A group of Democratic lawmakers has warned that the Justice Department’s data security rules, created to restrict the sale of Americans’ sensitive personal data to countries of concern, failed to include several high-profile government locations on its protected list. According to the lawmakers, the omissions include the White House, Congress, CIA headquarters, nuclear laboratories, and other sensitive federal sites.
The issue is not merely bureaucratic. It exposes a deeper privacy and national security problem: commercial location data has become so precise, so widely traded, and so easy to repurpose that it can reveal the habits, movements, and vulnerabilities of government employees, contractors, military personnel, diplomats, and elected officials.
For privacy teams, this story is bigger than Washington. It shows how location data, vendor relationships, consent flows, mobile SDKs, advertising pixels, analytics tools, and data broker ecosystems are converging into a new compliance risk category. The question is no longer whether location data is “personal information.” The question is whether a company can prove where sensitive data goes, who can access it, and whether it can be sold, shared, transferred, or inferred in ways that create legal, security, and reputational exposure.
What Happened?
The Justice Department’s final rule implementing Executive Order 14117 was designed to prevent countries of concern from accessing Americans’ bulk sensitive personal data and U.S. government-related data. The rule targets certain transactions involving countries such as China, Russia, Iran, North Korea, Cuba, and Venezuela, including data brokerage arrangements that could give foreign adversaries access to sensitive U.S. information.
The rule also created special protections for “government-related location data.” This matters because even small amounts of location data near sensitive facilities can reveal patterns about people who work there. A foreign intelligence service does not necessarily need the name of a CIA officer, congressional staffer, federal prosecutor, military official, or White House aide. A persistent mobile advertising ID, repeated visits to a sensitive facility, nighttime location patterns, and travel behavior can be enough to build a profile.
According to lawmakers, however, the government’s list of protected locations was incomplete. Instead of creating a broad protective zone around Washington, D.C., and other sensitive government clusters, the rule relied on specific GPS coordinates for individual facilities. Congressional staff reportedly analyzed those coordinates and found that several critical sites were missing.
Why Location Data Is a National Security Problem
Location data is often marketed as a commercial tool. Advertisers use it to understand foot traffic. Retailers use it to measure store visits. Apps use it for navigation, personalization, local offers, weather, delivery, ride sharing, fitness tracking, and fraud detection.
But the same data can be used for surveillance.
When location data is collected from mobile apps, software development kits, advertising exchanges, and data brokers, it can be aggregated into datasets that show where devices travel over time. Even if the dataset does not include obvious identifiers such as a name or email address, repeated movement patterns can make a person identifiable.
For example, a mobile device that appears at a federal agency every weekday, travels to a private residence every evening, visits a child’s school, attends a medical clinic, and occasionally appears near a military facility can reveal far more than a traditional database record. The data may expose employment, family routines, health-related visits, religious activity, political activity, security clearances, and foreign travel.
That is why lawmakers are treating the issue as an espionage risk, not just a consumer privacy problem.
The Real Gap: Data Brokers Are Hard to Control After Data Leaves the Business
The controversy highlights a difficult truth for privacy officers: the most dangerous privacy risks often emerge downstream.
A company may believe it is collecting data for analytics, advertising attribution, personalization, or fraud prevention. But once that data flows into third-party networks, adtech vendors, SDK providers, analytics platforms, enrichment services, or data brokers, the original business may lose practical visibility into how the data is combined, resold, transferred, licensed, or inferred.
That creates a major compliance challenge. Modern privacy programs cannot stop at cookie banners and privacy policies. They need evidence that the organization has mapped its data flows, classified sensitive data, reviewed vendor contracts, honored opt-out signals, restricted unnecessary sharing, and prevented data from being used in ways that contradict user expectations or legal obligations.
This is especially important for companies that collect or process:
- Precise geolocation data
- Health, wellness, reproductive, or biometric data
- Financial data
- Children’s or minors’ data
- Government employee, contractor, or workforce data
- Identifiers tied to advertising, tracking, profiling, or cross-context behavioral advertising
- Data that may be transferred, licensed, or accessed internationally
Why the White House and CIA Omissions Matter
The alleged omission of the White House and CIA headquarters is symbolically striking, but the operational problem is broader.
If a rule protects some sensitive locations but misses others, it creates a false sense of security. A data broker, vendor, or downstream recipient may technically avoid certain listed coordinates while still collecting or selling data that reveals movements around other equally sensitive places.
That is why the lawmakers urged the administration to consider a broader “protection zone” for the Washington, D.C. region instead of relying only on a building-by-building list. In a dense government environment, sensitive activity is not limited to one address. Staffers, contractors, foreign delegations, agency employees, lobbyists, congressional aides, intelligence personnel, and federal law enforcement officials move across overlapping areas every day.
From a privacy governance perspective, this is a lesson in underinclusive controls. If the control is too narrow, adversaries can route around it. If the protected category is defined too technically, the risk may remain even when the company believes it is compliant.
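The difference between a building-by-building list and a protection zone can be tested directly against a location feed. The sketch below is an added example, not code from the rule or from any vendor. Every coordinate, the 500 m radius and the bounding box are constructed assumptions, since the page does not say how the rule draws each site's boundary.

```python
import math

EARTH_RADIUS_M = 6_371_000

# Constructed coordinates (not real facilities). Assumption: each listed site
# is a centre point with a fixed suppression radius around it.
LISTED_SITES = {"listed_a": (10.0000, 20.0000), "listed_b": (10.0300, 20.0300)}
SITE_RADIUS_M = 500
# Assumption: the "protection zone" is one bounding box over the whole cluster,
# given as (lat_min, lon_min, lat_max, lon_max).
ZONE = (9.9900, 19.9900, 10.0400, 20.0400)

# Constructed pings: (device_id, lat, lon)
PINGS = [
    ("dev-1", 10.0001, 20.0001),  # at a listed site
    ("dev-2", 10.0150, 20.0150),  # at a sensitive site missing from the list
    ("dev-3", 10.2000, 20.2000),  # well outside the cluster
]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def near_listed_site(lat, lon):
    return any(haversine_m(lat, lon, s_lat, s_lon) <= SITE_RADIUS_M
               for s_lat, s_lon in LISTED_SITES.values())

def in_zone(lat, lon):
    lat_min, lon_min, lat_max, lon_max = ZONE
    return lat_min <= lat <= lat_max and lon_min <= lon <= lon_max

def release_with_list(pings):
    """Pings that leave the business when only listed sites are suppressed."""
    return [p for p in pings if not near_listed_site(p[1], p[2])]

def release_with_zone(pings):
    """Pings that leave the business when the whole zone is suppressed."""
    return [p for p in pings if not in_zone(p[1], p[2])]

def coverage_gap(pings):
    """Devices the list-based filter releases but the zone would suppress."""
    zone_released = {p[0] for p in release_with_zone(pings)}
    return sorted({p[0] for p in release_with_list(pings)} - zone_released)

if __name__ == "__main__":
    print("released (list):", [p[0] for p in release_with_list(PINGS)])
    print("released (zone):", [p[0] for p in release_with_zone(PINGS)])
    print("gap:", coverage_gap(PINGS))
```

A non-empty `coverage_gap` result is the kind of evidence a privacy team can attach to a control review: it names the records a narrowly defined filter lets through.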
What the DOJ Data Security Rule Does
The DOJ rule creates a national security framework for certain sensitive data transactions. It focuses on preventing access by countries of concern and covered persons to categories of U.S. sensitive personal data and U.S. government-related data.
In practical terms, the rule addresses transactions involving data brokerage, vendor agreements, employment agreements, and investment agreements where sensitive U.S. data may become accessible to restricted foreign parties.
The covered data categories include highly sensitive information such as precise geolocation, biometric identifiers, health data, financial data, personal identifiers, and other data that could be exploited when transferred at scale or in sensitive contexts.
The key point for businesses is that sensitive data regulation is moving beyond traditional privacy notice requirements. Regulators are increasingly treating personal data as a national security asset, especially when it can be used to identify, track, influence, blackmail, or profile Americans.
What This Means for Privacy Teams
Privacy teams should treat this development as a warning about the next phase of data governance. Regulators are no longer focused only on whether a company posted a privacy policy or offered a cookie banner. They are increasingly asking whether the business can prove that sensitive data is controlled throughout its lifecycle.
That means privacy leaders need to answer questions such as:
- What sensitive data do we collect? This includes location data, device identifiers, health inferences, browsing behavior, financial data, and data linked to employees or government users.
- Which vendors, pixels, SDKs, APIs, analytics tools, and adtech partners receive it? A company cannot govern data flows it has not inventoried.
- Can we stop data sharing when consent is missing or an opt-out signal is present? Consent must be operational, not just disclosed.
- Do our contracts restrict resale, onward transfer, profiling, and use for unrelated purposes? Vendor terms need to match privacy promises.
- Do we have evidence? Regulators, plaintiffs, customers, and enterprise buyers increasingly expect proof, including records of consent, data maps, assessments, and opt-out handling.
The Compliance Risk Is Bigger Than Government Sites
Although the current debate centers on federal buildings, the same risk applies to businesses that collect sensitive data from ordinary consumers.
A healthcare startup, law firm, financial services company, school, children’s app, mental health platform, fertility clinic, addiction treatment center, or political organization may not think of itself as a national security target. But if its website, app, or vendor ecosystem leaks sensitive location, behavioral, or identity data into advertising and broker networks, it can trigger privacy, consumer protection, wiretapping, biometric, state privacy, and unfair practices risk.
This is why privacy compliance needs to be designed around data use, not just legal disclosures. A privacy policy may say that a company protects user data, but regulators and plaintiffs will look at what actually happens on the site or app. Are trackers firing before consent? Are opt-out signals honored? Are pixels collecting sensitive page visits? Are third parties receiving identifiers? Are data brokers or ad platforms able to profile users?
Why Consent Management Alone Is Not Enough
A cookie banner is useful, but it is not a full privacy program.
Businesses need a system that connects consent, tracking, data mapping, vendor governance, opt-out automation, privacy notices, and assessments. This is where platforms like Captain Compliance can become the operational layer for privacy teams that need to move from policy language to provable controls.
Captain Compliance helps businesses manage consent, cookie scanning, privacy notices, DSAR workflows, opt-out automation, and compliance assessments. For organizations worried about location data, adtech exposure, cross-context behavioral advertising, or sensitive data sharing, the goal should be to create a repeatable system for discovering trackers, classifying data flows, honoring user choices, and documenting compliance decisions.
That kind of infrastructure matters because the legal risk is no longer limited to one statute. A single tracking or data sharing problem can implicate state privacy laws, consumer protection laws, wiretap claims, sector-specific rules, contract obligations, and enterprise customer requirements.
How Companies Should Respond Now
Businesses should not wait for enforcement letters or litigation to begin reviewing sensitive data flows. The DOJ rule and the congressional warning are part of a larger trend: sensitive personal data is becoming a board-level issue.
Companies should begin with a practical review of their collection and sharing practices.
Audit Location and Sensitive Data Collection
Identify whether your website, mobile app, SDKs, analytics tools, forms, advertising tags, or customer platforms collect precise location data or data that could reveal sensitive activity. Do not rely only on what engineering teams believe is happening. Use scanning, testing, and vendor documentation to verify actual data flows.
Review Data Broker and Adtech Exposure
Determine whether any data is sold, shared, licensed, enriched, matched, or made available through adtech or broker channels. Pay particular attention to mobile advertising IDs, hashed emails, IP addresses, device IDs, location signals, and behavioral segments.
Honor Opt-Out Preference Signals
Companies subject to state privacy laws should ensure that opt-out requests and universal preference signals are properly honored. If a user opts out of sale, sharing, targeted advertising, or profiling, the company must be able to demonstrate that downstream tracking and sharing actually changed.
Update Vendor Contracts
Vendor contracts should restrict unauthorized resale, onward transfer, sensitive data use, profiling, and processing for unrelated commercial purposes. Contract language should also require cooperation with audits, deletion requests, opt-outs, and regulatory inquiries.
Document the Decision Trail
Privacy teams should maintain records showing why data is collected, which vendors receive it, what legal basis or consent mechanism applies, how long it is retained, and how opt-outs are enforced. Documentation is critical when responding to regulators, enterprise customers, insurers, plaintiffs, and auditors.
What This Means for Data Brokers
Data brokers face the most direct pressure from this regulatory trend. The days of treating location data as an ordinary commercial asset are ending.
Data brokers that collect, aggregate, license, or sell sensitive data need stronger controls around source verification, consent, contractual restrictions, location filtering, restricted party screening, international access, and downstream use. They also need to account for the fact that “de-identified” or pseudonymous data may still be linkable to real people when combined with movement patterns and other datasets.
The risk is especially high when data can reveal visits to government facilities, military bases, medical providers, religious institutions, protests, schools, courts, shelters, or other sensitive locations.
What This Means for Enterprise Buyers
Enterprise buyers should use this moment to tighten procurement requirements. If a vendor collects or processes sensitive personal data, buyers should ask for proof of data minimization, consent controls, opt-out handling, subprocessors, retention schedules, international access restrictions, and resale prohibitions.
Privacy diligence should not be limited to a questionnaire. Buyers should require technical evidence where possible, including tracker scans, data flow maps, privacy assessments, and documentation showing how user choices are enforced across systems.
The Bigger Trend: Privacy Is Becoming National Security Infrastructure
The congressional warning reflects a major shift in U.S. privacy policy. For years, privacy law was treated mainly as a consumer rights issue. That is changing.
Location data, health data, biometric data, genetic data, financial data, and behavioral data can now be used to support intelligence operations, cyber targeting, blackmail, coercion, influence campaigns, and physical surveillance. As a result, privacy compliance is increasingly overlapping with cybersecurity, sanctions, export controls, procurement, and national security law.
For companies, that means privacy programs need to become more technical, more operational, and more evidence-driven. The organizations that are best prepared will be those that can show not only what their privacy policy says, but how their systems actually behave.
Key Takeaways
- The DOJ’s sensitive data rule was designed to restrict access by countries of concern to Americans’ sensitive personal data and government-related data.
- Lawmakers say the protected location list failed to include major sites such as the White House, Congress, CIA headquarters, and other sensitive facilities.
- The issue highlights the danger of commercial location data being sold or transferred in ways that can support espionage, profiling, or coercion.
- Businesses should review sensitive data collection, adtech sharing, data broker exposure, vendor contracts, and opt-out enforcement.
- Privacy teams should move beyond disclosure-based compliance and build operational controls that can be tested, documented, and enforced.
FAQ: Data Broker Location Data and the DOJ Sensitive Data Rule
What is data broker location data?
Data broker location data refers to information collected from mobile apps, SDKs, advertising networks, or other sources that can show where a device or person has been. Brokers may aggregate, license, or sell this data for advertising, analytics, intelligence, fraud prevention, or other purposes.
Why is location data considered sensitive?
Location data can reveal where someone lives, works, worships, receives medical care, attends school, travels, or meets with others. When collected over time, it can expose patterns that identify a person even if their name is not included in the dataset.
What is Executive Order 14117?
Executive Order 14117 is a U.S. national security order aimed at restricting access by countries of concern to Americans’ bulk sensitive personal data and U.S. government-related data when that access could create unacceptable national security risks.
Which countries are covered by the DOJ sensitive data rule?
The DOJ rule focuses on countries of concern, including China, Russia, Iran, North Korea, Cuba, and Venezuela, along with certain covered persons connected to those countries.
Why are lawmakers concerned about the White House and CIA?
Lawmakers say certain high-profile sensitive locations were not included in the government’s protected list of coordinates. If true, that could allow location data connected to people near those facilities to remain exposed through commercial data channels.
What should companies do about this risk?
Companies should audit their sensitive data flows, review adtech and data broker relationships, update vendor contracts, honor opt-out signals, and use privacy automation tools to document consent, tracking, data sharing, and compliance controls.
Final Word
The warning about the White House, CIA, and other sensitive sites is not just a Washington story. It is a preview of where privacy law is heading.
Regulators, lawmakers, enterprise buyers, and courts are increasingly focused on whether companies can control sensitive data after it is collected. Businesses that rely on location data, advertising identifiers, pixels, SDKs, analytics tools, or data brokers need to understand that the compliance burden is shifting from “Did we disclose it?” to “Can we prove we controlled it?”
For privacy teams, that means the next priority is operational proof: live data mapping, consent enforcement, tracker governance, vendor controls, opt-out automation, and documented assessments. The companies that build those controls now will be in a stronger position as privacy, cybersecurity, and national security regulation continue to converge.