Why the DOJ’s Rule on Preventing Access to American's Data Could Impact Your Marketing and Offshore Hiring
How the DOJ’s National Security Data Rule Affects SME Tech Companies
On April 8, 2025, the U.S. Department of Justice's Rule on “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the Rule) officially took effect.
Even companies that use everyday digital tools—like Meta Pixel, Google Ads, or offshore contractors—may now need to consider whether certain data flows fall under U.S. national security restrictions, depending on who can access the data and where the persons who have access are located.
This rule, issued under Executive Order 14117, is not a privacy law—it is a national security measure. It targets the risk of bulk sensitive U.S. personal data being accessed by foreign persons in "countries of concern". While this sounds like it’s meant for big firms or defense contractors, it can just as easily apply to small or mid-sized U.S. tech companies who outsource marketing or hire overseas developers.
Let’s walk through what you should do about it.
Under EO 14117, the DOJ prohibits U.S. businesses from allowing foreign persons in countries of concern (China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, Venezuela) to access bulk datasets that include “sensitive personal data” of U.S. individuals.
To help make this rule easier to understand, I’ve included the official legal definitions and some examples provided by the DOJ below so you can refer to them directly if needed. If you're short on time, feel free to skip past them and continue with the practical explanation—they’ll still be here for reference whenever you're ready.
What the Law Actually Says
§ 202.249 Sensitive personal data.
(a) Definition. The term sensitive personal data means covered personal identifiers, precise geolocation data, biometric identifiers, human ‘omic data, personal health data, personal financial data, or any combination thereof.
(b) Exclusions. The term sensitive personal data, and each of the categories of sensitive personal data, excludes:
(1) Public or nonpublic data that does not relate to an individual, including such data that meets the definition of a ‘‘trade secret’’ (as defined in 18 U.S.C. 1839(3)) or ‘‘proprietary information’’ (as defined in 50 U.S.C. 1708(d)(7));
(2) Data that is, at the time of the transaction, lawfully available to the public from a Federal, State, or local government record (such as court records) or in widely distributed media (such as sources that are generally available to the public through unrestricted and open-access repositories);
(3) Personal communications; and (4) Information or informational materials and ordinarily associated metadata or metadata reasonably necessary to enable the transmission or dissemination of such information or informational materials.
§ 202.212 Covered personal identifiers.
(a) Definition. The term covered personal identifiers means any listed identifier:
(1) In combination with any other listed identifier; or
(2) In combination with other data that is disclosed by a transacting party pursuant to the transaction such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data.
(b) Exclusion. The term covered personal identifiers excludes:
(1) Demographic or contact data that is linked only to other demographic or contact data (such as first and last name, birthplace, ZIP code, residential street or postal address, phone number, and email address and similar public account identifiers); and
(2) A network-based identifier, account-authentication data, or call- detail data that is linked only to other network-based identifier, account- authentication data, or call-detail data as necessary for the provision of telecommunications, networking, or similar service.
(c) Examples of listed identifiers in combination with other listed identifiers—
(1) Example 1. A standalone listed identifier in isolation (i.e., that is not linked to another listed identifier, sensitive personal data, or other data that is disclosed by a transacting party pursuant to the transaction such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data)—such as a Social Security Number or account username—would not constitute a covered personal identifier.
(2) Example 2. A listed identifier linked to another listed identifier—such as a first and last name linked to a Social Security number, a driver’s license number linked to a passport number, a device Media Access Control (‘‘MAC’’) address linked to a residential address, an account username linked to a first and last name, or a mobile advertising ID linked to an email address—would constitute covered personal identifiers.
(3) Example 3. Demographic or contact data linked only to other demographic or contact data—such as a first and last name linked to a residential street address, an email address linked to a first and last name, or a customer loyalty membership record linking a first and last name to a phone number—would not constitute covered personal identifiers.
(4) Example 4. Demographic or contact data linked to other demographic or contact data and to another listed identifier—such as a first and last name linked to an email address and to an IP address—would constitute covered personal identifiers.
(5) Example 5. Account usernames linked to passwords as part of a sale of a dataset would constitute covered personal identifiers. Those pieces of account-authentication data are not linked as a necessary part of the provision of telecommunications, networking, or similar services. This combination would constitute covered personal identifiers.
(d) Examples of a listed identifier in combination with other data disclosed by a transacting party—
(1) Example 1. A foreign person who is a covered person asks a U.S. company for a list of Media Access Control (‘‘MAC’’) addresses from devices that have connected to the wireless network of a U.S. fast-food restaurant located in a particular government building. The U.S. company then sells the list of MAC addresses, without any other listed identifiers or sensitive personal data, to the covered person. The disclosed MAC addresses, when paired with the other data disclosed by the covered person— that the devices ‘‘have connected to the wireless network of a U.S. fast-food restaurant located in a particular government building’’—makes it so that the MAC addresses are linked or linkable to other sensitive personal data, in this case precise geolocation data of the location of the fast-food restaurant that the national security-related individuals frequent with their devices. This combination of data therefore meets the definition of covered personal identifiers.
<...>
Sensitive data includes not only traditional identifiers but also a range of personal and technical information that, in combination, can pose national security risks if accessed improperly.
According to § 202.249 and § 202.212 of the DOJ rule, "sensitive personal data" includes "covered personal identifiers"—which refer to identifiers that are linked (or linkable) to each other or to other types of sensitive data. This includes, but is not limited to:
Advertising IDs (GAID, IDFA)
IP addresses
Device/location data
Emails, phone numbers, contact information
“Bulk” is defined in § 202.205 and refers to datasets that meet specific thresholds depending on the type of sensitive personal data. For covered personal identifiers—which include advertising IDs, IP addresses, and similar identifiers—the threshold is 100,000 U.S. persons over any 12-month period. This is a high volume, but not unrealistic for companies running digital campaigns or maintaining large customer or prospect databases. Notably, the rule applies even if the data is anonymized, pseudonymized, de-identified, or encrypted.
What the Law Actually Says
§ 202.205 Bulk.
The term bulk means any amount of sensitive personal data that meets or exceeds the following thresholds at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person:
(a) Human ‘omic data collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons;
(b) Biometric identifiers collected about or maintained on more than 1,000 U.S. persons;
(c) Precise geolocation data collected about or maintained on more than 1,000 U.S. devices;
(d) Personal health data collected about or maintained on more than 10,000 U.S. persons;
(e) Personal financial data collected about or maintained on more than 10,000 U.S. persons;
(f) Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons; or
(g) Combined data, meaning any collection or set of data that contains more than one of the categories in paragraphs (a) through (f) of this section, or that contains any listed identifier linked to categories in paragraphs (a) through (e) of this section, where any individual data type meets the threshold number of persons or devices collected or maintained in the aggregate for the lowest number of U.S. persons or U.S. devices in that category of data.
§ 202.206 Bulk U.S. sensitive personal data.
The term bulk U.S. sensitive personal data means a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable threshold set forth in § 202.205.
According to the Rule, a "covered data transaction" occurs when a U.S. person engages in a data brokerage, vendor, employment, or investment agreement that grants a country of concern or a covered person access to government-related data or bulk U.S. sensitive personal data.
What the Law Actually Says
§ 202.214 Data brokerage.
(a) Definition. The term data brokerage means the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.
(b) Examples—
(1) Example 1. A U.S. company sells bulk U.S. sensitive personal data to an entity headquartered in a country of concern. The U.S. company engages in prohibited data brokerage.
<...>
(3) Example 3. A U.S. organization maintains a database of bulk U.S. sensitive personal data and offers annual memberships for a fee that provide members a license to access that data. Providing an annual membership to a covered person that includes a license to access government-related data or bulk U.S. sensitive personal data would constitute prohibited data brokerage.
(4) Example 4. A U.S. company owns and operates a mobile app for U.S. users with available advertising space. As part of selling the advertising space, the U.S. company provides IP addresses and advertising IDs of more than 100,000 U.S. users’ devices to an advertising exchange based in a country of concern in a twelve-month period. The U.S. company’s provision of this data as part of the sale of advertising space is a covered data transaction involving data brokerage and is a prohibited transaction because IP addresses and advertising IDs are listed identifiers that satisfy the definition of bulk covered personal identifiers in this transaction.
(5) Example 5. Same as Example 4, but the U.S. company provides the data to an advertising exchange based in the United States. As part of the sale of the advertising space, the U.S. advertising exchange provides the data to advertisers headquartered in a country of concern. The U.S. company’s provision of the data to the U.S. advertising exchange would not be a transaction because it is between U.S. persons. The advertising exchange’s provision of this data to the country of concern-based advertisers is data brokerage because it is a commercial transaction involving the transfer of data from the U.S. advertising exchange to the advertisers headquartered in the country of concern, where those country-of-concern advertisers did not collect or process the data directly from the individuals linked or linkable to the collected or processed data. Furthermore, the U.S. advertising exchange’s provision of this data to the country of concern-based advertisers is a prohibited transaction.
(6) Example 6. A U.S. information technology company operates an autonomous driving platform that collects the precise geolocation data of its cars operating in the United States. The U.S. company sells or otherwise licenses this bulk data to its parent company headquartered in a country of concern to help develop artificial intelligence technology and machine learning capabilities. The sale or license is data brokerage and a prohibited transaction.
(7) Example 7. A U.S. company owns or operates a mobile app or website for U.S. users. That mobile app or website contains one or more tracking pixels or software development kits that were knowingly installed or approved for incorporation into the app or website by the U.S. company. The tracking pixels or software development kits transfer or otherwise provide access to government-related data or bulk U.S. sensitive personal data to a country of concern or covered person-owned social media app for targeted advertising. The U.S. company engages in prohibited data brokerage.
(8) Example 8. A non-U.S. company is contracted to develop a mobile app for a U.S. company. In developing the mobile app for that U.S. company, the non-U.S. company knowingly incorporates tracking pixels or software development kits into the mobile app that then transfer or otherwise provide access to government-related data or bulk U.S. sensitive personal data to a country of concern or covered person for targeted advertising, at the request of the U.S. company. The non-U.S. company has caused a violation of the data brokerage prohibition. If the U.S. company knowingly arranged the transfer of such data to the country of concern or covered person by requesting incorporation of the tracking pixels or software development kits, the U.S. company has engaged in prohibited data brokerage.
<...>