PADFAA (Protecting Americans' Data from Foreign Adversaries Act, enacted 2024) defines data brokers as entities that sell, license, or otherwise transfer data of US individuals they did not collect directly from those individuals. It prohibits making personally identifiable sensitive data available to foreign adversary countries — China, Russia, Iran, North Korea, Venezuela, and entities they control — or to entities subject to their jurisdiction. For commercial brokers, PADFAA is a transfer gate: know the buyer's ultimate parent, hosting geography, and subprocessor tree before shipping identity, mobility, email, or clickstream products. Pair with the DOJ bulk sensitive data rule and federal procurement when defense-adjacent buyers appear.
PADFAA's broker definition covers entities that obtain data of US individuals and sell, license, rent, trade, or transfer it to another entity. Direct collectors can be brokers when they resell third-party enrichment. Platforms that only provide infrastructure may still face downstream pressure when their customers are brokers. GSDSI buyers should ask vendors whether they self-classify as brokers under PADFAA and how they implement transfer prohibitions in master agreements. The FTC's data broker rulemaking and state DELETE regimes overlap — use /trust/data-broker-registrations as a diligence index.
If your organization buys brokered sensitive data, you inherit supply-chain questions: did the upstream broker screen your corporate family and hosting? Enterprise procurement should push screening upstream, not only at the final license signature.
State DELETE and broker-registration laws do not replace PADFAA — they overlap. A vendor registered in California still must block adversary-country transfers of PADFAA-sensitive fields. Index registrations at /trust/data-broker-registrations and require written PADFAA programs in the same security packet.
Sensitive categories include precise geolocation, government identifiers, financial account and payment data, private communications content, biometric and genetic data, personal health information, and persistent online activity that reveals details of an individual's life. Coarse ZIP-level mobility may still be sensitive when combined with timestamps, MAIDs, or household graphs. Read alongside FTC sensitive location thresholds and sensitive location checklist. POI geofencing programs should confirm whether visit-level feeds include coordinates precise enough to trigger PADFAA-sensitive treatment.
Federal and critical-infrastructure buyers increasingly paste PADFAA-style language into commercial MSAs even when the deal is not a government contract. Align answers with security overview and privacy center disclosures.
Data management platforms and clean rooms are not automatic safe harbors: if a buyer in a covered country can query sensitive fields through a shared clean room, treat it as a transfer. Map query interfaces, export buttons, and support engineer VPN access in the same diligence pass as SFTP credentials.
Ask vendors for: (1) written PADFAA compliance policy, (2) sample transfer denial log (redacted), (3) list of countries and entities blocked, (4) subprocessors with access to sensitive SKUs, and (5) how Octopus or SFTP endpoints enforce geography. Buyers activating audience targeting in multinational agencies should map which legal entity receives the feed — a US subsidiary licensing data that flows to an adversary-country parent is the scenario PADFAA targets.
Cross-border transfers for EU or UK programs still require GDPR tools; PADFAA is an additional US export-style gate for sensitive US person data. Document both in RFP scorecard governance rows.
Procurement should add a PADFAA attestation line item beside FCRA and HIPAA-adjacent questions: "List all countries where employees or contractors can access sensitive fields" and "Confirm no adversary-country parent owns >X% of buyer." Vendors answering "US only" without subprocessor detail should receive follow-up questionnaires, not automatic approval.
PADFAA does not create a private right of action — enforcement is federal. That does not make it optional: enterprise security teams treat violations as deal-stopper risk, and federal agencies mirror restrictions in supply-chain rules. The DOJ NPRM on bulk sensitive personal data adds volume thresholds and countries of concern framing that complements PADFAA. Vendors licensing mobility at scale should read geo-panel audit before promising unrestricted global access.
Insurance and financial buyers licensing insurance leads or mortgage refi panels should verify whether PADFAA-sensitive fields are segmented in separate SKUs with stronger transfer controls than marketing files. Ad-tech buyers combining clickstream with a MAID feed need subprocessor lists that include demand-side platforms in adversary-adjacent jurisdictions — screening is a graph problem, not a checkbox on the MSA cover page.
Document denials: when legal rejects a deal because ultimate parent maps to a covered country, retain the questionnaire and denial rationale (redacted) for auditor replay. Positive approvals should name the approving counsel or compliance officer and expire annually.
University and nonprofit buyers are not automatically low risk — research collaborations with adversary-country institutions can taint transfers. Screen grant-funded projects and visiting scholars with the same ownership questionnaire used for commercial agencies.
Maintain a denied-parties list synchronized with adversary-country entity updates — screening once at onboarding is insufficient when buyers restructure quarterly. Train customer success teams to escalate when prospects request access from VPNs geolocated to adversary countries — technical signals should trigger legal review even before contract signature. Align the list with DOJ bulk data covered-person screening to avoid maintaining two incompatible deny matrices.
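The ownership-graph screening described in the attestation line item, the "graph problem" remark and the denied-parties passage above, as an added example that is not the page's or any vendor's code: it resolves a buyer's ultimate owners by multiplying stakes along each ownership path, checks hosting geography for the buyer and its whole subprocessor tree, and applies the ">X%" parent threshold as a parameter rather than a fixed number. Country codes, entity names and stakes are constructed sample data, and the threshold value is an assumed policy choice.

```python
from dataclasses import dataclass, field
# Countries the page lists as covered; the ISO codes are my own shorthand.
COVERED = {"CN", "RU", "IR", "KP", "VE"}

@dataclass
class Entity:
    name: str
    country: str                                # jurisdiction of incorporation
    hosting: set = field(default_factory=set)   # where sensitive SKUs are hosted or reachable
    owners: dict = field(default_factory=dict)  # owner name -> fraction of this entity held
    subprocessors: list = field(default_factory=list)

def ultimate_owners(graph, name, stake=1.0, acc=None, path=()):
    """Walk owners upward: stakes multiply along a path and sum across paths; `path` stops cycles."""
    acc = {} if acc is None else acc
    if not graph[name].owners or name in path:      # reached an ultimate owner
        acc[name] = acc.get(name, 0.0) + stake
        return acc
    for owner, frac in graph[name].owners.items():
        ultimate_owners(graph, owner, stake * frac, acc, path + (name,))
    return acc

def screen(graph, buyer, threshold, seen=None):
    """Blocking findings for licensing sensitive fields to `buyer` and its subprocessor tree
    (empty list = clear); `threshold` is the fraction the page leaves as 'X%', a policy choice."""
    seen = set() if seen is None else seen
    if buyer in seen:                               # subprocessor shared by several nodes
        return []
    seen.add(buyer)
    ent, findings = graph[buyer], []
    if ent.country in COVERED:
        findings.append(f"{buyer}: incorporated in covered country {ent.country}")
    for c in sorted(ent.hosting & COVERED):
        findings.append(f"{buyer}: sensitive fields hosted or accessible in {c}")
    for parent, stake in ultimate_owners(graph, buyer).items():
        if parent != buyer and graph[parent].country in COVERED and stake > threshold:
            findings.append(f"{buyer}: ultimate parent {parent} ({graph[parent].country}) holds {stake:.0%}")
    for sub in ent.subprocessors:                   # walk the subprocessor tree, not just tier one
        findings += screen(graph, sub, threshold, seen)
    return findings

# Constructed sample: a US agency whose holding company chains to a covered-country parent,
# plus a US subprocessor whose support mirror is reachable from a covered country.
SAMPLE = {e.name: e for e in [
    Entity("AgencyUS", "US", {"US"}, {"HoldCo": 0.6, "FundLP": 0.4}, ["DSP-Cloud"]),
    Entity("HoldCo", "SG", set(), {"ParentCN": 0.7, "FundLP": 0.3}),
    Entity("FundLP", "US"), Entity("ParentCN", "CN"),
    Entity("DSP-Cloud", "US", {"US", "CN"}),
]}
```

Re-running `screen` on every quarterly ownership or subprocessor change, rather than once at onboarding, is what keeps the denied-parties list current; each returned finding is the redacted denial rationale to retain for auditor replay.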
Buyers building location, foot-traffic, or geofence programs can scope POI data with polygon coverage, brand hierarchy, and daily refresh before production licensing.