New Act Bans Data Brokers from Selling Military Member Lists to Foreign Adversaries

This new piece of legislation, the Protecting Military Servicemembers Data from Foreign Adversaries Act of 2025, is laser-focused on national security and personal privacy. Simply put, it makes it flat-out illegal for data brokers—those companies that collect and sell your personal information—to transfer lists of current or former U.S. military servicemembers to foreign adversaries. The bill defines these adversaries as ‘covered nations’ and any entity controlled by them, which includes businesses where a foreign person from that nation owns 20% or more of the company (SEC. 2).

Who’s Guarding the Guards?

The core of the bill is a direct prohibition: data brokers cannot sell, trade, license, or give away any list that identifies military servicemembers to a covered nation or anyone under its control (SEC. 3). For instance, if a data broker has a list of veterans who recently moved or bought a new car, they cannot monetize that list by selling it to a company headquartered in, or 20% owned by, a foreign government deemed an adversary. This is a critical move to stop foreign intelligence operations from easily purchasing sensitive data used for targeting, espionage, or influence campaigns against our service members and their families.

The Contractual Catch-22

Recognizing that data changes hands multiple times, the bill also requires data brokers to build a firewall into their contracts. If a broker sells a servicemember list to a domestic company (who is not a covered nation), that contract must include a legally binding promise that the buyer won't then turn around and transfer the list to any covered nation or controlled entity (SEC. 3). Think of it as a chain of custody requirement: the original seller is responsible for ensuring the data doesn't end up in the wrong hands, even after the sale. The bill also explicitly bans any financial transaction or scheme designed specifically to sneak around these prohibitions, aiming to prevent shell companies and complex legal maneuvers from undermining the law.

Enforcement: The FTC and State AGs Tag Team

To make sure this isn't just a suggestion, the bill gives enforcement power to two major players: the Federal Trade Commission (FTC) and State Attorneys General (SEC. 4). The FTC can treat violations just like any other unfair or deceptive business practice, allowing them to use their full arsenal of tools—including filing lawsuits, issuing fines, and seeking restitution for consumers. Crucially, this power extends even to non-profit organizations that might be acting as data brokers, expanding the FTC’s usual jurisdiction.

State Attorneys General can also sue data brokers in federal court on behalf of their residents if they believe the law has been violated. This dual enforcement mechanism means data brokers will have watchdogs at both the federal and state levels, making it much harder to operate outside the lines. However, states have to give the FTC a heads-up before they file suit, and if the FTC is already pursuing a case, the state must wait.

Required Reading: The Check-Up Report

Finally, the bill mandates a reality check. Within one year of enactment, the Comptroller General must deliver a report to Congress (SEC. 5). This report has to analyze how well the law is actually being enforced and, more importantly, whether the U.S. needs to dedicate more resources or grant new powers to enforcement agencies to keep up with the threat. They also have to recommend whether the protections should be expanded to cover more types of people or more kinds of personal data. This built-in review mechanism is a smart move, acknowledging that data threats evolve quickly and the initial law might not be enough in the long run.