Wiley Recommends Companies Assess New FTC Data Broker Law
Understanding definitions for “data broker” and sensitive personal data will help companies determine if they’re subject to FTC compliance under its new data broker law, Wiley attorneys said Wednesday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Congress in 2024 passed the Protecting Americans’ Data from Foreign Adversaries Act (PADFA) to block data brokers from selling Americans’ personally identifiable sensitive data to foreign adversaries like China. FTC Commissioner Melissa Holyoak said in April that PADFA enforcement will be a priority for the agency (see 2504230041).
Wiley attorneys noted the definition for data broker differs from the definition in DOJ’s data transfer rule.
PADFA defines data broker as “an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider,” they said. Wiley noted there are exceptions and exemptions for service providers, data transfers at the direction of an individual, news reporting and incidental data processing.
The definition for sensitive data “includes precise geolocation information, information about minors under 17, government-issued identifiers, information indicative of an individual’s health conditions or treatment, certain financial information, biometric and genetic information, private communications, account or device log-in credentials, calendar information, photos, and videos,” they noted.