FTC Looks to Leverage PADFAA Enforcement to Help Limit Exposure of Consumer Data

In recent comments, Commissioner Holyoak signaled that the Federal Trade Commission will prioritize enforcement of the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA), a law that empowers the FTC to police the disclosure of U.S. consumers’ personal information to entities based in China and other “foreign adversary” countries. Although the FTC has not yet publicly brought an action under PADFAA, the Commissioner’s remarks imply that any enforcement reprieve may be short-lived.

Consistent with a broader U.S. policy shift to more aggressively police against foreign misuse of Americans’ data, these recent comments underscore that the FTC views PADFAA as complementing the Department of Justice’s recently finalized regulations prohibiting or restricting access to certain personal information by China, Russia, and other countries deemed to pose a national security risk to the U.S. The current administration’s recent cybersecurity executive order has reinforced the focus on privacy and cybersecurity threats from foreign adversaries, a priority that federal agencies are expected to address.

The Unexpected Power of PADFAA

PADFAA is a powerful tool in the FTC’s arsenal because its broad definition of “data broker” applies to a wide range of conduct, including potentially companies that disclose consumer data obtained from a source other than the consumer—even if the company has a direct relationship with the consumer. The law could apply to companies that are not traditionally viewed as data brokers, such as business-to-consumer companies that collect data directly from consumers, enrich that first-party data with details obtained from third parties (such as data brokers or other partners), and then subsequently share the data with other companies for those companies’ own purposes.

Whether or not they view themselves as data brokers, companies that handle U.S. consumer data should assess their data collection and sharing practices to determine whether and how PADFAA applies to their business so that they may take any appropriate steps to comply with the law to mitigate enforcement risk.

In this alert/article, we summarize PADFAA’s scope, requirements, and exceptions, and identify the steps companies should take to avoid, and, if necessary, address FTC inquiries.

PADFAA Requirements

PADFAA prohibits companies that qualify as a “data broker” from making certain “personally identifiable sensitive data” of U.S. individuals available to entities affiliated with “foreign adversary” countries, including China, Iran, North Korea, and Russia. Critically, PADFAA does not include any data volume thresholds for applicability—so any amount of personal information a company discloses may trigger PADFAA’s restrictions.

The types of personal information PADFAA restricts include:

• Government-issued identifiers (such as a Social Security number);
• Precise geolocation information that reveals the physical location of an individual or device within a range of 1,850 feet;
• Biometric information;
• Genetic information;
• Health information;
• Financial account number, credit card number, or information revealing an individual’s account balance or income level;
• Private communications (such as email, text, or video) or information identifying the parties to such communications;
• Account login credentials;
• Information identifying sexual behavior of an individual;
• Calendar information, including address book;
• Phone and text logs, photos, videos, and audio recordings maintained for an individual’s private use;
• Photographs or videos showing an individual’s naked or undergarment-clad private area;
• Information revealing the video content requested or selected by an individual;
• Information about individuals under the age of 17;
• An individual’s race, color, ethnicity, or religion;
• Information identifying an individual’s online activities over time and across websites or online services;
• Military status; and
• Any other data made available to a foreign adversary for the purpose of identifying one of the data elements set out above.

PADFAA prohibits data brokers from making this information available to any foreign adversary country and to any “entity that is controlled by a foreign adversary,” which include:

• Non-U.S. individuals or entities that are domiciled in, organized under the laws of, headquartered in, or have their principal place of business in a foreign adversary country;
• Entities that are 20% or more owned by non-U.S. individuals or entities described above; or
• Any person subject to the direction or control by any non-U.S. individual or entity in the categories set out above.

PADFAA Exemptions

Given the FTC’s focus on using PADFAA to limit disclosure of consumer information to foreign adversaries, the Commission may interpret the law’s exemptions narrowly.

There are several notable—but limited—exclusions from the definition of “data broker” that companies should carefully consider:

First, PADFAA does not restrict data transfers to recipients acting as service providers, that is, entities that collect, process, or transfer data on behalf of, and at the direction of, the disclosing party. However, the scope of this exclusion is both limited and ambiguous.

For example, if the disclosing party is a foreign adversary or otherwise controlled by one, the data recipient—irrespective of their role in processing the data—cannot be a “service provider” as defined under the statute. As a result, interpreted broadly, PADFAA could prohibit entities designated as foreign adversaries—or entities controlled by them—from sharing covered data with any vendors at all, even if those vendors would otherwise qualify as service providers under the statute. Similarly, U.S. companies could be barred from disclosing covered data to vendors that also offer their services to foreign adversaries or entities they control. Enforcement activity and agency guidance will be critical to clarifying how this exclusion is interpreted and applied in practice.

Second, PADFAA’s restrictions do not apply to entities offering a product or service in which the consumer data (or access to such data) is not the entity’s product or service. For example, this exemption may apply to entities for which the disclosure of consumer information would be incidental to their business, such as a retailer that shares website user data with AdTech providers or messaging vendors to facilitate marketing communications. On the other hand, if a retailer is engaged in data-sharing partnerships with other retailers or entities, the FTC could view that data-sharing as a product or a service even if it’s not the core retail function.

In addition, PADFAA’s restrictions do not apply to:

• Transfers made at the individual’s request or direction;

• Entities reporting or publishing news or information that concerns local, national, or international events or other matters of public interest; or
• Entities reporting, publishing, or otherwise making available news or information (not including an obscene visual depiction) that is available to the general public, including information from books, movies, TV, or the Internet.

PADFAA Enforcement

PADFAA empowers the FTC to enforce violations of the law as unfair or deceptive acts or practices or violations of trade regulation rules under Section 5 of the FTC Act. Pursuant to this authority, the FTC can impose both injunctive relief and monetary penalties for PADFAA violations.

The FTC frequently has a low threshold for initiating inquiries under Section 5. Often, an inquiry can be triggered by a media report, whistleblower tip, blog post, or even a discussion on social media.

Before launching a formal inquiry with a Civil Investigative Demand that requires the production of documents and other relevant information, the FTC may approach a company with an opportunity to provide information voluntarily. This type of early interaction with the FTC can be challenging because, although cooperation can potentially deter a formal inquiry, the request to provide information may not be specific, and early cooperation may limit the company’s strategic options if the inquiry nonetheless moves forward.

Additionally, if the FTC does launch an inquiry, it likely would involve a broad examination of the target’s policies and practices. For example, an inquiry initially focused on PADFAA compliance may also include the target’s privacy and advertising practices, areas that the FTC also polices under its Section 5 authority. For this reason, companies contemplating their PADFAA compliance posture also should consider how their broader policies and practices would withstand Section 5 scrutiny.

The FTC also may use its Section 6 authority to launch a wide-ranging fact-gathering inquiry about industries or practices, which would require companies to respond even in the absence of allegations of wrongdoing. The FTC can then use the information it gathers to launch enforcement actions under Section 5. The FTC previously used this authority to examine data brokers. In 2014, the FTC published a report that documented its Section 6 investigation of the data broker industry, “Data Brokers: A Call for Transparency and Accountability.” That effort led many data brokers to change their practices, such as offering consumers the right to have their information deleted from the brokers’ databases.

Next Steps for PADFAA Compliance

To mitigate the risk of FTC enforcement of PADFAA, companies should consider taking the following steps:

• Conduct an internal risk assessment to determine what personal information the company collects, stores, and shares. This includes examining customer data, vendor-sourced data, and data buyers to identify whether any of these data flows involve a foreign adversary country or an entity controlled by a foreign adversary.
• Determine whether PADFAA applies. Specifically, assess whether the company falls under PADFAA’s expansive definition of a “data broker” and, if so, whether any exemptions apply. If PADFAA does not apply, document this conclusion and the reasoning.

• Update privacy policies, vendor agreements, and internal compliance controls to reflect the FTC’s requirements and expectations. This exercise may involve adding technical and contractual protections to prevent unauthorized access by foreign entities.

Hebani Duggal, a law clerk in our New York office, contributed to this client alert.