The Federal Trade Commission just dropped a clear signal to the data broker industry: your business of packaging and selling Americans’ personal information—including details that flag someone as a member of the Armed Forces—now carries real national security weight, and the government is watching.
On February 9, 2026, the FTC sent warning letters to 13 unnamed data brokers, spotlighting potential non-compliance with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA). The agency released the template letter publicly, and its message is unmistakable: stop any practices that could make sensitive U.S. data, especially military-status information, available to China, Russia, Iran, North Korea, or entities they control—or face enforcement under the FTC’s broad Section 5 authority.
PADFAA, effective since June 2024, is laser-focused. It bans data brokers from selling, licensing, renting, trading, transferring, disclosing, providing access to, or otherwise making available “personally identifiable sensitive data” of U.S. individuals to foreign adversaries. The definition of data broker is precise: entities that, for payment, make available data about Americans they didn’t collect directly from those people, to parties that aren’t just service providers. Exclusions exist for things like user-directed transmissions or news publishers, but most commercial aggregators and resellers are in scope.
“Sensitive data” casts a wide net: SSNs and other government IDs, health records, financial details, biometrics, precise location, information about children under 17, private messages, and login credentials. It also explicitly includes information revealing status as a member of the Armed Forces. The FTC template calls this out directly: “We have identified instances in which your company offers or has offered solutions and insights involving the status of an individual as a member of the Armed Forces. Such information is subject to PADFAA’s requirements.”
Why zero in on military data? In today’s hybrid-threat landscape, lists identifying active-duty personnel, reservists, or veterans aren’t just privacy intrusions; they’re potential intelligence gold for adversaries. Foreign actors could use such data for targeted recruitment, phishing, influence campaigns, or physical threats. By highlighting this category in the letters, the FTC is treating military-linked personal information as a strategic vulnerability, not merely another demographic slice.
The letters aren’t accusations of guilt—they’re preemptive. Recipients get a polite but firm nudge to review practices immediately and cease anything non-compliant. The FTC stresses it’s sending similar notices to others, and receipt doesn’t imply wrongdoing. Yet the teeth are real: violations count as unfair or deceptive acts under Section 5 of the FTC Act, opening the door to investigations, injunctions, and civil penalties up to $53,088 per violation.
This move fits a bigger pattern. The U.S. is increasingly treating outbound sensitive data flows as a security issue, not just a consumer-privacy one. PADFAA isn’t a comprehensive privacy regime like GDPR—it’s narrow, adversary-specific—but pairing it with Section 5 gives the FTC flexible, powerful enforcement leverage. Data brokers now know the agency is actively monitoring the market for transfers that could reach hostile states.
For the industry, the takeaway is stark: if your models infer or aggregate military status (through affiliations, purchases, location patterns, or public records), and you monetize that insight to anyone who might pass it upstream to restricted entities, you’re on notice. Compliance isn’t optional—it’s urgent. Scrub datasets, audit downstream recipients, implement strict controls, and document everything.
The FTC’s February 2026 action isn’t the end of the story; it’s an opening salvo. In an era where personal data can be weaponized, protecting servicemembers’ information from foreign adversaries is no longer abstract policy; it’s an active enforcement priority. Data brokers who ignore this warning risk far more than fines: they risk becoming conduits in geopolitical games they never signed up to play. The message from Washington is clear: clean up now, or the Commission will do it for you.