The Protecting Americans’ Data from Foreign Adversaries Act of 2024 (the “PADFAA”) recently passed with little fanfare but may nevertheless impact the digital advertising industry. In particular, PADFAA prohibits “data brokers” from disclosing certain categories of personal data defined under the Act as “personally identifiable sensitive data” (also referred to herein as “covered data”) to a foreign adversary or any entity that is controlled by a foreign adversary, which in this case means China, Iran, North Korea, and Russia (“Covered Recipients”). Failure to comply with PADFAA is treated as an unfair and deceptive practice with enforcement authority vested in the FTC. PADFAA § (2)(b)(1).
We do not know precisely how PADFAA will apply to the digital advertising industry, but some industry participants may reasonably want to be conservative in their approach to the law — especially until we have further guidance. This blog post outlines what a conservative read of the law looks like (i.e., it assumes a broad reading of the PADFAA by the FTC) for the digital advertising industry and how our new PADFAA module for the IAB Diligence Platform can mitigate risk.
Who May be Covered by PADFAA in the Digital Advertising Industry?
The statutory definitions are an important starting point when interpreting the reach of PADFAA, which defines a “data broker” as any business that “for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.” PADFAA § 2(c)(3)(A) (emphasis added). Thus, PADFAA covers those who do not directly collect data from consumers – which often fits the ad tech intermediary business model – albeit only with respect to disclosures to Covered Recipients where an exception is not applicable.
With that, what might a conservative approach to assessing the reach of PADFAA look like? One relevant consideration is whether an ad tech company has determined that it is covered by California’s “Delete Act,” which defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Cal. Civ. Code § 1798.99.80(c) (emphasis added). Thus, an ad tech company that registers with the California Privacy Protection Agency as a “data broker” would likely want to consider that registration as a relevant factor in assessing whether it is covered by PADFAA.
Once a company determines that it may meet this initial parameter of the law, it should assess whether it is disclosing covered data to a Covered Recipient and, if so, whether an exemption applies. For example, among other exemptions, entities are not considered “data brokers” to the extent they are disclosing covered data:
- to service providers;
- to Covered Recipients where the data broker itself is acting as a service provider to another entity (to the extent that such entity on whose behalf the data broker is acting is not also “controlled by a foreign adversary”);
- at the direction of the U.S. individual; or
- in connection with providing, maintaining, or offering a product or service with respect to which such covered data, or access to such data, is not the product or service. PADFAA § 2(c)(3)(B)(ii).
More broadly, publishers and advertisers themselves appear to be exempted from PADFAA’s reach in most circumstances. Generally, they directly collect personal data through conventional forms, as well as through the third-party pixels, tags, cookies, APIs, and web beacons they, or their third-party partners (e.g., agencies), integrate in connection with the publisher or advertiser’s digital properties. In doing so, publishers and advertisers likely do not meet the definition of a data broker (i.e., the indirect collection of covered data). Even if that were not the case, the range of exemptions within PADFAA, such as those listed above or others (e.g., reporting, publishing, or otherwise making available news), could apply to those publishers and advertisers.
What Data is Covered Under PADFAA?
A second compliance consideration surrounds PADFAA’s definition of “personally identifiable sensitive data,” which includes an array of attributes that are traditionally considered sensitive, such as biometric identifiers or information pertaining to a data subject’s sexual orientation. The statute also broadens the scope of what is traditionally considered sensitive data by including in its list “information identifying an individual’s online activities over time and across websites or online services.” PADFAA § 2(c)(7)(O). Thus, a data broker’s disclosure of digital identifiers used in the digital advertising ecosystem (such as cookie IDs or universal ad IDs), as combined with information identifying online activity across websites, could potentially qualify as “personally identifiable sensitive data.”
What is the Compliance Challenge in the PADFAA?
If you’re an ad tech company covered by PADFAA, you could disclose “covered data” when passing bid requests in a real-time bidding transaction. For example, if you are a sell-side platform/exchange that does not act as the publisher’s service provider, and you provide bid requests regarding the same consumer device ID across multiple unrelated publishers to a DSP that is a Covered Recipient, you could be sending “information identifying an individual’s online activities over time and across websites or online services” in violation of PADFAA, absent an applicable exemption.
So, the PADFAA compliance challenge is for a covered ad tech company to determine whether the party to whom it intends to disclose personally identifiable sensitive data is “controlled by a foreign adversary,” which is defined as follows:
(A) a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country;
(B) an entity with respect to which a foreign person or combination of foreign persons described in subparagraph (A) directly or indirectly own at least a 20 percent stake; or
(C) a person subject to the direction or control of a foreign person or entity described in subparagraph (A) or (B).
To protect itself from liability under PADFAA, the disclosing ad tech company should undertake diligence. First, that involves asking about the jurisdiction where the party that will receive the data is domiciled, has its principal place of business, and is organized. Validating documentation might include certificates of incorporation, certificates of formation, and the use of third-party services that can validate some of these corporate attributes.
Diligence becomes more complicated in determining whether a foreign person or combination of foreign persons from the covered countries has a 20 percent stake either directly or indirectly in the party to whom the ad tech company discloses data. A “20 percent stake” could potentially take different forms of interest, from equity to voting. And the use of the term “indirectly” means a broader portion of the corporate tree could potentially be covered and necessitate disclosure during diligence.
A hypothetical is instructive. Company B is domiciled in a Covered Country and has a 15% equity interest in Company A. Company C is domiciled in the United Kingdom and has a 10% equity interest in Company A. Company C is a wholly owned subsidiary of Company D, which is domiciled in China. Whether this circumstance reaches the “20 percent stake” is left for another day, but a disclosing ad tech company taking a conservative approach would likely want to conduct appropriate diligence about its counterparty’s corporate structure. Such information might be included in responses to diligence questions, and potential validation could be substantiated by review of: (i) bylaws, operating agreements, or other similar documents; (ii) agreements relating to voting, ownership, or control, including all shareholder or member agreements, voting trusts and voting agreements, proxies, transfer restriction agreements, preemptive rights agreements, registration agreements, equity security purchase rights, and warrants; and (iii) schedules identifying the names, titles, nationalities, and locations of the company’s and its affiliates’ board of directors, officers, executive personnel, partners, regents, trustees, or senior management officials.
Given PADFAA’s newness and the potential corporate complexity in some organizations, each party will need to find the appropriate diligence threshold for their relationship.
How the IAB Diligence Platform Can Assist with Scaled Diligence Under PADFAA
Given the number of personal data disclosures in selecting and delivering an ad, the digital advertising industry needs a scaled PADFAA diligence solution. We believe that the IAB’s recently released IAB Diligence Platform, powered by SafeGuard Privacy, can be used to conduct PADFAA diligence of partners.
The IAB Diligence Platform currently contains a set of standardized privacy diligence questions specially designed for participants in the digital advertising industry, as well as questions tied directly to state privacy laws. For example, the Platform includes questions that are specifically drafted for a publisher’s diligence of a supply-side platform (SSP); an advertiser’s diligence of a demand-side platform (DSP); an SSP’s diligence of a DSP; and everyone’s diligence of data providers. The IAB Diligence Platform includes a vendor compliance hub that allows each company to complete the diligence materials once and share them with other IAB member and non-member companies within the Platform. Importantly, participating companies choose with whom they share their privacy diligence responses when engaging in a digital ad transaction.
We’re pleased to announce the release of a PADFAA diligence module for the IAB Diligence Platform. This module will allow parties to undertake scaled diligence before disclosing covered data. It will be provided within the IAB Diligence Platform at no additional cost to subscribers.
For more information, you can contact SafeGuard Privacy here or email [email protected] to see a demo of the IAB Diligence Platform.