‘Know Your Customer’ Law Comes For Ad Data Licensors

While you were reading about the recent ‘TikTok sale’ law, you may have missed an accompanying ban on companies licensing data to ‘foreign adversaries’. Before you dismiss this new law as inapplicable, you might be surprised at the broad scope and potential inadvertent applicability to everyday data licensors, especially those in adtech.   

The Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA), originally introduced as HR 7520, unanimously passed the House of Representatives (which is remarkable by itself) and then sailed through the Senate as bundled with the supplemental appropriations bill.

Here’s what you need to know about this new law:

• PADFA is intended to ban all ‘sensitive’ data sales to individuals or entities ‘controlled’ by Iran, Russia, China, North Korea, and any other countries on this list. However, the definition of ‘control’ in this context is quite broad, as it specifically includes individuals who ‘directly or indirectly’ own at least a 20% stake in that company. 
  
  The definition of individual is a foreign person that is ‘domiciled in, is headquartered in, or has a principal place of business in’ the foreign adversary country.  This list certainly includes many Russian oligarchs who are regular venture investors, even if ‘indirectly’ through proxy investment firms, as well as any businesses that continue to operate in Russia such as Yandex. Ironically, it likely does not include Tiktok, as they are a California LLC, and their parent company ByteDance is a Cayman Islands entity with more than 80% of the company owned by non-Chinese entities. 
  
• The definition of ‘data broker’ is broad and includes any entity that; “for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.”
  
  This definition is broader than existing U.S. state laws because there is no ‘data quantity threshold’ or ‘revenue threshold’, such as California’s requirement to process more than 100k unique identifiers per year, or Texas’ requirement for a ‘primary business purpose’ of selling personal information. While there are exemptions for media companies and ‘service providers’, PADFA’s definition of ‘service provider’ is unclear and poorly tailored to advertising-related services.  As a result of these scoping issues, any advertising intermediaries that enable access to licensed data, such as through a data marketplace, may become inadvertent ‘data brokers’ under this new law. (If this sounds familiar, it should.)
  
• The scope of ‘sensitive data’ includes the same list as U.S. state laws related to precise geolocation, biometrics, physical/mental health, race/ethnicity, religion, and sexual ‘behavior’. But PADFA also includes many other broader categories, the most critical being: “information identifying an individual’s online activities over time and across websites or online services”, “information revealing the video content requested or selected by an individual” as well as “information about an individual under the age of 17.” 
  
  These last three categories of ‘sensitive’ data are what make this law very challenging generally and in particular for advertising data intermediaries.
  
  Unless clarified, the law dramatically expands the scope of data licensing obligations to require media sellers, exchanges, data marketplaces or demand-side platforms to (1) conduct due diligence on their licensors to comply with this new law, and (2) further restrict certain categories of data from being collected or licensed, (3) especially for ‘mixed age audiences’ that are currently only age-restricted with consent in California. 
  
• The law goes into effect in less than 60 days on June 23, 2024.  This is an incredibly short window for compliance, and is likely going to catch most data licensors and intermediaries off-guard. In some cases, data licensing agreements have already been executed for use well beyond June, so these data licensors may need to effectively ‘claw back’ their data from licensees without some assurances that the recipients are not ‘foreign adversaries’.
  
• Enforcement is strictly by the Federal Trade Commission as a ‘violation of a rule’ under the FTC Act, which can carry with it a fine of $50,120 in civil penalties per violation.  One interpretation of this fine in the context of data licensing is that ‘per violation’ could be related to each specific piece of personal information licensed, which could be exorbitant.   

As there are disparate types of entities potentially affected by this law, my advice is:

1. Data licensors: If your company licenses ‘sensitive data’, even to other data intermediaries such as marketplaces, then you need to conduct some due diligence on the licensee and/or intermediary terms and insert representations and warranties into any agreement that includes attestations that expressly prohibits at any point during the license term that the licensee will be ‘controlled by a ‘foreign adversary’. If you do not have the above assurances, you’ll want to amend your agreements and be prepared to cut off any licensing agreements or marketplaces if there are still open ‘controllership’ questions by June 23. 
   
2. Data intermediaries: If your company operates a data marketplace, even if it's just a pass-through entity on behalf of licensors, then you will also need to include similar licensor reps and warranties since your platform ‘makes available’ data potentially to ‘foreign adversaries’.  In some cases, sample data will also be in scope for compliance, so it will be critical to restrict access to any such samples  some Know Your Customer diligence and/or include express prohibitions as a condition of access.  

The current Federal Trade Commission has been incredibly active in its enforcement of data licensing activities, and especially vocal about their position that online behavioral data is considered to be ‘sensitive’. With blanket enforcement capabilities under this new law, I fully expect the FTC to find a good example of a data licensor or marketplace with lax terms or due diligence practices. If the FTC’s recent actions are any indication the enforcer will be looking to set a precedential example as soon as possible (and certainly before the November election.)