More than a year ago, the U.S. Congress enacted the Protecting Americans’ Data from Foreign Adversaries Act (PADFA) with overwhelming bipartisan support. Congress passed PADFA to address urgent national security concerns that sensitive information about Americans, including military members, was being sold to entities in China or other adversary nations. The legislation prohibits “data brokers,” companies that collect personal information and then sell it to third parties, from disclosing “personally identifiable sensitive data” of U.S. individuals to designated foreign adversary countries or entities “controlled by a foreign adversary.” The statute, which became effective on June 23, 2024, authorizes the Federal Trade Commission (FTC) to seek penalties of more than $50,000 per violation.
Since then, there has been no public action on, and scant public discussion of, this critical national security law. Although there are some hurdles to FTC enforcement, these do not excuse the lack of action. For those of us who would like to see the FTC as a leader in data protection enforcement, and for anyone who would like to believe that federal preemption of state privacy laws is at all politically viable or wise, the FTC’s inaction on this critical federal data protection law is concerning.
The FTC Has the Expertise to Enforce PADFA
The FTC, an independent agency tasked with enforcing antitrust laws and protecting American consumers, has the experience and authorities to be an effective enforcer of PADFA.
PADFA exists entirely independently of the Justice Department’s Bulk Data Regulations, which arose out of Executive Order 14117 and went into effect on April 4. Among other things, PADFA applies to non-bulk data transfers so long as they fit its (broad) definition of personally identifiable information. And, although PADFA is more limited because it applies only to data brokers, the scope of prohibited transferees includes any entity with 20 percent ownership by a person from an adversary country, whereas the Bulk Data Regulations require 50 percent ownership.
The FTC is particularly well-suited to enforcing PADFA because the Commission has a history of bringing cases that have involved or potentially involved the disclosure of sensitive U.S. consumer information to companies located in countries considered foreign adversaries.
- In February 2017, the Commission settled an action against VIZIO for collecting, using, and disclosing consumers’ television viewing information without consent. The FTC took this action during an attempted $2 billion acquisition of VIZIO by Chinese electronics company LeEco. The deal was abandoned in April 2017.
- In April 2018, the Commission took action against discount phone manufacturer BLU for failing to disclose to consumers that BLU pre-installed spyware on consumers’ phones that allowed a China-based third party to collect detailed personal information about the phone users.
- In May 2023, the Commission settled an action against fertility tracking app Premom, regarding allegations that the company deceptively shared users’ sensitive health data with analytics firms based in China. A related class-action lawsuit further claimed that this shared data was stored on servers located in China, raising concerns about potential access by the Chinese government.
- In June 2024, the Commission referred to the DOJ an action against TikTok. Although the complaint does not refer to allegations that TikTok transferred user data to China, these concerns have been publicly aired in a variety of settings.
The Commission also has deep expertise involving data brokers. The Commission first turned its focus to data brokers more than a decade ago, when it published its report: Data Brokers: A Call for Transparency and Accountability. In just the last two years, the Commission has taken action against five location data brokers, including one still in litigation:
- In August 2022, the FTC filed a lawsuit against Kochava Inc., alleging that the company’s sale of customized geolocation data feeds allowed purchasers to identify and track specific mobile device users at sensitive locations. The FTC sought to halt Kochava’s sale of this sensitive data and require the deletion of previously collected information.
- In January 2024, the FTC announced a settlement with X-Mode Social, Inc. (now Outlogic LLC), prohibiting the company from selling or sharing precise geolocation data that could track people to defined sensitive locations like reproductive health clinics and places of worship. The settlement also required X-Mode to implement a supplier assessment program to ensure data was collected with consent.
- Also in January 2024, the FTC announced a settlement with InMarket Media, LLC, prohibiting the company from selling or licensing precise location data after alleging they didn’t fully inform consumers and obtain their consent for the collection and use of this data for advertising. The order also requires InMarket to delete previously collected location data unless they obtain consent or de-identify it.
- In December 2024, the FTC announced a settlement with Mobilewalla, Inc., alleging the company unlawfully tracked and sold consumers’ sensitive location data, including visits to healthcare facilities and places of worship, without reasonable steps to verify consent. The order bans Mobilewalla from selling sensitive location data and requires them to implement a comprehensive privacy program.
- Also in December 2024, the FTC announced a settlement with Gravy Analytics Inc. and its subsidiary Venntel Inc., alleging they unlawfully tracked and sold consumers’ sensitive location data, including visits to healthcare facilities and places of worship, without verifiable user consent. The order prohibits Gravy Analytics and Venntel from selling sensitive location data and requires them to delete historical data.
The Commission also has a wealth of experience unraveling complex corporate structures. The bad actors that the Commission pursues in its fraud work typically hide their ownership of companies behind a series of shell companies. Commission investigators are routinely required to determine the real ownership behind companies. This makes the Commission uniquely capable of identifying which companies might have 20 percent ownership stakes held by individuals from nations on the adversary list.
Finally, the Commission has broad authority to compel responses to a Civil Investigative Demand (CID), a subpoena used in civil investigations, even absent any indication that the target company was breaking the law. Given the Commission’s enforcement experience and public reporting on the availability of U.S. data overseas, the Commission has strong reason to begin an investigation. For example, the Commission could send a short CID to dozens of advertising exchanges to determine what entities are receiving consumers’ information on the exchange, and then proceed to evaluate the ownership of those entities either through subsequent CIDs or through its internal databases.
Headwinds to FTC Enforcement
Unfortunately, there are a handful of obstacles to FTC enforcement. First, PADFA is a national security law, and the FTC is not considered an agency with any particular national security expertise. The Commission’s lack of national security credibility might undermine the potential for the type of interagency information sharing that might provide the Commission with what it needs to identify and pursue a target. Practically speaking, there are very few employees at the FTC who have clearance to receive the sort of classified information that might be necessary to build a case under PADFA. It’s unknown whether the Commission has engaged in efforts to remediate this problem under Chairman Andrew Ferguson.
Second, PADFA authorizes the FTC to seek civil penalties only through an arcane referral process, which creates obstacles to enforcement. Although the Commission’s PADFA authority is independent from the DOJ’s Bulk Data Regulations, the Commission cannot bring a civil penalty action under PADFA without referral to the DOJ. PADFA states that the Commission may pursue a violation of PADFA in the same manner as it pursues a violation of a trade rule:
A violation of this section shall be treated as a violation of a rule defining an unfair or a deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
This formulation, which is the same authority provided to the Commission under other statutes, such as the Children’s Online Privacy Protection Act (COPPA), requires that the Commission refer a matter seeking civil penalties to the Attorney General. Practically speaking, if the DOJ believes the Commission should not bring an action because of the Bulk Data Regulations or any other reason, the DOJ could accept the referral and then substantially neuter or delay the action. If the current Commission leadership is inclined to defer to the DOJ National Security Division’s more regulation-forward process established pursuant to Executive Order 14117, it may be persuaded by colleagues in the Department of Justice to never bring up these matters for referral. This problematic process was the subject of several unusually public referrals and a highly critical statement when Lina Khan was the Chair of the FTC. At the very least, the arcane and unnecessary referral process will give companies several bites at the apple to attempt to dissuade the government from bringing a case.
Finally, one technical headwind against application of PADFA is that the statute authorizes the Commission to pursue data brokers only for the transfer of information that the data brokers did not collect “directly from” consumers. This provision may have been drafted to target shady actors with whom consumers have no relationship, and therefore no ability to refuse to consent to certain data practices. In practice, though, this provision exempts a huge number of data brokers, including many of the location data brokers that recently settled with the FTC, because they collect location information directly from consumers through Software Development Kits, or SDKs, embedded in smartphone apps. Some commentators have suggested that there is some uncertainty about how the Commission might interpret “directly,” observing that “SDKs, third-party pixels, and cookies, for example, could be considered as tools for indirect data collection,” thus putting those data brokers within the law’s scope. However, regarding COPPA, the Commission has already stated that “directly from” includes the makers of plug-ins or other ad networks operating on a child-directed site. (In the context of COPPA, the broader definition of “directly from” expands the scope of the protections, whereas in PADFA, the broader definition of “directly from” narrows the scope of the law.) This position has been confirmed in sub-regulatory guidance and at least one enforcement action against an ad exchange. Although COPPA is a different statute and context, the Commission’s interpretation of identical language in COPPA will be a significant defense for data brokers as to personal information they collect through SDKs or other comparable technologies.
Explanations for Inaction
Notwithstanding these potential headwinds, it seems clear that the Commission should have taken action on PADFA already. Of course, one possible explanation is that the Commission is, in fact, taking action on PADFA, and some public announcements are right around the corner. It does take time to identify targets, build cases, and refer matters to the DOJ. And, a change in administration inevitably slows the progress of matters making their way through the Commission as a new cadre of decision-makers attempts to understand and put their stamp on cases in the pipeline.
Another possible explanation is that Congress just gives the Commission too much to do for its size. At a May 15 House appropriations hearing, Ferguson deftly navigated between talking about downsizing the Commission to match its budget and also enthusiastically endorsing robust enforcement across the Commission’s many critical mandates. For example, he confirmed his commitment to strong enforcement of the “TAKE IT DOWN ACT,” an initiative against “revenge porn,” championed by First Lady Melania Trump, while at the same time noting that the Commission would have to develop and hire for an entirely new enforcement apparatus, unlike anything the Commission has ever done before. Ferguson probably cannot publicly admit this, but there is substantial tension between his admirable commitment to the FTC’s many congressional mandates and his commitment to the Trump administration’s alleged goals of fiscal restraint.
Lastly, in the past few transitions, Republican administrations at the FTC have tended to take a step back on data protection as compared to their Democratic predecessors. This has meant fewer personnel dedicated to privacy matters, as well as fewer resources and decreased bureaucratic prioritization. But typically, such retrenchment has focused only on reining in the expansive use of the unfairness prohibition of the FTC Act, a feature of the FTC Act that allows the Commission to prohibit practices based on a weighing of injury versus countervailing benefits. By contrast, specific congressional mandates involving data protection (such as the FCRA, COPPA, GLBA, and HBNR) have continued to be robustly enforced. Even if it were true that the current leadership is less interested in data protection, the Commission should still want to vigorously implement a law like PADFA, which has popular support.
Implications for the Success of Federal Privacy Law that Preempts State Laws
The first-order implication of the FTC’s inaction on PADFA is that the personal information of U.S. citizens can continue to be transferred to adversarial nations without consequences. That is bad for U.S. consumers and bad for national security.
A second-order implication of the FTC’s inaction on PADFA is that it undermines the case for federal privacy law that preempts state laws. Federal privacy legislation that has proposed preemption of state laws has also made the Federal Trade Commission the principal enforcer of those laws. Although such proposed legislation, such as the American Data Privacy and Protection Act (ADPPA), also contains provisions for enforcement by states’ attorneys general, the FTC would ultimately become the driving force behind enforcement of privacy laws in the United States. Any political consensus around putting Americans’ privacy in the hands of federal enforcers, and eliminating state privacy laws, requires, at a minimum, an FTC that takes action on its congressional mandates to protect consumer privacy. If the FTC fails to take action on a bipartisan privacy law motivated by national security, like PADFA, legislators will be justifiably circumspect about entrusting the FTC with all consumer privacy, at the expense of state protections.
Time for the FTC to Step Up on Data Protection
During his confirmation hearing in September 2023, Ferguson emphasized the need for federal data protection laws, and said that the FTC was a “good candidate” for such authorities. In his dissent from the Commission’s published regulatory agenda in December 2024, Ferguson stated that the Commission must “vigorously and faithfully enforce the laws that Congress has passed.” He repeated this sentiment in his May 15 budget testimony.
In PADFA, the FTC has a data protection law that Congress passed with overwhelming bipartisan support. But the Commission has taken no public action on PADFA for nearly a year. To the extent the Commission wants to be taken seriously as a data protection authority, and also to adhere to Ferguson’s commitment to enforcing the authorities granted by Congress, the Commission must commit meaningful resources to the enforcement of PADFA.