PADFAA makes it unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable sensitive data of a United States individual to any foreign adversary country or any entity controlled by a foreign adversary; violations are enforced by the FTC as unfair or deceptive acts under the FTC Act.
PADFAA (and the statute) defines a data broker as an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of U.S. individuals that the entity did not collect directly from those individuals to another entity that is not acting as a service provider (with several exclusions listed in the law).
The law’s definition of “personally identifiable sensitive data” includes government‑issued identifiers (SSN, passport, driver’s license), health and medical information, financial account numbers and income/balance data, biometric and genetic information, precise geolocation, private communications and call/text logs, account/device credentials, sexual‑behavior information, photos/audio/videos stored for private use, data on minors, race/ethnicity/religion, online activities over time, military status, and related categories listed in the statute.
PADFAA uses the term “foreign adversary country” by reference to 10 U.S.C. §4872(d)(2); that provision currently identifies North Korea (DPRK), the People’s Republic of China, the Russian Federation, and the Islamic Republic of Iran.
The FTC enforces PADFAA as an unfair or deceptive‑acts violation under the FTC Act and may bring enforcement actions using the Commission’s full powers (injunctions, orders, civil penalties and other remedies); the agency’s press release warned violations could lead to civil penalties up to $53,088 per violation.
The FTC press release does not name the 13 firms; the agency’s announcement simply says it sent letters to 13 data brokers and posts the letters under its Warning Letters/Legal Library when available—no public list of recipients was included in the Feb. 9, 2026 release.
The press release says the letters ask recipients to conduct a comprehensive review of business practices to ensure compliance; PADFAA gives the FTC broad authority (the Commission’s usual investigative and enforcement tools) but the release does not describe a specific audit program or verification schedule—how the FTC will verify compliance is not detailed in the notice.
For consumers, the notice reinforces that data brokers are banned from providing Americans’ listed sensitive data to foreign adversaries; it does not create a new private right but increases FTC oversight risk for brokers and could reduce the availability of some data in foreign markets or prompt brokers to tighten sales/sharing practices—potentially lowering foreign exposure of sensitive personal data.