The U.S. Department of Justice’s (DOJ) Data Security Program (DSP; 28 C.F.R. Part 202) is now fully enforced, marking a significant shift in how U.S. companies handle sensitive personal data. The DSP, effective since April 11, 2025, aims to protect Americans’ bulk sensitive personal data and government-related data from access by countries of concern, including China, Russia, Iran, North Korea, Cuba, and Venezuela, as well as by covered persons, meaning entities or individuals affiliated with these countries. With the 90-day enforcement leniency period over, companies must ensure data privacy compliance to avoid civil and criminal penalties. Additional compliance requirements, such as audits and reporting, take effect on October 6, 2025.
As a business owner who already has a ton of compliance measures to deal with, this is just one more thing to add to your plate, and that doesn’t even count the litigation over privacy violations that is running wild. Luckily, Captain Compliance is here to assist, and below we provide the details businesses need to know to navigate this new regulatory landscape.
Background and Purpose of the DSP
The DSP was established under Executive Order 14117, signed on February 28, 2024, to address national security risks posed by foreign adversaries exploiting U.S. sensitive personal data. This includes bulk genomic, biometric, geolocation, health, financial, and other personal identifiers, as well as government-related data. The DOJ’s National Security Division (NSD) oversees the program, which imposes prohibitions and restrictions on certain data transactions to prevent espionage, surveillance, and other threats to national security. During the initial 90-day period from April 8 to July 8, 2025, the DOJ prioritized education and outreach, offering leniency for companies demonstrating good-faith efforts to comply. As of today, full enforcement is in effect, and businesses must act swiftly to align with the DSP’s requirements.
Who Must Comply With This Bulk Sensitive Data Law?
The DSP applies broadly to U.S. persons, meaning individuals and entities, engaged in covered data transactions. Key groups that must act immediately include:
- Data Collectors: Any company collecting or processing bulk sensitive personal data, such as genomic, biometric, geolocation, health, financial, or large-scale personal identifiers, regardless of sector or intended use.
- Companies with Foreign Partners: Businesses with vendor, employment, or investment relationships involving foreign entities or covered persons must review these for compliance.
- Data Brokers: Transactions involving access to U.S. personal data by countries of concern or covered persons are prohibited unless exempt or authorized by a specific license.
- Telecom and Tech Providers: Companies in these sectors must assess exemptions, such as transactions “ordinarily incident to and part of the provision of telecommunications services,” and implement measures to prevent unauthorized onward data transfers.
The DSP defines “countries of concern” as China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. “Covered persons” include entities 50% or more owned by these countries, their employees or contractors, and individuals primarily resident in these regions.
Key Compliance Requirements
To comply with the DSP, companies must take immediate steps to understand their data practices and ensure they meet regulatory standards. The DOJ’s Compliance Guide, FAQs, and Implementation and Enforcement Policy, released on April 11, 2025, provide detailed guidance. Key requirements include:
- Know Your Data: Companies must identify whether they collect, process, or maintain covered data, including its type, volume, and use. This involves conducting internal audits to assess data holdings and determine if they meet the DSP’s bulk thresholds.
- Map Data Flows and Access Points: Businesses should map all data flows, identifying access points where covered data may be exposed to countries of concern or covered persons, including through third-party vendors or affiliates.
- Review Agreements: Contracts involving data brokerage, vendor, employment, or investment agreements must be reviewed to ensure compliance. The Compliance Guide offers model contractual language to prohibit unauthorized onward transfers of covered data by foreign persons.
- Implement DSP Compliance Plans: Companies should establish robust data compliance programs, incorporating risk-based procedures for verifying data transactions. This includes implementing security measures like data minimization, encryption, and privacy-enhancing technologies, as outlined by the Cybersecurity and Infrastructure Security Agency (CISA).
Additional obligations, such as due diligence, annual audits, and reporting on rejected prohibited transactions, will become mandatory on October 6, 2025. However, companies should begin preparing now to meet these requirements and can work with our team of compliance experts here at Captain Compliance to adhere to the new guidelines and federal privacy requirements.
Enforcement and Penalties
As of this writing, the DOJ’s NSD is authorized to pursue civil and criminal penalties for DSP violations under the International Emergency Economic Powers Act (IEEPA). Civil penalties can reach up to $368,136 or twice the value of the violating transaction, while willful violations may lead to criminal penalties, including up to 20 years’ imprisonment and a $1,000,000 fine. The DOJ has emphasized that egregious or willful violations faced enforcement action even during the initial 90-day period, though good-faith efforts provided temporary leniency. Companies must now demonstrate full compliance with all provisions effective as of April 8, 2025.
The DOJ encourages voluntary self-disclosure of violations, which may be considered a mitigating factor in enforcement actions. Disclosures must include a detailed report within 180 days of notification. Additionally, individuals reporting violations through FinCEN’s whistleblower program may be eligible for financial awards.
Exemptions and Licenses
Certain transactions are exempt from DSP regulations, including:
- Official U.S. government business.
- Transactions required or authorized by federal law or international agreements.
- Transactions necessary for compliance with federal law.
Companies may also apply for specific licenses to authorize otherwise prohibited transactions, though the DOJ reviews these with a presumption of denial. During the 90-day leniency period, the DOJ discouraged formal license requests, urging informal inquiries instead. As of today, companies can submit requests for licenses or advisory opinions via nsd.firs.datasecurity@usdoj.gov, though responses are not guaranteed.
Industry-Specific Impacts
The DSP’s impact varies by industry, with significant implications for:
- Technology and Telecom: Companies with global operations or distributed data infrastructure must enhance vendor vetting, data handling protocols, and access controls, particularly for AI, cloud, digital advertising, and data analytics services.
- Healthcare and Biotech: Firms handling bulk genomic, biometric, or health data must ensure compliance with DSP restrictions, even for anonymized or pseudonymized datasets.
- Financial Services: Companies managing large-scale financial data must review cross-border data flows and implement CISA’s heightened security requirements.
Next Steps for Compliance
To avoid penalties and ensure compliance, companies should:
- Conduct a Data Risk Assessment: Identify and map all data flows involving sensitive data types and third-party access.
- Update Contracts: Amend agreements to include provisions prohibiting unauthorized data transfers and ensure compliance with restricted transaction terms.
- Develop Compliance Programs: Establish comprehensive data security protocols, including employee training and CISA-aligned security measures, by October 6, 2025.
- Engage Legal Counsel: Consult experts familiar with DSP requirements to navigate complexities and ambiguities.
- Stay Informed: Monitor updates from the DOJ, including the forthcoming Covered Persons List and additional FAQs, to refine compliance strategies.
The DOJ has signaled ongoing engagement with stakeholders and plans to release further guidance, including an initial Covered Persons List. Companies should leverage existing compliance frameworks, such as anti-money laundering or sanctions controls, to streamline DSP compliance efforts and build on their data privacy frameworks.
The Future of the DOJ’s Data Security Program
The DOJ’s Data Security Program is America’s approach to safeguarding U.S. sensitive personal and government-related data from foreign adversaries. With full enforcement now in effect, companies are required to assess their data practices, review agreements, and implement robust compliance programs. By taking proactive steps now, businesses can mitigate risks and align with the DSP’s requirements, ensuring both regulatory compliance and national security.
For more information, refer to the DOJ’s Compliance Guide, FAQs, and Implementation and Enforcement Policy, available at www.justice.gov. Companies with questions can contact the NSD at nsd.firs.datasecurity@usdoj.gov.
If you want an assessment of your risk and help with your data privacy needs to comply with the DOJ’s Data Security Program, please book a demo below with one of our data privacy representatives.