March 10, 2026

Cross-Border Transfers of American Personal Information Carry Heightened Regulatory, Litigation Risks


Until recently, there was no law against sharing lawfully-collected personal information about Americans with affiliates, partners, vendors, and buyers located overseas. That has now changed.

An expanding array of US state and federal legal regimes—including the Department of Justice’s Data Security Program (“DSP”) and the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“PADFAA”)—are reshaping the enforcement and litigation landscape for companies engaging in such cross-border data transfers.

On the regulatory enforcement front, the Federal Trade Commission (“FTC”) has issued formal warning letters to data brokers under PADFAA, and the Florida Attorney General has launched a new enforcement unit specifically targeting data practices involving China and other foreign adversaries under state consumer protection laws, signaling heightened enforcement activity at the federal and state levels.

Meanwhile, class-action plaintiffs’ lawyers have developed a novel strategy to deploy these new laws even though they contain no private right of action. New class action lawsuits now assert federal Wiretap Act and related state privacy law claims that would otherwise be barred by a company’s privacy policy on the theory that American users cannot legally consent to the collection and sharing of their data if it is shared with foreign entities in violation of the DSP.

This Legal Update discusses these enforcement and litigation trends and presents recommendations for US companies engaging in cross-border data transfers with countries impacted by the regulations.

I. Regulatory Enforcement Activity

A. FTC Warning Letters Under PADFAA

PADFAA, effective as of June 2024, prohibits data brokers¹ from transferring personally identifiable sensitive data about Americans to foreign adversary countries.² PADFAA grants enforcement authority to the FTC, which treats violations as unfair or deceptive practices under Section 5 of the FTC Act.

On February 9, 2026, the FTC sent formal warning letters to 13 companies identified by the Commission as “data brokers,” emphasizing their obligation to comply with PADFAA’s prohibitions on transfers of sensitive data to foreign adversaries. The letters notify the recipients that the Commission has identified instances in which the companies “offered solutions and insights involving the status of an individual as a member of the Armed Forces,”³ which the statute prohibits from being transferred to a “foreign adversary country.”

Without intending to suggest that the recipients had violated the law, the letters encourage recipients to “conduct a comprehensive review of [their] practices and immediately bring [their] acts and practices into compliance with PADFAA[,]” while reminding recipients that violations of the law may be subject to an FTC enforcement action and civil penalties of up to $53,088 per violation. The Commission also notes that it is “monitoring the marketplace for potentially violative acts or practices” and “will take additional action as warranted.”

The letters and accompanying press release represent the clearest sign to date, since the enactment of the law, that the FTC intends to scrutinize the data brokerage industry’s compliance with PADFAA and to pursue enforcement where it identifies violations.

B. Florida Attorney General Launches CHINA Prevention Unit

State-level enforcement under consumer protection statutes likewise poses an expanding legal and compliance risk for companies engaging in cross-border data transfers. On February 5, 2026, Florida Attorney General James Uthmeier announced the launch of the Consumer Harm from International Nefarious Actors (“CHINA”) Prevention Unit—a dedicated section within the Office of the Attorney General focused on “combating threats posed by the Chinese Communist Party and other foreign adversaries to Florida consumers, data privacy, and economic security.”

Among the Unit’s first actions was to subpoena “fast-fashion” company Shein over concerns of deceptive trade practices and data privacy violations. Attorney General Uthmeier also directed the Unit to demand audits of medical device companies with ties to the Chinese Communist Party.⁴

The Florida initiative underscores that state attorneys general can attempt to leverage expansive consumer protection laws as a powerful tool to address the privacy and security concerns associated with cross-border data transfers, especially with regard to companies with links to China. Illustrating this trend, the Texas Attorney General recently filed five lawsuits against China-linked companies, alleging violations of the Texas Deceptive Trade Practices Act, including for claims relevant to illegal data harvesting and data privacy. Attorneys General in Arizona, Kentucky, and Nebraska have filed similar suits.

II. Private Litigation: DSP Violations Cited as Predicate for Federal Wiretap and State Privacy Claims

The DSP regulates transactions by US persons that involve access to covered data by “countries of concern” and persons or entities subject to their jurisdiction. It prohibits certain transactions outright, while restricting others by requiring companies to conduct risk assessments and implement mitigation measures.⁵ New class action complaints illustrate how plaintiffs are using alleged violations of the DSP as a predicate for federal wiretap and state privacy claims.

A. Factual Allegations

In these new lawsuits, plaintiffs attack common data collection practices that are otherwise entirely lawful when combined with proper privacy policy disclosures and consent, including website pixels used to track user visits to a website, website chatbots operated by third parties, and online advertising bidding exchanges.

For example, in Christy v. Lenovo (United States) Inc., the complaint alleges that Lenovo (United States) Inc., a US subsidiary of Lenovo Group Limited (organized in Hong Kong with principal operations in Beijing), deployed tracking technologies on its website that intercepted communications and transmitted persistent identifiers—including IP addresses, cookie identifiers, advertising IDs, and full URL strings—to its Chinese parent. In addition, the complaint alleges this data was collected from more than 100,000 US persons, satisfying the “bulk” threshold, and that Lenovo failed to implement CISA-mandated security controls. The complaint specifically alleges, citing Lenovo’s Website Privacy Policy, that “Lenovo transfers users’ personal information within the Lenovo Group to the People’s Republic of China without the requisite safeguards and controls.”

B. DSP Violations as a Wiretap Act Predicate

Because the DSP (being rooted in IEEPA) lacks a private right of action, these new lawsuits invoke the alleged regulatory violation as the predicate criminal or tortious act necessary to overcome the party-consent exception to the Wiretap Act.

Under 18 U.S.C. § 2511(2)(d), a party to a communication may intercept it without liability, but this exception does not apply where the interception is undertaken “for the purpose of committing any criminal or tortious act.” The complaints allege that defendants intercepted communications for the purpose of engaging in prohibited data brokerage transactions under the DSP, thereby negating the party exception and rendering them liable under 18 U.S.C. § 2511.⁶

C. DSP Violations as Support for State Law Claims

In addition to the federal claims, these new lawsuits also invoke the alleged DSP violations as a predicate to support state law claims. They allege that the defendant’s interceptions were “knowingly and intentionally performed for the independent purpose of committing tortious acts in violation of California common law,” thereby supporting claims for intrusion upon seclusion and violation of the right to privacy. The Christy complaint further relies on the DSP violation as a predicate “unlawful” act under California’s Unfair Competition Law, which prohibits any “unlawful, unfair or fraudulent business act or practice.”

III. Recommendations

US companies engaged in cross-border data flows (particularly involving China or other “countries of concern”) should consider the following risk-mitigation steps in light of these enforcement and litigation developments.

  • Data Mapping: Companies should assess their data inventories to determine which datasets fall within PADFAA’s and the DSP’s covered categories and (where applicable) threshold quantities. They should also identify and evaluate business use cases involving such data that could trigger compliance obligations under those frameworks and ensure ongoing compliance with such obligations.
  • Links to China: Companies should review their exposure to Chinese vendors, contractors, customers, affiliates, and other business partners, particularly where those relationships involve access to covered data, infrastructure, or systems. They should ensure that such arrangements are supported by appropriate contractual protections, including representations and warranties, technical safeguards, and clear, public disclosures concerning DSP compliance programs (which might be incorporated by reference into the pleadings during a motion to dismiss). These relationships may heighten the risk of regulatory scrutiny under PADFAA and the DSP, as well as parallel enforcement by state attorneys general, who could argue that certain data-sharing practices with Chinese counterparties or affiliates are deceptive, insufficiently disclosed, or inadequately safeguarded.
  • Web Activity Monitoring and Ad Tech Integration: In light of the allegations in the new lawsuits, companies should closely evaluate their use of user activity tracking technology and ad tech integrations, especially where collected data may be shared with Chinese parents, affiliates, customers, or integration partners. Companies should assess whether aggregated user data could meet bulk thresholds, ensure that data flows are supported by appropriate contractual and technical safeguards (if necessary, the CISA Security Requirements), and confirm that public disclosures accurately describe third-party sharing practices and compliance measures.⁷

IV. Conclusion

The regulatory and litigation developments discussed above reflect heightened attention to cross-border data transfers involving “countries of concern.” Regarding enforcement, both the FTC’s PADFAA warning letters and the stand-up of Florida’s CHINA Prevention Unit (as well as aggressive litigation by other state attorneys general) demonstrate that federal and state regulators are actively monitoring data practices and are prepared to deploy the full range of available legal tools.

In parallel, the new class action complaints signal that the plaintiffs’ bar has identified a potential pathway to monetize alleged DSP violations through the Wiretap Act and state privacy claims, notwithstanding the lack of a private right of action under the regulation itself. While these cases remain at an early stage and the plaintiffs’ theories have yet to be tested, companies should prepare for the possibility of similar claims, even if meritless. A successful ruling on even the preliminary legal questions, such as whether an alleged DSP violation vitiates consent under the Wiretap Act, could encourage additional litigation. In addition, such litigation is likely to attract the attention of DOJ officials seeking to identify violations.

Taken together, these developments underscore the need for US companies to adopt a proactive and comprehensive approach to cross-border data transfer compliance. Organizations that conduct transactions involving cross-border data transfers should prioritize data mapping, third-party due diligence, technical safeguards, and disclosure accuracy—not only to satisfy federal regulatory obligations, but also to mitigate the growing risk of civil litigation and state enforcement.

V. How Mayer Brown Can Help

Mayer Brown’s Government Contracts, National Security, and Public Policy, Regulatory & Government Affairs practices and State Attorneys General Task Force have extensive experience helping clients navigate complex, high-stakes, and fast-evolving regulatory environments. We manage interconnected regulatory, enforcement, and litigation risks by pairing extensive experience in data privacy and national security regulation, including PADFAA and the DSP, and government enforcement defense with robust public policy and advocacy capabilities. Companies engaged in cross-border data transactions—particularly those involving China and other “countries of concern”—can benefit from the comprehensive counsel Mayer Brown provides across regulatory compliance, FTC and state attorney general enforcement defense, and private litigation.

 


 

1 For PADFAA’s purposes, “Data broker” means an entity that, for valuable consideration, makes available data of US individuals that it did not collect directly from such individuals to another entity not acting as a service provider. Exclusions exist for entities transmitting data at an individual’s request, providing products or services where data is not the product, publishing news or public-interest information, and acting as service providers. The term does not include an entity that is providing, maintaining, or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service. 15 U.S.C. § 9901(c)(3).

2 “Foreign Adversary Country” means China, Russia, Iran, and North Korea.

3 Data regarding one’s military status is expressly enumerated as “sensitive data” under PADFAA.

4 The companies named in the press release include Mindray North America, United Imaging, MicroPort, Edan Instruments, Lepu Medical Tech, Shinva Medical Instruments, Neusoft Medical Systems, Longest Medical, and Jiangsu Yuyue Medical.

5 “Country of Concern” means China (incl. Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. 28 C.F.R. § 202.601.

6 The plaintiff in Christy further alleges that, to the extent the transaction qualifies as a “restricted transaction” under the DSP, Lenovo fails to satisfy the applicable CISA security requirements.

7 Notably, in Christy, the plaintiff points to Lenovo’s Privacy Policy as purported evidence of DSP violations, alleging that the Policy acknowledges transfers of users’ personal information to China, protected only through agreements and standard contractual clauses.
