Sunstein Insights Shape Created with Sketch.

Back to All Publications

Data Brokers May Need to Avoid: Selling Personal Information to Foreign Adversaries

Thomas C. Carey

Thomas C. Carey | Partner, Business Chair View more articles

Thomas is a member of our Business Practice Group

On March 20, 2024 the U.S. House of Representatives unanimously approved a privacy-related bill, H.R. 7520 (the “Data Broker Bill).” This comes on the heels of another privacy-related bill approved by the House on March 13, 2024, H.R. 7521 (the “Tik-Tok Bill”), which would put in place a mechanism that could lead to a forced sale of Tik-Tok.

The Data Broker Bill (formally named the “Protecting Americans’ Data from Foreign Adversaries Act of 2024”), would forbid data brokers that are subject to the jurisdiction of the Federal Trade Commission from selling sensitive personal information about U.S. residents to entities that are located in, or are 20% or more owned by entities located in, Russia, China, Iran and North Korea (described as “foreign adversaries”). This list is statutory, so there is little chance that it can be expanded by the FTC absent further legislative action.

“Sensitive personal information” is defined in section 7(c) of the bill. It includes social security numbers, other government-issued identifiers, and health, financial, biometric, genetic, geolocation and web browsing information. It also includes voicemails, emails, text messages, telephone call information, log-in credentials, calendar information, and information that reveals the status of an individual as a member of the armed forces. There is yet more detail in this definition.

The law applies only to data brokers, a term that includes entities that sell information about U.S. residents that they did not collect directly from the individual. There are exclusions for organizations reporting or publishing news, publishers of publically available information, and service providers.

The prohibition of selling personal information is not limited to the sale of large quantities of data, but could be invoked in connection with the sale of information about a single individual. And it covers more than ordinary sales, picking up any transaction in which the data broker receives consideration of any kind. Similarly, it is not limited to the transmittal of data, but includes providing access to it.

This bill now proceeds to the Senate. Given its unanimous support in the House, it seems likely to be approved by the Senate. The Tik-Tok bill is more likely to be slowed down. The ACLU says that it amounts to censorship, and some Senators have expressed reservations about the broad discretion that it gives the President. The Data Broker Bill does not present similar concerns.

The White House has expressed support for the Tik-Tok Bill but has so far been silent on the Data Broker Bill, which overlaps with an Executive Order issued on February 28, 2024 (the “EO”). The EO authorizes the Department of Justice to issue regulations governing the bulk transfer of personal information to “countries of concern”. Unlike the Data Broker Bill, which targets certain foreign countries by reference to an existing statute, the EO authorize the Department of Justice, with the concurrence of the Secretaries of State and Commerce, to identify the countries of concern. Press reports indicate that, in addition to the four countries targeted by the Data Broker Bill, the EO is also aimed at Cuba and Venezuela.

The Tick Tok and Data Broker bills constitute the first major U.S. privacy legislation in several years. While they are narrow in the sense that they focus on foreign adversaries, they are broad in the scope of activities that they cover. Data brokers will, if the bill becomes law, have to undertake due diligence regarding their customers to ensure that they are not 20% or more owned by entities having certain ties to foreign adversaries.

Running afoul of the Data Broker law would constitute an unfair and deceptive trade practice giving the FTC the power to impose fines and demand consent decrees. If passed, it will present another compliance worry for data brokers.

We use cookies to improve your site experience, distinguish you from other users and support the marketing of our services. These cookies may store your personal information. By continuing to use our website, you agree to the storing of cookies on your device. For more information, please visit our Privacy Notice.

Subscribe to our Newsletters

Subscribe to: