Surprising Breadth

In the past,  data brokers were generally considered to be entities that sell personal information associated with individuals with whom the entities do not have a direct relationship.  However, PADFA defines “data broker” more broadly, as: 

an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.

This definition creates a three-step analysis to determine whether an organization is a data broker under PADFA.

1. First, assess whether the entity collects personal information from sources other than individuals themselves.  Many (if not most) organizations collect personal information from third-party sources, including, but not limited to, affiliates and subsidiaries, service providers, lead generation companies, background check companies, references, certification bodies, and government sources. 

2. The next step is to assess whether the entity makes that information available to non-service providers for valuable consideration.  Almost any exchange of data that is governed by contractual agreements might be considered an exchange for valuable consideration, as parties often agree to undertake some effort (e.g., safeguard the data) or provide some benefit (e.g., provide some service) in exchange for receiving data. 

3. Then, consider whether the data exchanged is personally identifiable sensitive data.  PADFA defines this category of personal data broadly to include:  government-issued identifiers, health care information; financial information; biometric information; genetic information; precise geolocation information; private communications; account or device log-in credentials; sexual behavior information; private calendar and address book information, phone or text logs, photos, audio recordings, and videos; video content requests; information about individuals under the age of 17; race, color, ethnicity, or religion information; information about an individual’s online activities over time and across websites or online services; and military status.

And finally, to assess whether data transfers may be prohibited, consider whether any recipients of such data are controlled by a foreign adversary.  PADFA establishes that an entity is controlled by a foreign adversary if:

• It is domiciled in, headquartered in, holding its principal place of business in, or organized under the laws of a foreign adversary (i.e., China, Russia, Iran, or North Korea);

• A foreign entity (or group of entities) satisfying the condition above directly or indirectly owns at least 20% of the entity; or

• It is subject to the control or direction of a foreign entity satisfying any of the above conditions.

An example may help illustrate how broadly PADFA may apply under these criteria.  Consider a U.S. entity that receives from an affiliate, franchisee, or service provider identifiable information of a 16-year old U.S. resident.  If the recipient of the information makes that information available to affiliates via a data lake or similar repository and the disclosure is made subject to a data sharing agreement, the disclosure may be considered in exchange for valuable consideration.  And if one of the affiliates that participates in the data exchange is based in or subject to the jurisdiction of China, the U.S. entity’s disclosure of the information may now be unlawful.

Penalties and Exemptions

PADFA will be enforced by the FTC, subject to its jurisdictional limits, treating violations as unfair or deceptive acts or practices prohibited by an FTC rule.  As such, the potential civil penalties are $50,120 per violation, which might be counted on a “per data transfer” basis. 

The Act is subject to a number of exemptions.  For example, PADFA establishes no enforcement authority for entities that are not subject to FTC jurisdiction; sensitive personally identifiable information does not include publicly available information; and entities are not data brokers when disclosing information to service providers, at the request of individuals, or in association with products or services where personally identifiable sensitive data is not the product or service.

Next Steps

To prepare for the June 23, 2024, effective date, organizations subject to FTC jurisdiction may assess whether:

• they are collecting personally identifiable sensitive data from sources other than the individuals to which the data relates;
• they are disclosing such data to other entities for valuable consideration;
• any recipients may be deemed subject to the control of China, Russia, Iran, or North Korea; and
• exceptions to PADFA’s prohibitions may apply.