The FTC Just Warned 13 Data Brokers: Stop Selling Americans' Data to China and Russia

The Warning Letters

The Federal Trade Commission sent letters to 13 data brokers on February 9, 2026, warning them to comply with the Protecting Americans' Data from Foreign Adversaries Act of 2024 (PADFAA). The letters make clear that the FTC has identified specific instances where recipients have been selling data that falls under the law's protections.

The FTC did not publicly name the 13 companies that received warning letters but released a template letter showing the scope of the warnings. The letters instruct companies to conduct a comprehensive review of their business practices to ensure compliance.

What PADFAA Prohibits

PADFAA makes it illegal for data brokers to sell, release, disclose, or provide access to personally identifiable sensitive data about Americans to any foreign adversary. The designated adversary nations are North Korea, China, Russia, and Iran, including any entity controlled by those countries.

The law covers an extensive list of sensitive data types:

• Health and financial information
• Genetic and biometric data
• Precise geolocation data
• Sexual behavior information
• Account and device login credentials
• Government issued identifiers including Social Security numbers, passport numbers, and driver's license numbers

The Military Data Problem

One particularly alarming detail in the FTC's letters: the agency identified instances where some of the letter recipients have "offered solutions and insights involving the status of an individual as a member of the Armed Forces."

Selling data that identifies active military personnel to adversary nations creates obvious national security risks. Foreign intelligence services could use this information to identify, track, and target service members, their families, and their associates. The data could also be used for espionage recruitment, blackmail, or operational planning.

The Data Broker Industry

Data brokers operate largely out of public view, collecting information from public records, commercial sources, and online activity to build detailed profiles on individuals. These profiles are then sold to advertisers, insurers, employers, and, as PADFAA specifically addresses, foreign buyers.

The industry has faced increasing scrutiny. California's Delete Act created a mechanism for consumers to request deletion of their data from all registered brokers at once. The FTC's enforcement action under PADFAA represents a new regulatory front, focused not on consumer consent but on national security implications of unrestricted data sales.

Penalties and Enforcement

The warning letters carry significant teeth. A violation of PADFAA may result in enforcement action by the FTC, which could include civil penalties of up to $53,088 per violation. For companies selling data on millions of Americans, the potential fines are enormous.

The letters effectively put the entire data broker industry on notice. While only 13 companies received direct warnings, the public release of the template letter signals that the FTC is prepared to expand enforcement to any broker that continues selling sensitive data to foreign adversaries.

What You Can Do

While PADFAA targets data brokers selling to foreign governments, the underlying problem is the vast amount of personal data being collected in the first place. Every data point that a broker collects, whether from public records, commercial transactions, or online tracking, is a data point that could be sold to the highest bidder.

Reducing the data available about you starts with controlling what you share. Use privacy focused tools to limit tracking across the web and in your inbox. Block email tracking pixels that reveal your location, device, and reading habits to senders. Opt out of data collection where possible. The less data that exists about you, the less there is for brokers to sell, regardless of who the buyer is.