’ Data from Foreign Adversaries Act - What Digital Advertisers, Publishers and Ad Platforms Need To Know

BakerHostetler

The Protecting Americans’ Data from Foreign Adversaries Act (PADFA or the Act) was signed into law by President Joe Biden on April 24 as part of a larger foreign aid appropriations bill. Although other portions of the legislation have garnered much of the attention from the media and others, PADFA should not be overlooked. PADFA takes effect on June 23. The Act’s broad provisions will impact the social media and digital advertising industry as a whole, and it will be important to monitor how the industry reacts with so little time to prepare and take action to ensure compliance.

Generally, PADFA prohibits data brokers from transferring personally identifiable sensitive data to certain named foreign adversary countries or entities controlled by such countries. But the devil is in the details, and in this case, given the potential breadth of the Act, social media platforms and data-driven businesses like those in the digital advertising space should understand the impact of PADFA, lest they find themselves unexpectedly and quickly in the crosshairs of U.S. regulators.

The crux of the prohibition in PADFA is this:

It shall be unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available the personally identifiable sensitive data of a United States individual to (1) any foreign adversary country or (2) any entity that is controlled by a foreign adversary.

Data Broker

The term “data broker” is defined under the Act as any entity that makes available data of U.S. individuals that it did not collect directly from such individuals. Advertisers, publishers, social and ad tech platforms, and others involved in the digital advertising ecosystem frequently disclose data they did not collect directly from individuals. Indeed, digital advertising often involves the transfer of data across a chain of multiple intermediary parties. Some of those parties are U.S. companies, and others are companies with global reach and operations. And it is not clear, for example, whether collection of data through technologies such as SDKs and pixels placed on third-party apps and sites would constitute collection directly from an individual. PADFA is also limited to disclosures of data for “valuable consideration.” Although the term “valuable consideration” is not explicitly defined in PADFA, we know similar language has been interpreted very broadly in connection with U.S. state privacy laws such as the CCPA, and we expect it would be interpreted broadly here as well to extend beyond monetary consideration and to cover any form of benefit received. PADFA does exclude from the definition of data broker (1) entities providing a product or service wherein “personally identifiable sensitive data, or access to such data, is not the product or service” and (2) entities that are acting as a “service provider.” At this stage, it is unclear how the language will be interpreted or applied and what implementing regulations may follow. Notably, the definition of “service provider” under the Act differs from how similar terms are defined under U.S. state privacy laws. Given the breadth of this definition in PADFA, and the uncertainty around how it will be interpreted, companies that do not consider themselves to be a data broker in the ordinary sense of the word or industry usage should take caution before concluding that PADFA would not apply to them. 
Companies that do not review their data relationships in view of the Act may find themselves unknowingly participating in transactions that are subject to PADFA’s prohibition, thus placing themselves in a vulnerable position before U.S. regulators and potentially subject to reputational harm as well.

Entity Controlled by a Foreign Adversary

PADFA defines foreign adversary countries as North Korea, China, Russia and Iran, by way of reference in the statutory code to 10 U.S.C. § 4872(d)(2). And the Act provides that an entity is controlled by a foreign adversary if it is “(A) a foreign person that is domiciled in, headquartered in, or which has its principal place of business in, or is organized under the laws of a foreign adversary country; (B) an entity with respect to which a foreign person or combination of foreign persons described in subparagraph (A) directly or indirectly own at least a 20 percent stake; or (C) a person subject to the direction or control of a foreign person or entity described in subparagraph (A) or (B).” Notably, the definition is not limited to foreign governments or companies; it also reaches individuals who are foreign persons and can directly or indirectly own or control an entity. Organizations need to examine their data outflows and consider whether they are sharing data, directly or indirectly, with an entity that would be treated as a party prohibited from receiving the data, including whether the scope of the data is covered under PADFA.

Personally Identifiable Sensitive Data

Personally identifiable sensitive data as used in the Act means “any sensitive data that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.” This would appear to include the type of identifiers typically used in the digital advertising space, e.g., device IDs, cookie IDs, mobile advertising IDs, IP addresses, etc. The Act also outlines 17 categories of sensitive data. Many of the specified categories will be familiar to those working in digital advertising because they generally align to categories of sensitive data outlined in U.S. state privacy laws, including healthcare information, biometric and genetic information, precise geolocation data, account or device log-in credentials, and information relating to race, color, ethnicity or religion.

But there are a few ways in which the Act may be broader than U.S. state privacy laws in terms of how it defines sensitive data. For example, the Act defines sensitive data to include “information identifying an individual’s online activities over time and across websites or online services.” Much of the information transferred and shared within the digital advertising space could potentially fall within this category. Although many U.S. state privacy laws contain provisions related to the use of personal data collected over time and across nonaffiliated websites and online services for “targeted advertising,” unlike those laws, PADFA is not limited to the use of such data in connection with targeting ads to consumers, and the transfer of such data is prohibited under PADFA regardless of whether an opt-out is provided or consent is obtained from the data subject.

Under PADFA, sensitive data also includes information that reveals the status of an individual as a member of the U.S. armed forces, which is not a category commonly found in existing U.S. state privacy laws. The last category of sensitive data outlined in the Act with broad implications is any other data provided “for the purpose of identifying the types of data listed in subparagraphs (A) through (P).” This residual catchall is likely to be important, although it is not clear at this point exactly what data would be implicated. Organizations should review their policies and procedures related to the sharing and processing of personal data and evaluate whether changes are needed in view of the broad definition of personally identifiable sensitive data under PADFA.

FTC Enforcement and Penalties

Under PADFA, a violation of the law is treated as a violation of a rule defining an unfair or a deceptive act or practice under the Federal Trade Commission (FTC) Act. For rule violations, the FTC can seek up to $51,744 in civil penalties per violation.

Anytime a federal agency receives new authority from Congress, it is generally expected that the agency will exercise that new authority. Although the FTC has not yet provided any guidance about PADFA, we anticipate that the agency is already pondering how to approach this new authority and when and how to initiate investigations. Given the high-profile nature of this statute, we anticipate that the FTC will initiate nonpublic inquiries or investigations in the relatively near future.

What You Should Be Doing Now

  • Review data outflows and inflows to assess the extent to which PADFA may impact your company’s business model.
  • Update agreements with vendors, customers and partners to include specific representations, warranties and obligations related to PADFA.
  • Review company policies and procedures related to compliance with privacy laws and related legal requirements to ensure they address PADFA, as necessary.
  • Ensure employees are educated about and understand the importance of complying with PADFA.
  • Verify ownership of vendors, customers, partners, etc. to ensure that they are not considered a foreign adversary under PADFA.
  • Reach out to outside counsel to discuss further and advise on what steps your organization should consider before and after the effective date of PADFA.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
