Question: What has changed about U.S. regulators’ intention to regulate data transfers to U.S. foreign adversaries in 2026?
Answer: Both federal regulators and state enforcement authorities have recently emphasized their intention to regulate the transfer of Americans’ sensitive data to foreign adversaries.
These developments follow the enactment of the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA) in 2024 and the Department of Justice’s 2025 regulations implementing Executive Order 14117 on preventing access to sensitive U.S. data by countries of concern (e.g., China and Russia) (“DOJ Data Security Program”).
Collectively, these trends signal that cybersecurity and data privacy regulation—particularly with respect to data flows to designated countries—is increasingly being treated as a matter of U.S. national security. Below is a short round-up of the recent announcements and what you need to know:
- FTC Sends Warning Letters to Data Brokers on PADFAA Compliance.
The Federal Trade Commission (FTC) recently sent warning letters to 13 data brokers reminding them of their obligations under PADFAA, a law that prohibits data brokers from selling, disclosing, or providing access to personally identifiable sensitive data of U.S. individuals to designated foreign adversary countries (such as China and Russia), or to entities controlled by them. (See our client alert regarding PADFAA’s requirements). PADFAA could apply broadly to companies that are not traditionally viewed as data brokers, such as companies that collect data directly from consumers, enrich that data with details obtained from third parties, and then subsequently share the data with other companies for those companies’ own purposes.
The FTC informed letter recipients that the Commission has identified instances in which the recipient companies offered solutions involving the status of an individual as a member of the Armed Forces, one of the data categories subject to the law. The FTC directed the recipients to review their practices for compliance and warned that violations could result in enforcement actions. Notably, unlike violations of Section 5 of the FTC Act (pursuant to which the FTC primarily brings its cybersecurity and privacy enforcement actions), violations of PADFAA can result in civil penalties of up to $53,088 per violation—which the FTC pointedly noted in its letters. The Commission also stated that it is monitoring the marketplace for potential violations, signaling that PADFAA enforcement will be a high priority for the FTC going forward.
- Florida AG Announces CHINA Prevention Unit.
Florida Attorney General James Uthmeier recently launched the Consumer Harm from International Nefarious Actors (CHINA) Prevention Unit within the Florida Attorney General’s Office. The unit, which is the first of its kind, is charged with investigating and pursuing actions against companies that allegedly mishandle or transfer Floridians’ data to foreign adversaries—particularly entities with ties to the Chinese Communist Party (CCP).
The announcement highlighted Attorney General Uthmeier’s existing investigations into several companies over foreign ties and alleged unlawful data practices. The creation of the CHINA Prevention Unit demonstrates how state agencies are stepping more assertively into the national security arena—an area historically within federal authorities’ remit—to address data privacy and security concerns posed by foreign adversaries’ access to sensitive data of U.S. persons.
Why it Matters
Consistent with a broader U.S. policy shift to more aggressively police against foreign misuse of Americans’ sensitive data, the FTC’s PADFAA warnings and Florida’s new CHINA Prevention Unit, coupled with the recent DOJ Data Security Program, underscore both federal and state regulators’ intent to actively enforce data privacy and cybersecurity requirements as a national security priority.
Companies should assess compliance with these new regimes, including the DOJ Data Security Program, which applies broadly to essentially any U.S. company providing access to certain U.S. data to vendors, employees, investors, or other third parties located in or affiliated with countries of concern. Notably, violations of the DOJ Data Security Program can be both civil and criminal. (Learn more about the DOJ Data Security Program).
In particular, companies should review and monitor their data flows, conduct vendor due diligence, and evaluate how their data sharing practices comply with these new, rigorous regulatory requirements.