As part of our series to provide practical insights into emerging Federal Trade Commission (FTC) priority areas for consumer protection and data privacy enforcement, we are taking a deep dive into the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA)—a recent law that took effect in mid-2024 and that is enforced by the FTC. Earlier this year, FTC Commissioner Melissa Holyoak highlighted PADFA as an agency enforcement priority, signaling forthcoming enforcement activity.    

At a high level, PADFA prohibits certain sales of personally identifiable sensitive data to foreign adversary countries, or any entities controlled by a foreign adversary country. Notably, the law applies to a broad range of sensitive data; has a definition of “data broker” that is distinct from other frameworks; and includes a unique threshold for foreign adversary control. Additionally, PADFA is not sector-specific, so its reach extends across industries, including financial services and health-related apps. Accordingly, any company under FTC authority that is engaged in consumer data sales, including for advertising-related purposes, may be subject to the law’s unique restrictions.  

Below we provide tips to identify PADFA risks, develop appropriate compliance strategies, and prepare for enforcement.