On Friday, April 11, 2025, the U.S. Department of Justice (DOJ) issued guidance about how the regulations would be applied, namely, a Compliance Guide and answers to 108 Frequently Asked Questions. Most significantly, the DOJ also announced a temporary implementation and enforcement policy that “will not prioritize civil enforcement actions against any person for violations of the [regulations] that occur from April 8 through July 8, 2025 so long as the person is engaging in good faith efforts to comply with or come into compliance with the [regulations] during this time.” Despite this brief reprieve, the DOJ made clear that it expects companies to be in full compliance at the end of the 90 days.
The DOJ's groundbreaking regulations governing access to bulk sensitive U.S. personal data and U.S. government-related data entered into force on Tuesday, April 8, 2025 (“Regulations”). (For a robust discussion of the Regulations please see our full analysis, webinar, second webinar, and podcast.)
Here is what you need to know about the DOJ’s recent compliance guidance and temporary non-enforcement policy:
- Non-enforcement until July 8, 2025 for companies engaged in good faith efforts to achieve compliance: Although the regulations went into effect on April 8, 2025, the DOJ announced that it will not target affected U.S. companies for enforcement through July 8, 2025 so long as they are working in good faith to achieve compliance. DOJ’s temporary non-enforcement posture, however, is contingent on affected companies being able to demonstrate their good faith efforts to work towards compliance. According to the DOJ, good faith efforts include (but are not limited to):
- Assessing data flows and access to sensitive personal data;
- Renegotiating vendor agreements or adding new contractual language to contracts with vendors or other foreign person counterparties to data brokerage transactions;
- Transferring products and services to new vendors;
- Establishing new due diligence methods, which include screening for vendors’ geographical location (e.g., headquarters, subsidiary, and branch locations) and foreign ownership structures;
- Adjusting employee work locations, roles, or responsibilities; and
- Implementing CISA’s Security Requirements, if entities are engaged in restricted transactions.
- Compliance Guide Sets Expectations for Compliance Program: Although the DOJ made clear that adhering to the Compliance Guide does not automatically constitute compliance, the guide is informative about the DOJ’s expectations for compliance programs, including:
- Board and Top Executive Expected to Oversee Compliance:
- The DOJ’s Compliance Guide sets forth its expectations for the involvement of senior management and boards, including having qualified compliance managers and having the CEO, board, and audit committee review the annual audit report for companies engaged in restricted transactions.
- The Guide also indicates that the CEO is expected to consult with the chief compliance officer and other appropriate stakeholders to verify the statements in the annual certification of the data compliance program implementation and due diligence, implementation of the security requirements, and the completeness and accuracy of the recordkeeping document as supported by an audit.
- Adoption of Appropriate Policies and Procedures: The DOJ noted that failure to adopt and maintain adequate policies and procedures may be a violation of the regulations. The program must include risk-based procedures for verifying data flows and vendor screening (discussed further below).
- Training: Although not expressly required, the DOJ also encouraged U.S. companies to institute training for employees, conduct ongoing risk assessments, and implement internal controls to facilitate escalation and reporting.
- Security Policy: U.S. companies engaged in a “restricted transaction” must have a written security policy describing implementation of the CISA Security Requirements.
- Vendor Due Diligence Limits:
- The DOJ clarified that U.S. companies are not required to conduct due diligence on vendors’ employment practices (e.g., to determine whether the vendor employs individuals in countries of concern). Likewise, U.S. companies are not expected to conduct diligence to determine control or influence by countries of concern or covered persons.
- However, U.S. companies are required to conduct diligence regarding counterparties’ ownership and geographical location to determine whether they meet the definition of a covered person. The DOJ has not prescribed or endorsed any specific method to screen counterparties, but instead noted the process should be based on a company’s individual risk profile.
- Contracting with Foreign Persons:
- The DOJ provided sample contract language that U.S. companies can consider regarding the prohibitions on onward transfers for foreign counterparties. This includes optional language requiring periodic certification of compliance with these contractual obligations.
- Notably, the DOJ made clear that contract provisions alone are insufficient to ensure compliance: U.S. companies still must maintain appropriate systems and controls, including reasonable diligence, to mitigate the risk of violations.
- Voluntary Disclosure of Violations: The DOJ stated it will review the “totality of the circumstances” surrounding a violation, including whether a matter was voluntarily self-disclosed. The DOJ indicated that specific enforcement guidance is forthcoming and will provide additional information on voluntary disclosures and other mitigating factors.
Things to Consider over the Next 90 Days
When navigating this 90-day non-enforcement period, U.S. companies should consider that:
1. The regulations may apply to your company regardless of whether you have operations or conduct business in a country of concern.
2. The regulations rely on non-traditional definitions of terms like “access” and “data brokerage,” and broader interpretations of “sensitive” data than are typical in privacy law.
- The DOJ guidance emphasized that implementation of the CISA security requirements does not take the transaction outside the scope of the Regulations, but it is not clear whether and how existing security controls (separate from the CISA requirements) are relevant to an analysis of “access” under the regulations.
- “Data brokerage” transactions include “the sale of data, licensing of access to data, or similar commercial transactions,” which DOJ confirmed to include first-party data brokers (which collect information directly from customers) and more traditional third-party brokers (which receive data from other parties and subsequently engage in commercial transactions involving it).
- Unlike existing data privacy laws, the regulations also apply to “sensitive personal data” categories that have been anonymized or de-identified.
3. Determining whether and how the regulations apply is a fact-intensive endeavor. Among other things, exemptions are narrow and nuanced and may impose additional requirements if you rely upon them.
4. The DOJ expects you to “Know Your Data.”
5. The DOJ expects you to “Know Your Vendors and Customers.”
6. If you are engaged in a “restricted transaction,” the security requirements—which apply at both the data and systems levels—are onerous and go beyond standard industry frameworks.
7. You may receive outreach from third parties about your compliance status, and you should be prepared to respond and document the basis for those responses.
8. You should implement or update your compliance programs, policies, and procedures appropriate to your risk profile, and document your decision-making.