The FTC Just Caught 13 Data Brokers Selling Your Data to China

In February 2026, the Federal Trade Commission sent warning letters to 13 data brokers for potentially violating a federal law that prohibits the sale of Americans' personal data to foreign adversaries. The countries in question: China, Russia, Iran, and North Korea. The data at risk: Social Security numbers, financial records, health information, precise geolocation, and biometric data. This is not a hypothetical threat. These companies were identified because their own regulatory filings indicate they sell data to entities in adversary nations.

What Happened

The FTC's action stems from the Protecting Americans' Data from Foreign Adversaries Act, known as PADFAA. The law became effective in June 2024, passed as part of the same legislative package that addressed TikTok's Chinese ownership. PADFAA prohibits data brokers from selling or transferring Americans' sensitive personal data to entities controlled by four designated foreign adversaries: China, Russia, Iran, and North Korea.

In February 2026, the FTC identified 13 data brokers whose California data broker registry filings indicated they may be violating PADFAA. The Commission sent each company a formal warning letter, putting them on notice that continued sales could trigger enforcement action with penalties exceeding $53,000 per violation.

California's Registry Revealed the Scale

The FTC's warning letters were informed by data from California's data broker registry, which requires brokers operating in the state to disclose key details about their data practices. That registry painted a far worse picture than the 13 companies the FTC targeted.

According to the registry filings, 33 data brokers disclosed that they sell or share data with entities in countries classified as foreign adversaries. Among those 33, 5 brokers specifically sell precise geolocation data — the kind that can track your movements to a specific building, clinic, or workplace.

This geolocation data is especially dangerous in the hands of foreign intelligence services. It can be used to identify the movements of government employees, military personnel, journalists, and activists. The FBI has itself purchased location data from commercial brokers for domestic surveillance — the same supply chain now feeding adversary nations.

What Data Is at Risk

PADFAA specifically covers the categories of data that pose the greatest national security and personal safety risks when transferred to foreign adversaries:

• Social Security numbers — the skeleton key for identity theft, financial fraud, and building dossiers on American citizens
• Financial data — bank account details, credit information, income data, and transaction histories
• Health data — medical records, prescription history, health conditions, and insurance claims
• Precise geolocation — GPS-level location data from mobile devices that reveals where you live, work, worship, and seek medical care
• Biometric data — fingerprints, facial recognition templates, voiceprints, and other identifiers that cannot be changed once compromised

The common thread: these are data types you cannot rotate like a password. If your SSN or biometric template ends up in a foreign government's database, there is no reset button.

PADFAA: The Law Behind the Letters

PADFAA was enacted in April 2024 as part of the legislative package most publicly associated with the TikTok divestiture requirement. While TikTok dominated the headlines, PADFAA quietly created the first federal prohibition on data broker sales to foreign adversaries.

The law defines "data broker" broadly — any entity that collects and sells personal data of individuals with whom it does not have a direct relationship. It covers four adversary nations (China, Russia, Iran, and North Korea) and applies to entities "controlled by" those nations, including subsidiaries, shell companies, and other intermediary structures designed to obscure ownership.

Penalties exceed $53,000 per violation. Given that data brokers routinely sell records in batches of millions, a single confirmed sale to a foreign adversary could result in liability in the billions.

The National Security Dimension

Data broker sales to foreign adversaries are not just a personal privacy problem. They represent a systematic intelligence vulnerability. Consider what a foreign intelligence service can do with commercial data broker records:

1. Identify intelligence targets. Geolocation data from broker databases can identify individuals who regularly visit military installations, government buildings, or defense contractor offices — potential targets for recruitment or surveillance.
2. Build comprehensive dossiers. By combining SSN data, financial records, health information, and location histories, a foreign adversary can build profiles on millions of Americans that rival what any domestic intelligence agency maintains.
3. Enable blackmail and coercion. Health data revealing sensitive medical conditions, financial data showing debt or distress, and location data showing visits to sensitive locations can all be used as leverage against individuals with access to classified information.
4. Map social networks. Cross-referencing data broker records allows adversaries to map relationships between individuals — identifying family members, colleagues, and associates of high-value targets.
5. Conduct influence operations. Detailed consumer profiles — political leanings, media consumption, purchasing behavior — provide the raw material for targeted disinformation campaigns.

This is not speculative. In 2023, the Office of the Director of National Intelligence published a declassified report acknowledging that commercially available data poses significant risks to national security and civil liberties, and that foreign adversaries are actively purchasing it.

What the FTC Can Actually Do

The FTC's warning letters are a first step, not a resolution. Warning letters put companies on notice that the FTC is aware of potential violations — and that any future violations will be treated as knowing and willful, increasing potential penalties. But letters alone do not stop data flows.

The FTC's enforcement toolkit includes civil penalties, consent orders (which impose ongoing compliance requirements), and injunctive relief. The Commission has used these tools effectively against domestic data broker abuses — the Gravy Analytics and Kochava cases are recent examples. Applying them to foreign data transfers is legally straightforward under PADFAA but practically more complex, especially when intermediary entities are involved.

The deeper problem is structural: the US still lacks a comprehensive federal privacy law. PADFAA addresses one specific abuse — sales to foreign adversaries — but does nothing about the underlying data collection that makes those sales possible. As long as data brokers can legally collect and stockpile Americans' SSNs, health data, and precise location histories, the data will remain vulnerable to both authorized and unauthorized transfers.

How to Protect Yourself

You cannot control whether a data broker has already sold your information to a foreign entity. But you can reduce your exposure going forward by removing your data from broker databases before it can be transferred again.

1. Remove your data from broker databases. The most direct protection is getting your information out of the databases that feed these sales. A service like GhostVault automates removal from 500+ data broker sites for $3.99/month, covering the major brokers that aggregate and resell personal data.
2. Restrict location permissions on your phone. Five of the brokers identified in California's registry sell precise geolocation data to foreign actors. This data comes from apps on your phone. Revoke location access for every app that does not genuinely need it, and switch to approximate location where possible.
3. Disable your advertising identifier. On iOS: Settings > Privacy > Tracking > disable "Allow Apps to Request to Track." On Android: Settings > Privacy > Ads > delete your advertising ID. This breaks the link that brokers use to tie your location data to your identity.
4. Freeze your credit. A credit freeze at all three bureaus (Equifax, Experian, TransUnion) prevents new accounts from being opened with your SSN — a critical identity theft prevention measure if your SSN has been compromised through a foreign data sale.
5. Monitor for breaches. If your data has been sold to a foreign entity, it may eventually surface in data breaches or dark web marketplaces. Regular breach monitoring helps you respond quickly if your information appears in new exposures.

Frequently Asked Questions

What is PADFAA and when did it become law?

The Protecting Americans' Data from Foreign Adversaries Act became law in April 2024. It was enacted as part of the same legislative package that addressed TikTok's Chinese ownership. PADFAA specifically prohibits data brokers from selling or transferring sensitive personal data — SSNs, financial data, health information, geolocation, and biometric data — to entities controlled by China, Russia, Iran, or North Korea. Each violation carries penalties exceeding $53,000.

Which data brokers did the FTC warn about selling data to China?

In February 2026, the FTC sent warning letters to 13 data brokers identified through California's data broker registry as potentially violating PADFAA. The brokers were flagged because their own regulatory filings indicated they sell or share Americans' data with entities in adversary nations. California's registry separately found 33 brokers selling data to foreign actors, including 5 that sell precise geolocation data capable of tracking physical movements.

What types of personal data are being sold to foreign adversaries?

The data categories covered by PADFAA and identified in the FTC's action include Social Security numbers, financial account information, health and medical records, precise geolocation data from mobile devices, and biometric data such as fingerprints and facial recognition templates. The geolocation data is especially concerning — 5 brokers in California's registry sell precise GPS-level location data to foreign actors.

What penalties do data brokers face for selling data to China or Russia?

PADFAA imposes penalties exceeding $53,000 per violation. Because data brokers sell records in bulk — often millions of records per transaction — a single confirmed sale to a foreign adversary could result in cumulative liability in the billions of dollars. The FTC's February 2026 warning letters serve to establish that the named brokers are on notice, which strengthens the case for treating any future violations as knowing and willful.

How can I prevent my data from being sold to foreign countries?

The most effective strategy is removing your data from broker databases before it can be sold. Use a data removal service to automate opt-outs across hundreds of brokers. Restrict location permissions on your phone to cut off the geolocation data supply. Disable your advertising identifier to prevent cross-app tracking. Freeze your credit to protect against SSN misuse. These steps cannot undo past sales, but they significantly reduce the data available for future transfers to foreign adversaries.