Even if your business only sells goods or services in the U.S., your business may be a “data broker” under the new bulk data regulations, according to an April 11, 2025 Compliance Guide issued by the U.S. Department of Justice, if consumer data is being transmitted to countries of concern.  That guidance states in part:

Some activities that may not be thought of in ordinary parlance as data brokerage may nonetheless constitute data brokerage under the DSP, such as a U.S. company maintaining a website or mobile application that contains ads with tracking pixels or software development kits that were knowingly installed or approved for incorporation into the app or website by the U.S. company.  That transfer or provision of access to government-related or bulk U.S. sensitive personal data to covered persons or countries of concern could constitute data brokerage and could be a violation of the DSP.

Compliance Guidelines at 5.  Keep in mind that the regulation not only includes civil penalties, but upon conviction, criminal violators may be fined not more than $1,000,000, or if a natural person, may be imprisoned for not more than 20 years, or both. 

The bulk data regulations, which were published in the Federal Register on January 8, 2025, contain restrictions/prohibitions on sending bulk personal data of U.S. residents to “countries of concern.”  The countries of concern listed are:

  • China (including Hong Kong and Macau)
  • Cuba
  • Iran
  • North Korea
  • Russia
  • Venezuela

The regulation also includes some examples of what constitutes “personal data,” such as IP addresses and precise geolocation data.

Background

The Federal Register notice summarized the background for the rule as follows:

Executive Order 14117 of February 28, 2024, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (“the Order”), directs the Attorney General to issue regulations that prohibit or otherwise restrict United States persons from engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest (“transaction”), where the transaction: involves United States Government-related data (“government-related data”) or bulk U.S. sensitive personal data, as defined by final rules implementing the Order; falls within a class of transactions that has been determined by the Attorney General to pose an unacceptable risk to the national security of the United States because it may enable access by countries of concern or covered persons to government-related data or Americans’ bulk U.S. sensitive personal data; and meets other criteria specified by the Order.

IP addresses and precise geolocation data

An IP address is considered a “listed identifier.”  Listed identifiers—which also include device IDs and advertising IDs under 28 CFR § 202.234—can be “covered personal identifiers,” which can be “bulk” data subject to the regulation.  The Department of Justice recognizes that, alone, an IP address likely would not constitute sensitive personal data.  On the other hand, “The Department understands that, in most commercial instances, IP addresses are collected in datasets that often contain well into the tens or hundreds of millions of such addresses and often involve other listed identifiers, as well.”  Consequently, the example in § 202.302 states:

A U.S. company owns and operates a mobile app for U.S. users with available advertising space. As part of selling the advertising space, the U.S. company provides the bulk precise geolocation data, IP address, and advertising IDs of its U.S. users’ devices to an advertising exchange based in Europe that is not a covered person. The U.S. company’s provision of this data to the advertising exchange is data brokerage and a prohibited transaction unless the U.S. company obtains a contractual commitment from the advertising exchange not to engage in any covered data transactions involving data brokerage of that same data with a country of concern or covered person.

Covered personal identifiers are in scope for the regulation when they are collected about, or maintained on, more than 100,000 U.S. persons during the preceding 12-month period.

In contrast, “precise geolocation data”—defined in § 202.242 as “data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters”—by itself is included in the definition of “bulk” data subject to the regulation.  Collecting that data on more than 1,000 U.S. devices over a 12-month period is sufficient to make the data in-scope for the regulation.

Takeaways

Although the regulation went into effect on April 8, 2025, the Department of Justice has stated that it “will target its enforcement efforts during the first 90 days to allow U.S. persons (e.g., individuals and companies) additional time to continue implementing the necessary changes to comply. . .  Specifically, NSD will not prioritize civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025 so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP during that time.”  National Security Division, U.S. Dept. of Justice, “Frequently Asked Questions,” question #4 (April 11, 2025) (emphasis added).

How NT Analyzer Helps

As a practical matter, any pixel, mobile app SDK, or JavaScript tag that triggers a network request to a server located in a “country of concern” will potentially trigger data broker status and can run afoul of the DSP.

NT Analyzer is Norton Rose Fulbright’s proprietary testing tool that it uses to assist clients with their mobile app/website/OTT compliance efforts and due diligence. One of NT Analyzer’s features is that it can determine the host country of any server based on the server’s IP address. Since NT Analyzer uses network traffic captures to generate its findings, each captured network call to a third party reveals the third party’s IP address to the proxy.  We use the third party’s IP address to determine server location and, in turn, assess compliance with the DSP.    
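
The check described above can be sketched in a few lines. This is an added example, not NT Analyzer's code: it assumes the traffic capture is exported in HAR format (whose entries carry a serverIPAddress field), and the IP-to-country table, hostnames, and query parameter names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Countries of concern as listed on this page (Hong Kong and Macau count with China).
COUNTRIES_OF_CONCERN = {"CN", "HK", "MO", "CU", "IR", "KP", "RU", "VE"}

# Constructed stand-in for a GeoIP database, using documentation-only ranges.
# A real audit would query a maintained IP-to-country data set instead.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "RU"),
    (ipaddress.ip_network("203.0.113.0/24"), "HK"),
]

# Hypothetical parameter names for listed identifiers and precise geolocation.
SENSITIVE_PARAMS = {"ad_id", "device_id", "lat", "lon"}

# Constructed capture in HAR 1.2 shape (only the fields used here).
SAMPLE_HAR = {"log": {"entries": [
    {"serverIPAddress": "192.0.2.10",
     "request": {"url": "https://cdn.example.com/app.js"}},
    {"serverIPAddress": "198.51.100.7",
     "request": {"url": "https://px.tracker.example/p?ad_id=abc&lat=40.7128&lon=-74.0060"}},
    {"serverIPAddress": "203.0.113.99",
     "request": {"url": "https://sdk.metrics.example/v1/ping?device_id=123"}},
    {"serverIPAddress": "", "request": {"url": "https://cached.example.com/logo.png"}},
]}}

def country_for(ip):
    """Return the country code for an IP, or None if unknown or malformed."""
    try:
        addr = ipaddress.ip_address(ip.strip("[]"))
    except ValueError:
        return None
    return next((cc for net, cc in GEO_TABLE if addr in net), None)

def flag_entries(har):
    """List capture entries whose server resolves to a country of concern."""
    findings = []
    for entry in har["log"]["entries"]:
        cc = country_for(entry.get("serverIPAddress", ""))
        if cc in COUNTRIES_OF_CONCERN:
            url = urlsplit(entry["request"]["url"])
            params = sorted(SENSITIVE_PARAMS.intersection(parse_qs(url.query)))
            findings.append({"host": url.hostname, "country": cc, "params": params})
    return findings

if __name__ == "__main__":
    print(flag_entries(SAMPLE_HAR))
```

Entries with an empty or unresolvable server address (cached responses, for instance) are skipped rather than flagged, so a review should also count how many requests could not be located.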

In addition to determining server location, NT Analyzer also provides precise line of sight into what data is transmitted to third parties and provides a comprehensive description of how and why data is being ingested by such endpoints using API mapping and JavaScript file analysis.

If you would like to learn more about NT Analyzer, please contact:

Steven Roosa steven.roosa@nortonrosefulbright.com.

Phil Hodgkins philip.hodgkins@nortonrosefulbright.com.

Wenda Tang wenda.tang@nortonrosefulbright.com.