Pryvii
All Posts
Case Studies
February 25, 2026

FTC Warning Letters to 13 Data Brokers: PADFA Compliance Now

On February 9, 2026, the FTC sent warning letters to 13 data brokers over PADFA violations, prohibiting sales of sensitive data like geolocation and health info to foreign adversaries such as China and Russia. Website owners learn how to audit third-party vendors and avoid $53,088 per-violation fines.

Share:

FTC Warning Letters to 13 Data Brokers: PADFA Compliance Now

Imagine waking up to find your website's analytics tool, ad network, or customer data platform under FTC scrutiny—not because of a data breach, but because it quietly funneled sensitive user data to a foreign adversary like China or Russia. On February 9, 2026, the Federal Trade Commission (FTC) sent warning letters to 13 data brokers, spotlighting violations of the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA).1 2 3 This move signals a new era of enforcement where even indirect data flows through third-party vendors could expose your business to fines up to $53,088 per violation.4 2 3 For website owners relying on these brokers for marketing, personalization, or insights, the message is clear: audit your vendors now to avoid becoming the next target.

What is PADFAA and Why Does It Matter?

PADFAA, enacted in 2024, targets a critical national security gap: the unchecked sale of Americans' sensitive personal data to foreign adversaries.1 2 It prohibits data brokers from selling, licensing, transferring, releasing, disclosing, providing access to, or otherwise making available personally identifiable sensitive data of U.S. individuals to countries like China, Russia, North Korea, or Iran—or any entity they control.1 4 5 3

A data broker under PADFAA is broadly defined as any entity that, for valuable consideration, handles data on U.S. individuals that it didn't collect directly from them. This includes vendors offering geolocation tracking, health inferences from fitness apps, or even military status insights—exactly what the FTC flagged in these letters.1 2 6 The agency identified instances where recipients offered "solutions and insights involving the status of an individual as a member of the Armed Forces," deeming this sensitive data subject to the law.2 6 3

Violations count as unfair or deceptive practices under Section 5 of the FTC Act (15 U.S.C. § 45), opening the door to injunctions, enforcement actions, and those hefty civil penalties.4 3 PADFAA's scope overlaps with privacy laws like CCPA (Cal. Civ. Code § 1798.100 et seq.), which requires businesses to know their data flows, and GDPR Article 28 on processor obligations—making compliance a multi-layered imperative.1 4

Breaking Down the Warning Letters

The FTC's letters, signed by Christopher Mufarrige, Director of the Bureau of Consumer Protection, urged recipients to "conduct a comprehensive review of [their] practices and immediately bring [those] acts and practices into compliance."1 2 3 They weren't accusations of illegality but stark reminders: the FTC is watching, with staff from the privacy enforcement division ready to follow up.1

Key elements from the template letter include:

  • Prohibited data types: Health, financial, genetic, biometric, geolocation, sexual behavior info, account/device log-in credentials, and government-issued IDs like Social Security numbers, passports, or driver's licenses.4 2 6 5
  • Enforcement hook: PADFAA ties directly to FTC Act Section 5(m)(1)(A), enabling penalties without proving consumer harm.3
  • Call to action: Discontinue noncompliant practices immediately and ensure ongoing adherence.3

This isn't isolated; it's part of the FTC's broader push on data brokers, echoing past actions under the Gramm-Leach-Bliley Act and COPPA.2 With 13 letters out and more potentially coming, data brokers—and their customers—are on notice.1 7

Who Counts as a Data Broker? It Might Be Your Vendor

You might think data brokers are shadowy firms you've never heard of, but PADFAA's definition catches many website staples:

  • Analytics providers selling aggregated-but-identifiable location data.
  • Ad tech platforms trading user profiles with precise geolocation.
  • CRM tools inferring health or financial status from behavior.

If your third-party vendor meets the criteria—handling U.S. person data not collected directly from them, for compensation—they're a data broker.1 3 Websites using these for personalization or targeting amplify the risk: your consent banners might cover GDPR Article 6 lawful bases, but they don't touch PADFAA's national security angle.2

Real-world overlap: A mapping service tracks user geolocation for your site, then licenses it to a broker chain that reaches foreign entities. Even if unintentional, you're liable if you didn't audit.4 5

Actionable Steps: Audit Your Third-Party Vendors

Website owners can't afford complacency. Here's a practical, step-by-step audit framework to assess PADFAA exposure—adapt it alongside your CCPA vendor risk assessments or PIPEDA Principle 4.1.3 accountability requirements.

1. Inventory Your Vendors

Map every third-party script, API, or service touching user data:

  • Use tools like CSP reports or network logs to list trackers (e.g., Google Analytics, Facebook Pixel).
  • Categorize by data type: Does it access geolocation (latitude/longitude), health inferences (from wearables), or precise identifiers?4 2
  • Tip: Export your tag manager (e.g., GTM) audit log for a full picture.

2. Classify Sensitive Data Flows

For each vendor, document:

  • Data collected: IP-derived location, device IDs, browsing history.
  • PADFAA categories matched: Geolocation if <1,850 ft precision; government IDs if scraped.2 5
  • Recipients: Demand Data Processing Agreements (DPAs) detailing downstream sharing. Cross-check against foreign adversary lists (China, Russia, etc.).1 4
Data TypeExamplesPADFAA Risk if Shared with Adversaries
GeolocationGPS coordinates, IP-mapped addressesHigh – Enables surveillance4 2
Health/FinancialInferred from app data, purchase historyHigh – Profiles for targeting6
Biometric/GeneticFace scans, DNA uploadsExtreme – Irreversible harm5
Military StatusInferred from job titles, visits to basesFlagged by FTC2 3
IdentifiersSSNs, loginsHigh – Identity theft vector4

3. Vetting and Contracting

  • Request PADFAA certifications: Ask for attestations of no sales to adversaries, similar to GDPR Article 28(3)(h) sub-processor notices.
  • Update contracts: Include audit rights, breach notifications within 72 hours (mirroring CCPA §1798.150), and termination clauses for PADFAA violations.
  • Red flags: Vendors in or owned by adversary countries; vague privacy policies; history of FTC scrutiny.

4. Implement Controls

  • Technical fixes:
    • Geoblock adversary IPs at the edge (Cloudflare, Akamai).
    • Anonymize data: Aggregate geolocation to census-block level; hash identifiers.1
  • Monitoring:
    • Quarterly vendor questionnaires.
    • Automated scans for new trackers (e.g., via browser extensions).
  • Training: Educate teams on PADFAA alongside PIPEDA Principle 7 safeguards.

5. Incident Response and Reporting

If you spot a violation:

  • Halt data flows immediately.
  • Document remediation (FTC loves evidence of good faith).3
  • Self-report if material risk, potentially mitigating penalties.

This process typically takes 2-4 weeks for mid-sized sites but scales with automation. Small businesses: Start with top 10 vendors handling 80% of data.

Broader Implications for Website Compliance

PADFAA doesn't exist in a vacuum. It intersects with state laws like CCPA/CPRA, requiring "sale" disclosures (opt-outs for sharing), and international regimes:

  • GDPR: Processors must ensure sub-processors don't export to "third countries" without adequacy (Russia/China lack it – Article 45).4
  • PIPEDA: Organizations accountable for transferred data (Principle 4.1.3), with safeguards against unauthorized access.

Enforcement trends show escalation: Post-warning, expect FTC lawsuits mirroring Epic Games' $520M COPPA fine. Websites ignoring vendor risks face joint liability, as seen in CCPA §1798.145(c)(6) actions against platforms.2

For devs: Embed PADFAA checks in SDK reviews. Product managers: Prioritize in RFPs. Owners: Budget $5K-20K annually for audits—cheaper than $53K fines.

Key Takeaways

  • Act now: FTC's February 9 letters to 13 brokers prove PADFAA enforcement is live—review vendors today.1 2
  • Sensitive data is expansive: Geolocation, health, military status—all off-limits to adversaries.4 6
  • Fines sting: Up to $53,088 per violation under FTC Act Section 5.3
  • Audit systematically: Inventory, classify, contract, control, monitor—repeat quarterly.
  • Holistic compliance: Layer PADFAA atop CCPA, GDPR, PIPEDA for robust protection.

By treating PADFAA as a vendor risk signal, websites fortify privacy and national security. Stay vigilant; the FTC is.

(Word count: 1,128)

Sources

Footnotes

  1. wiley.law

  2. ftc.gov

  3. ftc.gov

  4. jdsupra.com

  5. digitalpolicyalert.org

  6. thewbkfirm.com

  7. ftc.gov

Share:

Related Posts

Case Studies

CA's Todd Snyder CCPA Fine: Third-Party Opt-Out Pitfalls

California's $345K settlement with Todd Snyder for delaying opt-outs via unmonitored third-party tools warns sites to vet privacy vendors and streamline consumer rights requests under CCPA.[2]

Stay Compliant with Pryvii

Scan your website for privacy compliance issues across 17 regulations including GDPR, CCPA, and UK GDPR. Get actionable recommendations and fix problems before regulators find them.