The Department of Justice bulk sensitive personal data rule (see Federal Register NPRM and final rule materials) restricts certain transfers of US sensitive personal data to countries of concern and covered persons. For precise geolocation, a rolling 12-month threshold can be as low as 1,000 linked US devices — a volume many mobility brokers exceed in a single metro pilot. Government-related data categories may lack a volume safe harbor. Data brokers licensing global mobility, POI geofencing, and maid feed must map buyer corporate trees, cloud regions, and end users before transfer. Align with PADFAA screening and federal procurement artifacts.
The rule enumerates sensitive personal data classes — including precise geolocation, human genomic data, biometric identifiers, personal health data, financial data, covered personal identifiers, and certain government-related data. Thresholds vary by category: geolocation may trigger at ≥1,000 US devices in a 12-month window when transferred to a country of concern or covered person. Brokers selling national mobility panels blow past that threshold routinely. Coarse mobility still demands analysis: combined with MAIDs, home-work inference, or venue labels, coarse data can become functionally precise.
Read the rule alongside Executive Order 14117 framing — DOJ implementation translates policy into licensing mechanics brokers feel in MSAs. The Department of Justice overview summarizes category definitions buyers can paste into security reviews.
The rule targets transfers to defined countries of concern and entities meeting covered person tests (foreign adversary nexus, military-industrial ties, etc.). Screening must include beneficial ownership, subsidiaries, and cloud administrative access — a US-incorporated buyer owned by a covered foreign entity is the classic failure mode. PADFAA uses overlapping adversary lists; operate one matrix for both regimes. Reference CFIUS thinking for M&A re-reviews when buyers change parents mid-contract.
Subprocessors and analytics vendors in third countries still matter: transfer includes access, not only disk location. Document subprocessors in /trust/security-program and DPA exhibits.
Licensed analytics consultancies in countries of concern can be covered-person access even when the buyer is US-based — sublicensing clauses must require written approval before any consultant environment touches sensitive fields. The same rule applies to offshore labeling vendors reviewing raw mobility traces.
Mobility vendors should cross-check FTC sensitive location orders — FTC defines consumer-harm patterns; DOJ defines export-style transfer limits. A feed can be FTC-compliant yet fail DOJ transfer rules if hosted by the wrong entity.
Include: transfer prohibitions to countries of concern and covered persons; volume attestations; sublicense approval; audit rights; 72-hour breach notification for impermissible access; and termination for screening failures. Federal buyers add DFARS-style flow-downs; commercial banks and telcos paste the same clauses for supply-chain risk. Link product schedules to global mobility delivery specs so precision claims match contract definitions of "precise geolocation."
Indemnity and compliance representations should be specific — "compliant with all laws" without screening methodology fails enterprise security review. Use RFP scorecard governance columns for transfer risk.
Historical archives raise retroactive transfer questions: if a buyer already stored three years of geolocation before screening matured, counsel may require deletion or segmentation of legacy partitions. New licenses should state that pre-effective-date archives are out of scope or must be certified clean.
Map minimum viable geography: do you need national US mobility or three DMAs? Right-size volume to business need and document aggregation if device-level traces are not required. For measurement, prefer aggregate cross-channel measurement outputs over raw traces when possible. Run geo-panel audit and sensitive location checklist in the same diligence pass as DOJ screening.
Treasury and Commerce export-control updates can expand countries of concern lists faster than vendor contracts update — build a regulatory watch step into quarterly business reviews. When lists change, trigger re-screening of active buyers even if contract term has not expired.
Identity-only buyers licensing core email file without geolocation still need PADFAA/DOJ review when files contain government IDs, health fields, or genomic data — geolocation is not the only triggered category.
Cloud architecture matters: data replicated to backup regions in countries of concern can be a transfer even when primary processing stays in the US. Map replication, analytics replicas, and disaster-recovery failover in the same questionnaire as primary hosting. For developers integrating APIs, require buyer certificates that name every environment (prod, staging, DR) that will hold sensitive fields.
When pilots convert to production, re-count devices — a three-market pilot under 1,000 devices can exceed thresholds nationally within weeks. Build renewal clauses that force re-screening when volume tiers change or when buyers add sublicenses.
Joint ventures and SPVs confuse screening — ask whether the licensee entity or the funding parent is the counterparty. If both can access storage, both need clearance. Escrow arrangements where data sits with a US trustee still require analysis of who can direct decryption.
Volume counters should be SKU-specific — a buyer under threshold on email may be over threshold on mobility; do not net across unrelated sensitive categories without counsel guidance. Export monthly transfer reports to buyers upon request so they can prove compliance to their regulators and boards. Reports should list unique US device identifiers counted, not just row volumes, because duplicate events inflate row counts without increasing covered risk.
Buyers building location, foot-traffic, or geofence programs can scope POI data with polygon coverage, brand hierarchy, and daily refresh before production licensing.